False Positives with S222's 5737 Signature

DFiore
Level 1

Since I've installed S222 on IDS 4.1-5 I get 5737 firing off "from" servers (web mail server) to "clients" (users' Windows PCs). I don't understand why this is. When I look at the Decoded Alarm Context in the IDS Event Viewer I see the following code:

Decoded Alarm Context(Signature Name='Internet Explorer Action Handlers Overflow' Event ID='1080215312272014483' Device Name='fmb_4235' Event UTC Time='1143214734203141000'):

From attacker: Mail</FONT></A>
</TD>
</TR>
<TR>
<TD> </TD>
<TD ALIGN="left" VALIGN="top">-  </TD>
<TD ALIGN="left" VALIGN="top">
<A HREF="addrbook.6480.cgi?uid=anettle&mbx=Main" onMouseOve

Remember, my event viewer says the source IP is my webmail server and the destination IP is the user's PC. Is the sig firing because this web page is complex? This is not happening all the time. It is sporadic but consistent since I installed sig S222.

Any help is greatly appreciated...

15 Replies

DFiore
Level 1

I had to re-enter the Decoded Alarm Context again:

Decoded Alarm Context(Signature Name='Internet Explorer Action Handlers Overflow' Event ID='1080215312272014483' Device Name='fmb_4235' Event UTC Time='1143214734203141000'):

From attacker: Mail
-  
< TD ALIGN="left" VALIGN="top">
< A HREF = "addrbook.6480. cgi? uid = mhernfield&mbx=Main" onMouseOve

john.stephens
Level 1

I saw a lot of those too, internal user to internal server after S222. The signature seemed to be working correctly, since it's looking for a large amount of script action handlers on the web page. I just don't know, and didn't research it enough, to find what the threshold for the signature was. Does your webserver HTML code contain a lot of script action handlers? Are they all one handler, one event? I looked at the code on a couple that were triggering and they did have a lot of the handlers. 1 to 1. I'm not a coder, but I think the HTML can also be written 1 handler to multiple events. I recommend filtering your web servers as the source IP. The signature triggers on the data coming back from the server. This should help cut down the alerts, and still let you see if one of your users goes to an untrusted site that might have a handler overflow.

That magic number is 2000. We've had a report of one other false positive. The value set in the signature is sufficient to trigger the overflow. You *could* raise that limit, but that opens the doors for a false negative. In your case, I'd suggest simply filtering out the mail server.

Thank you both (John and Cisco) for your advice. Again, I just want to make sure that you both know that the "attack" source has only been my internal servers and the attack destination has been user PCs in my network and only a few outside my network.

Now my next question will surprise you... How can I filter the server IPs with only cmd line access to the IDS device? I generally never touch the inner workings; I only update the sig sets from the "conf term" command line. Any help or direction (link on Cisco's site) would be greatly appreciated.

Thanks Again,

David

Have you ever tried IDM? Just do https://(sensor IP). You might need to run setup from the command line to ensure the webserver is configured, but it might already be ready to go for you. If you've only used the CLI, then IDM will be a little break for you. If you can get in there, go to configuration, event filters...I'd have to look for the rest. I normally use VMS for filters and CLI for everything else.

And if you don't have or want to use IDM, here is some CLI guidance:

To configure alarm channel event filters, follow these steps:

Step 1 Log in to the CLI using an account with administrator or operator privileges.

Step 2 Enter configuration mode:

sensor# configure terminal

Step 3 Enter alarm channel configuration mode:

sensor(config)# service alarm-channel-configuration virtualAlarm

Step 4 Enter tune alarm channel submode:

sensor(config-acc)# tune-alarm-channel

Step 5 Enter event filter submode:

sensor(config-acc-virtualAlarm)# eventFilter

Step 6 Type the following command to configure a filter:

sensor(config-acc-virtualAlarm-Eve)# Filters SIGID signature-id SubSig sub-id SourceAddrs ipaddress DestAddrs ipaddress Exception true | false

Link from Cisco on this:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps4077/products_installation_and_configuration_guide_chapter09186a008035809d.html#wp87558

John,

Thanks for the steps to do this from the cmd line. But, are you still getting the action handler overflows?

I've been reading about this on the web http://www.securiteam.com/windowsntfocus/5KP0P00I0K.html

Here are some thoughts: How can this be happening FROM my webserver TO a browser on the outside? What's causing the webserver to do this? Is it more likely this is a problem in how the browser handles info from the page? Rather, I'm really seeing a listing of those people on the outside who are using a particular version of IE?

I am also seeing thousands of false positive alerts daily. (4000) They are all triggered by valid traffic. I enabled packet capture to make sure but apparently those packets are exceeding the 2000 threshold.

I have tuned the signature to Medium for now.

REALLY... 4,000 a day? I'm seeing about 30 a day. Half from the internal webmail server to internal users and half from the external website to users on the outside...

Hopefully, other Cisco IDS/IPS users are having this issue as well. Either we have uncovered (by the S222 sig) a serious "existing" compromise of our web servers (somebody planted html code on our websevers?) or something else is going on with the S222 sig between the server and IE.

I have faith that the folks at Cisco are looking into this issue.

Yes, 4000+ a day. I will submit code tomorrow so Cisco can analyze it a bit better. Maybe we have a weird setup but I really don't think so. If these are positive then I have other issues to deal with. As soon as the sig was sent to the sensors it started firing all over the place.

Anyone know how to send the trigger packets? I know how to send the iplogs (version 4.1 sensors), but I don't see where the trigger packet info is stored via CLI. I can use SnagIt to show it but that is less useful, or at least more cumbersome to use.

Sorry, I don't know how to do that. Hopefully somebody on the forum can help?

The numbers you guys are reporting are pretty similar to what I was seeing. I have already analyzed the packets and forced the alert to trigger repeatedly in my lab, on normal traffic. I believe the signature is doing exactly what it was written to do: it triggers an alert for every 2000 script action handlers that it sees within a packet within 30 seconds (I believe that is the time), from the same source/dest. combo. The key to this signature is that it would effectively catch a handler overflow; however, it is also going to catch normal activity. Given this fact it's important to filter your own webservers if they trigger the alert, because your servers may have a lot of handlers, but your site isn't trying to do a handler overflow. If you don't filter your own web server, then it will trigger alarms (showing your IP as the source) following the GET request from whomever surfs to your web page and likely accesses more than one area of your site within the 30 seconds.

If you guys are interested in doing a packet capture and some test of this alarm from a website that is normal do this:

Imagine you're a user and you want to shop for appliances at Costco. You'll go out to http://costco.com (resolves to 170.167.8.1). The page loads, no alarm triggers at first. But you know you want to look at appliances, so right away you click on the appliances menu on the web site. Now you have loaded script handlers from the main web page and the appliances web page of Costco.com. Too many handlers in 30 seconds and an alarm triggers. If you do the above it will happen every time.

To capture these packets, either log the packet for the alert or do what I prefer: tcpdump.

Log into the sensor as tac (your service account). su - to get to root. Then do the following.

tcpdump -i eth0 -s 2500 host 170.167.8.1 -w 5737test

If your sensing interface isn't eth0, then change that to eth1, eth2 or whatever it is. If you don't know it, do an "ifconfig" from the CLI to look at the interfaces.

After your capture is running, browse the Costco website main page and then one or more menu areas. An alert should trigger. Switch back to your capture and press Ctrl-C to stop it. Now FTP the 5737test file from the sensor to a system that can read it in a packet analyzer. Or if Cisco wants it, determine where they want you to send it. I use Ethereal to analyze the packets, but there are others that are good too.

My opinion on the signature is that maybe it could be tuned a bit better, but I don't know all the details of the overflow. Since the signature is doing what it is doing, then filter your servers. Analyze other servers that you see alerts from, if they are all normal then filter them too. Since the alarm will trigger on good and bad, I agree with downgrading it from high to something lower, because a lot of the alerts won't be cause for real alarm.

So kind of a lot of info above, but hopefully that will help a bit.
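To make the behaviour described in the post above concrete, here is an added simulation (not Cisco's signature engine and not code from anyone in this thread) of a per-source/destination handler counter with the 2000-handler threshold and 30-second window quoted in the thread, plus the source-IP filter the thread recommends. The handler regex, the window-reset logic, the IP addresses and the address-book page are all constructed assumptions.

```python
import re

# Matches HTML script action handlers such as onMouseOver= or onClick=.
# The real signature's matching rules are not on the page; this is an assumed approximation.
HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
THRESHOLD = 2000      # handler count quoted in the thread
WINDOW_SECONDS = 30   # time window quoted in the thread


def count_handlers(payload: str) -> int:
    """Count script action handlers in one HTML payload."""
    return len(HANDLER_RE.findall(payload))


class HandlerOverflowDetector:
    """Per source/destination counter modelled on the thread's description of sig 5737."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECONDS, filtered_sources=()):
        self.threshold = threshold
        self.window = window
        self.filtered_sources = set(filtered_sources)  # own web servers to exclude
        self.state = {}  # (src, dst) -> [window_start, running_count]

    def observe(self, src: str, dst: str, ts: float, payload: str) -> bool:
        """Feed one server->client packet; return True when an alert would fire."""
        if src in self.filtered_sources:
            return False
        start, count = self.state.get((src, dst), (ts, 0))
        if ts - start > self.window:        # window expired: start counting afresh
            start, count = ts, 0
        count += count_handlers(payload)
        fired = count >= self.threshold
        if fired:                           # one alert per `threshold` handlers
            start, count = ts, 0
        self.state[(src, dst)] = [start, count]
        return fired


def webmail_page(rows: int) -> str:
    """Constructed sample: an address-book listing with two handlers per row."""
    row = '<TR><TD><A HREF="addrbook.cgi?uid=u{i}" onMouseOver="hl(this)" onMouseOut="un(this)">u{i}</A></TD></TR>'
    return "<HTML><BODY><TABLE>" + "".join(row.format(i=i) for i in range(rows)) + "</TABLE></BODY></HTML>"


def simulate(gap_seconds: float, filter_server: bool = False) -> list:
    """Two 600-row pages (1200 handlers each) from the webmail server (constructed IPs) to one client."""
    det = HandlerOverflowDetector(filtered_sources=["10.0.0.5"] if filter_server else ())
    page = webmail_page(600)
    return [det.observe("10.0.0.5", "10.0.1.20", t, page) for t in (0.0, gap_seconds)]
```

Two benign pages 10 seconds apart cross 2000 handlers and fire on the second packet; the same pages 40 seconds apart never do, and filtering the server's source IP suppresses the alert entirely.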

Filtering is good if you are a small/medium size corporation. When you are as large as we are, filtering out hundreds of webservers, proxy servers and outside servers on many sensors is not a good alternative. If the sig cannot be tuned better to truly identify malicious intent, then it is useless to us.

We are currently researching to improve this signature further. If you have any traffic samples or any show event alert information it would help us greatly in our research.
