Cisco Support Community

New Member

Attacks severity based on webserver reply

Cisco and guys,

how good an idea is it to define a severity of webserver attacks based on

the direction of the attack and the webserver reply?

Means, for example:

CodeRed incoming is minor, CodeRed (or similar) outgoing is critical

(could be a diff. signature on sensor)

Error 404 on Nimda (or similar) is minor, Error 200 on Nimda is critical

(HTTP engine should be modified?)

2 REPLIES
Cisco Employee

Re: Attacks severity based on webserver reply

CodeRed incoming is minor, CodeRed (or similar) outgoing is critical

(could be a diff. signature on sensor)

- This can be done today, by creating two signatures for CodeRed.

The first signature would be configured with a minor severity and you would setup an exclude to filter the signature when the source is IN your network.

So it will only fire when the source is OUTside your network.

The second signature would be configured with a critical severity and you would setup an exclude to filter the signature when the source is OUTside your network.

Error 404 on Nimda (or similar) is minor, Error 200 on Nimda is critical

(HTTP engine should be modified?)

- This would take modification to the HTTP Engine. Engineering is evaluating the enhancement request.

SIDE NOTE: Cisco has recently announced its intent to purchase Psionic Technologies. Psionic has the product Clear Response which receives IDS alerts and then checks them against your network to help eliminate false positives.

You can read more about Psionic and their Clear Response tool at:

www.psionic.com.

New Member

Re: Attacks severity based on webserver reply

For Nimda (not all sigs) you can use the way the worm works to eliminate some of the attacks. For instance it initially does a c+dir command to see what the response code is. You will see a lot of these "minor". If the return code is what it is expecting (which is either a search for return 200 or not receiving a specific 400 request) then Nimda will actively attack. This means you will see the signatures contain payloads such as ("httpodbc.dll", "admin.dll") and others. This would mean an active Nimda infection attempt is under way.
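The two replies above describe the same idea from two angles: rate a worm signature by whether its source is inside or outside the protected network, and by whether the web server answered the probe with a 200 or rejected it. The following Python script is an added illustration of both rules applied together; it is not code from Cisco, from the Cisco IDS product, or from either poster. The key=value log format, the 10.0.0.0/8 internal range and every address in the sample lines are constructed assumptions; the "c+dir", "httpodbc.dll" and "admin.dll" fragments come from the thread (the pattern also accepts the "httpdodbc.dll" spelling used there), and "default.ida" is the publicly documented CodeRed request target rather than something the thread states.

```python
"""Classify web-server worm events by direction and server reply.

Added example; not Cisco's code and not the IDS product's signature format.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption (constructed): the address range the sensor protects.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Illustrative request-URI patterns, checked in order. The labels are
# ours, not Cisco signature IDs. "c+dir" and the two DLL names come from
# the thread; "default.ida" is the publicly documented CodeRed target.
WORM_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("CodeRed", re.compile(r"/default\.ida", re.IGNORECASE)),
    ("Nimda-probe", re.compile(r"/c\+dir", re.IGNORECASE)),
    ("Nimda-attack", re.compile(r"(httpd?odbc\.dll|admin\.dll)", re.IGNORECASE)),
]


@dataclass
class HttpEvent:
    src: str
    dst: str
    uri: str
    status: int


# Constructed log format: "key=value" pairs, one request/response per line.
_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> HttpEvent:
    fields = dict(_KV.findall(line))
    return HttpEvent(fields["src"], fields["dst"], fields["uri"], int(fields["status"]))


def match_worm(uri: str) -> Optional[str]:
    """Return the label of the first worm pattern found in the URI, if any."""
    for name, pattern in WORM_PATTERNS:
        if pattern.search(uri):
            return name
    return None


def direction(ev: HttpEvent) -> str:
    """'outbound' when the source is one of our own hosts, else 'inbound'."""
    return "outbound" if ipaddress.ip_address(ev.src) in INTERNAL_NET else "inbound"


def severity(ev: HttpEvent) -> Optional[Tuple[str, str, str]]:
    """Apply the thread's two rules; returns (worm, direction, severity)."""
    worm = match_worm(ev.uri)
    if worm is None:
        return None
    d = direction(ev)
    if d == "outbound":
        sev = "critical"  # an internal host is sourcing worm traffic: likely infected
    elif ev.status == 200:
        sev = "critical"  # the server answered as the worm expects: likely vulnerable
    elif worm == "Nimda-attack":
        sev = "critical"  # payload stage only follows a probe the worm liked
    else:
        sev = "minor"  # inbound probe that the server rejected (404 and the like)
    return worm, d, sev


def classify_log(text: str) -> List[Tuple[str, str, str]]:
    """Run every non-empty log line through severity(); drop non-worm traffic."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        verdict = severity(parse_event(line))
        if verdict is not None:
            results.append(verdict)
    return results


def count_by_severity(text: str) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for _, _, sev in classify_log(text):
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Constructed sample: an outside host probing two internal servers, one of
# which answers 200; the payload stage against that server; an internal host
# emitting CodeRed traffic; and one ordinary request that should be ignored.
SAMPLE_LOG = """\
src=203.0.113.5 dst=10.0.0.8 method=GET uri=/scripts/cmd.exe?/c+dir status=404
src=203.0.113.5 dst=10.0.0.9 method=GET uri=/scripts/cmd.exe?/c+dir status=200
src=203.0.113.5 dst=10.0.0.9 method=GET uri=/scripts/httpodbc.dll status=404
src=10.0.0.23 dst=198.51.100.7 method=GET uri=/default.ida?XXXX status=404
src=198.51.100.7 dst=10.0.0.8 method=GET uri=/index.html status=200
"""

if __name__ == "__main__":
    for worm, d, sev in classify_log(SAMPLE_LOG):
        print(f"{worm:13s} {d:9s} {sev}")
    print(count_by_severity(SAMPLE_LOG))
```

The first reply's two-signature approach maps onto the `direction()` branch: one rule for sources outside the network and one for sources inside it. The second reply's observation maps onto the status check and the separate "Nimda-attack" label, so a rejected probe stays minor while a 200 on the probe, or the payload stage itself, is raised to critical.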

99 Views

0 Helpful

2 Replies