CS-MARS, IIS, 401's (and you)

normalit
Level 1

I am experiencing a little issue trying to tune out errors from IIS weblogs and integrated authentication.

When you have integrated authentication set up within IIS, the webserver goes through a certain process to force the browser to authenticate. First the browser tries to call up a page, picture or object with a GET request. This fails, forcing back a 401 response and telling the browser to authenticate instead. Then the authentication comes across (behind the scenes) and the user is let in. Of course, to the user it looks as if everything went through just fine.

Here is an example of what the logs look like:

2005-12-12 01:51:38 172.x.x.x - W3SVC3 <SERVERNAME> 172.x.x.x 80 GET /images/<image>.gif - 401 5 4644 818 16 HTTP/1.1 web.address.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+InfoPath.1) http://web.address.com/

2005-12-12 01:51:38 172.x.x.x DOMAIN\username W3SVC3 <SERVER> 172.x.x.x 80 GET /images/<image>.gif - 304 0 199 409 0 HTTP/1.1 web.address.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+InfoPath.1) http://web.address.com/

This is standard IIS procedure. You will see your logs filled with 401's as users authorize themselves to the page.

Unfortunately, when CS-MARS gets these IIS logs (using SNARE IIS), it will count the number of 401's and eventually fire, saying that there is an attack going on against your webserver. If you have a chatty webserver, this can happen constantly.

How would you (the MARS community) suggest tuning out these errors? It's a tricky one, because you still want to be warned for unauthorized access, so I don't want to just tune out the rule completely... but at the same token it's not working properly, yet.

This is a common enough error that I'm wondering if anyone else has run into it?

Thanks!

-Erik

2 Replies

mchin345
Level 6

So, looking at your problem and the example, I have a quick question. Will it be fine if the CS-MARS is able to differentiate an external attack and a web server auth failure? Just let me know if this is ok for you. If so, I can move on to the suggestion.

I'm not exactly sure I understand your question? Yes, the goal of the CS-MARS would be to discover website attacks. However, some of those attacks will be from attempting to log in to authorized-only websites. If the hacker attempts on several occasions to access it, I do indeed want to see those 401 errors.

Essentially the way I have the rule tuned right now is anything from the internal network, attempting to hit our intranet or extranet website, has to reach a count of 20 before it will fire the incident. However, even that still fires fairly regularly. The reason? HTTP sessions are numerous and authentication will eventually time out, forcing it to re-authorize while getting these 401 errors.

I don't want to increase the count so high that if a legitimate attack came at my webserver, from the inside, I wouldn't see it. But at the same token, seeing all of these false positives really doesn't help much.
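As an added example (not code from the original post, from Cisco, or from CS-MARS), here is the pairing logic I would apply before counting 401's against a count-based threshold like the one described in the replies: a 401 is treated as a benign integrated-authentication challenge when the same client re-requests the same URI with a username and a success status within a few seconds, and only the unmatched 401's count toward the threshold. The log lines, hostnames and IP addresses are constructed; the 20-field layout follows the two sample lines in the original post.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the IIS W3C layout shown in the post (not real traffic).
# Field order: date time c-ip cs-username s-sitename s-computername s-ip s-port
# cs-method cs-uri-stem cs-uri-query sc-status ... (20 space-separated fields).
SAMPLE_LOG = """\
2005-12-12 01:51:38 10.0.0.5 - W3SVC3 WEB1 10.0.0.10 80 GET /images/logo.gif - 401 5 4644 818 16 HTTP/1.1 web.address.com UA http://web.address.com/
2005-12-12 01:51:38 10.0.0.5 DOMAIN\\alice W3SVC3 WEB1 10.0.0.10 80 GET /images/logo.gif - 304 0 199 409 0 HTTP/1.1 web.address.com UA http://web.address.com/
2005-12-12 01:51:40 10.0.0.5 - W3SVC3 WEB1 10.0.0.10 80 GET /default.aspx - 401 5 4644 818 16 HTTP/1.1 web.address.com UA -
2005-12-12 01:51:40 10.0.0.5 DOMAIN\\alice W3SVC3 WEB1 10.0.0.10 80 GET /default.aspx - 200 0 5120 409 3 HTTP/1.1 web.address.com UA -
2005-12-12 01:52:01 10.0.0.99 - W3SVC3 WEB1 10.0.0.10 80 GET /admin/ - 401 5 4644 818 16 HTTP/1.1 web.address.com UA -
2005-12-12 01:52:02 10.0.0.99 - W3SVC3 WEB1 10.0.0.10 80 GET /admin/ - 401 5 4644 818 16 HTTP/1.1 web.address.com UA -
2005-12-12 01:52:03 10.0.0.99 - W3SVC3 WEB1 10.0.0.10 80 GET /admin/ - 401 5 4644 818 16 HTTP/1.1 web.address.com UA -
"""


def parse_line(line):
    """Pull the fields this check needs out of one W3C log line."""
    f = line.split(" ")
    return {"ts": datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S"),
            "client": f[2], "user": f[3], "uri": f[9], "status": int(f[11])}


def _challenge_completed(recs, i, grace):
    """True if the 401 at recs[i] is followed by an authenticated success for the same client+URI."""
    r = recs[i]
    for n in recs[i + 1:]:
        if n["ts"] - r["ts"] > grace:          # lines are in time order; stop past the window
            break
        if (n["client"] == r["client"] and n["uri"] == r["uri"]
                and n["user"] != "-" and n["status"] < 400):
            return True
    return False


def classify_401s(lines, grace=timedelta(seconds=5)):
    """Return (benign, unmatched): per-client counts of paired vs. unpaired 401 responses."""
    recs = [parse_line(l) for l in lines if l.strip()]
    benign, unmatched = defaultdict(int), defaultdict(int)
    for i, r in enumerate(recs):
        if r["status"] == 401:
            bucket = benign if _challenge_completed(recs, i, grace) else unmatched
            bucket[r["client"]] += 1
    return dict(benign), dict(unmatched)


def clients_over_threshold(unmatched, threshold=20):
    """Clients whose unpaired 401 count reaches the rule's count threshold (20 in the thread)."""
    return sorted(c for c, n in unmatched.items() if n >= threshold)
```

Feeding only the unmatched counts into the count-based rule keeps the alert for repeated failed access while letting the browser's normal 401/success pairs pass, so session re-authentication no longer inflates the count.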