RE: Seeking additional information about event

From: Gary Halleen (ghalleen@cisco.com)
Date: 08/23/02


From: "Gary Halleen" <ghalleen@cisco.com>
To: "Schear, Chris" <Schear.Chris@principal.com>, <focus-ids@securityfocus.com>
Date: Fri, 23 Aug 2002 10:31:46 -0700

Chris,

According to the Network Security Database (NSDB), this means "Certain
versions of Apache HTTP servers contain a vulnerability that allows an
attacker to increase the load average on the server or possibly cause a
denial of service by submitting thousands of slashes ("/") in an HTTP
request."

Gary

> -----Original Message-----
> From: Schear, Chris [mailto:Schear.Chris@principal.com]
> Sent: Monday, August 19, 2002 3:07 PM
> To: focus-ids@securityfocus.com
> Subject: IDS: Seeking additional information about event
>
>
> Greetings
>
> Our Cisco intrusion detection sensors alerted us to a very large
> number of events via one particular IDS signature, coming from
> one source this morning between 05:08:06am-06:07:14am CST.
> Scouring the web for information about the specifics has not
> been very successful. I was hoping someone could possibly shed
> some additional light on the subject. Complete packet
> information is not available and our details are limited to the
> inherent "context buffer" information provided by our sensors.
> Normally, I would not be concerned about such an alarm,
> especially considering its name does not indicate any severe
> concern - but in that hour we logged a total of 58,976 events
> from this one source. That number of events is far outside of
> "normal", for even the most noisy false positives. If anyone has
> any information about this event, I would appreciate any comments
> you may have.
>
> ------------------------------------------------------
> SIGNATURE ID: 5262 - "Large number of Slashes in URL"
> SEVERITY: Medium
>
> Source Address: 208.37.113.98
> Resolves to: w098.z208037113.nyc-ny.dsl.cnc.net
>
> CONTEXT BUFFER:
> ///////////////////////////main/welcome2.htm HTTP/1.0
>
> Via: 1.0 HAMILTON4
> Host: www.one-of-our-urls.com
>
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
> Fetch API Request
> Connection: Keep-Alive
> If-Modified-Since:Tue, 07 May 2002 20:36:11 GMT
>
> Victim Context:
> x-age=3600
> Expires: Mon, 19 Aug 2002 12:17:26 GMT
> Connection: keep-alive
> Set-Cookie: RANDOM_ID=fc13f8059113422192d0fdecfbdd0bc6; path=/;
> domain=.ourdomain.com; expires=Thursday, 16-Aug-2012 06:15:19 GMT
> ETag: 0a061c18bf7c11:7f8
> Content-Length: 0
> ------------------------------------------------------
>
> The individual's connecting source ports started at 29,223 and
> increased sequentially to 32,894. Numerous different URLs were
> within the context buffers, outside of "welcome2.htm". Some
> additional URLs were:
> ///////////////////////solutions/457_gov.htm HTTP/1.0
> ////////////////////////solutions/ps_gov.htm HTTP/1.0
> ////////////////////////solutions/mp_gov.htm HTTP/1.0
> ////////////////////////solutions/db_gov.htm HTTP/1.0
> ////////////////////////solutions/pd_gov.htm HTTP/1.0
> ///////////////////////solutions/401a_np.htm HTTP/1.0
> ///////////////////////solutions/Investment.htm HTTP/1.0
>
> Thoughts?
>
> Chris Schear
> Principal Financial Group
> IS Network Security
> www.principal.com
>
>
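The pattern in the thread is easy to check for outside the sensor: a request line whose target starts with a long run of slashes, repeated many times from one source on sequential ports, and always resolving (once the slashes are collapsed) to ordinary pages on the site. The script below, an added example that is not code from either poster, from Cisco or from the NSDB, parses request lines in the style of the quoted context buffers, flags those with an excessive leading slash run, collapses the slashes to show which resource was actually requested, and summarises flagged events per source. The 10-slash threshold, the 3-event burst threshold and the RFC 5737 documentation addresses in the sample are assumptions chosen for the example; the real signature's threshold is not stated on the page.

```python
import re
from collections import defaultdict

# Constructed sample events in the style of the context buffers quoted in the
# thread: (source address, source port, request line). Addresses are RFC 5737
# documentation addresses, not the ones from the report; the slash runs are
# built with "/" * n so the counts are exact.
SAMPLE_EVENTS = [
    ("203.0.113.8", 29223, "/" * 27 + "main/welcome2.htm HTTP/1.0"),
    ("203.0.113.8", 29224, "/" * 23 + "solutions/457_gov.htm HTTP/1.0"),
    ("203.0.113.8", 29225, "/" * 24 + "solutions/ps_gov.htm HTTP/1.0"),
    ("203.0.113.8", 29226, "/" * 27 + "main/welcome2.htm HTTP/1.0"),
    ("192.0.2.10", 40001, "GET /main/welcome2.htm HTTP/1.0"),
    ("192.0.2.11", 40002, "GET //solutions/ps_gov.htm HTTP/1.0"),
    ("192.0.2.12", 40003, "not an http request line"),
]

# A context buffer may start after the method token, so the method is optional.
REQUEST_LINE = re.compile(
    r"^(?:(?P<method>[A-Z]+)\s+)?(?P<target>/\S*)\s+HTTP/(?P<version>\d\.\d)\s*$"
)


def parse_request_line(line):
    """Return (method, target, version), or None if the line is not a request line.
    method is None when the captured buffer began after the method token."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return None
    return m.group("method"), m.group("target"), m.group("version")


def leading_slashes(target):
    """Length of the run of slashes at the start of the request target."""
    m = re.match(r"/+", target)
    return len(m.group(0)) if m else 0


def normalize_target(target):
    """Collapse runs of slashes so the resource actually requested is visible."""
    return re.sub(r"/{2,}", "/", target)


def is_excessive_slash_request(line, threshold=10):
    """True when the line parses and its target starts with >= threshold slashes.
    threshold=10 is an assumed value for this example."""
    parsed = parse_request_line(line)
    if parsed is None:
        return False
    return leading_slashes(parsed[1]) >= threshold


def analyze(events, slash_threshold=10, burst_threshold=3):
    """Summarise flagged events per source: how many, which normalised paths,
    whether source ports were strictly sequential, and whether the count reaches
    the (assumed) burst threshold."""
    per_source = defaultdict(lambda: {"flagged": 0, "paths": set(), "ports": []})
    for src, port, line in events:
        parsed = parse_request_line(line)
        if parsed is None:
            continue  # malformed or truncated buffer: not a request line
        _, target, _ = parsed
        if leading_slashes(target) < slash_threshold:
            continue
        entry = per_source[src]
        entry["flagged"] += 1
        entry["paths"].add(normalize_target(target))
        entry["ports"].append(port)

    report = {}
    for src, entry in per_source.items():
        ports = entry["ports"]
        report[src] = {
            "flagged": entry["flagged"],
            "paths": sorted(entry["paths"]),
            "sequential_ports": len(ports) >= 2
            and all(b - a == 1 for a, b in zip(ports, ports[1:])),
            "burst": entry["flagged"] >= burst_threshold,
        }
    return report


if __name__ == "__main__":
    for src, summary in analyze(SAMPLE_EVENTS).items():
        print(src, summary)
```

Collapsing the slashes before aggregating is the useful part for triage: it shows whether the flood targeted real, cacheable pages (as the quoted 200-style response headers with `Content-Length: 0` suggest) or probed for something that does not exist, and the per-source count plus the sequential-port check gives the volume-based signal the original sensor context buffers alone do not.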

