Attacks severity based on webserver reply

DSmirnov
Level 1

Cisco and guys,

How good an idea is it to define the severity of webserver attacks based on the direction of the attack and the webserver reply?

Meaning, for example:

CodeRed incoming is minor, CodeRed (or similar) outgoing is critical

(could be a diff. signature on sensor)

Error 404 on Nimda (or similar) is minor, Error 200 on Nimda is critical

(HTTP engine should be modified?)


marcabal
Cisco Employee

CodeRed incoming is minor, CodeRed (or similar) outgoing is critical

(could be a diff. signature on sensor)

- This can be done today, by creating two signatures for CodeRed.

The first signature would be configured with a minor severity and you would set up an exclude to filter the signature when the source is IN your network.

So it will only fire when the source is OUTside your network.

The second signature would be configured with a critical severity and you would set up an exclude to filter the signature when the source is OUTside your network.

Error 404 on Nimda (or similar) is minor, Error 200 on Nimda is critical

(HTTP engine should be modified?)

- This would take modification to the HTTP Engine. Engineering is evaluating the enhancement request.

SIDE NOTE: Cisco has recently announced its intent to purchase Psionic Technologies. Psionic has the product Clear Response which receives IDS alerts and then checks them against your network to help eliminate false positives.

You can read more about Psionic and their Clear Response tool at:

www.psionic.com.

For Nimda (not all sigs) you can use the way the worm works to eliminate some of the attacks. For instance it initially does a c+dir command to see what the response code is. You will see a lot of these "minor". If the return code is what it is expecting (which is either a search for return 200 or not receiving a specific 400 request) then Nimda will actively attack. This means you will see the signatures contain payloads such as ("httpdodbc.dll", "admin.dll") and others. This would mean an active Nimda infection attempt is under way.
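The two severity signals discussed in this thread (source direction relative to your own network, and the webserver's reply code) plus the Nimda probe-then-payload staging described above, as an added Python example that is not part of any post or Cisco product; the internal address ranges, the combined-log line format and the sample log lines are constructed assumptions for the example.

```python
import ipaddress
import re
# Assumption for this example: address ranges that count as "our network".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Request fragments named in the thread: the initial Nimda c+dir probe and the
# follow-on payload names that indicate an active infection attempt.
NIMDA_PROBE = re.compile(r"c\+dir", re.IGNORECASE)
NIMDA_PAYLOAD = re.compile(r"admin\.dll|httpdodbc\.dll", re.IGNORECASE)
# Combined-log style line: client IP, request line, status code (assumed format).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def score(src, path, status):
    """Rate one worm-signature hit; None if the request matches no signature."""
    if not (NIMDA_PROBE.search(path) or NIMDA_PAYLOAD.search(path)):
        return None
    reasons = []
    if is_internal(src):            # direction signal: the infected host is ours
        reasons.append("source is inside our network: outbound worm traffic")
    if status == 200:               # reply signal: the probe got what it wanted
        reasons.append("server replied 200: probe succeeded")
    if NIMDA_PAYLOAD.search(path):  # worm has moved past the c+dir probe
        reasons.append("follow-on Nimda payload: active infection attempt")
    return ("critical" if reasons else "minor"), reasons

def triage(lines):
    """Parse log lines and return one scored record per worm-signature hit."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, _method, path, status = m.groups()
        rated = score(src, path, int(status))
        if rated:
            out.append({"src": src, "status": int(status),
                        "severity": rated[0], "reasons": rated[1]})
    return out

# Constructed sample log (not real traffic); 10.x is inside our network.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Sep/2001:10:00:01 +0000] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 312
203.0.113.5 - - [18/Sep/2001:10:00:02 +0000] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 200 1024
10.1.2.3 - - [18/Sep/2001:10:00:03 +0000] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 312
198.51.100.7 - - [18/Sep/2001:10:00:04 +0000] "GET /scripts/Admin.dll HTTP/1.0" 404 312
192.168.1.9 - - [18/Sep/2001:10:00:05 +0000] "GET /index.html HTTP/1.0" 200 5120
"""
```

Running `triage(SAMPLE_LOG.splitlines())` rates the external 404 probe minor and escalates the other three hits to critical, each with the reason that triggered it, while the ordinary `/index.html` request is ignored.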