Cisco Support Community
Community Member

CS-MARS, IIS, 401's (and you)

I am experiencing a little issue trying to tune out errors from IIS weblogs and integrated authentication.

When you have integrated authentication set up within IIS, the webserver goes through a certain process to force the browser to authenticate. First the browser tries to call up a page, picture or object with a GET request. This fails, forcing back a 401 response and telling the browser to authenicate instead. Then the authenciation comes across (behind the scenes) and the user is let in. Of course, to the user it looks as if everything went through just fine.

Here is an example of what the logs look like:

2005-12-12 01:51:38 172.x.x.x - W3SVC3 <SERVERNAME> 172.x.x.x 80 GET /images/<image>.gif - 401 5 4644 818 16 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+InfoPath.1)

2005-12-12 01:51:38 172.x.x.x DOMAIN\username W3SVC3 <SERVER> 172.x.x.x 80 GET /images/<image>.gif - 304 0 199 409 0 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+InfoPath.1)

This is standard IIS procedure. You will see your logs filled with 401's as users authorize themselves to the page.

Unfortunately, when CS mars gets these IIS logs (using SNARE IIS), it will count the number of 401's and eventually fire saying that there is an attack going on your webserver. If you have a chatty webserver, this can happen constantly.

How would you (the MARS community) suggest tuning out these errors? It's a tricky one, because you still want to be warned for unathorized access, so I don't want to just tune out the rule completely... but at the same token it's not working properly, yet.

This is a common enough error I'm wondering if anyone else has run into it?




Re: CS-MARS, IIS, 401's (and you)

So, looking at ur pblm and the example, I have a quick question?.Will it be fine if the csmars is able to differenciate an external attack and a web server auth failure?.Just let me know this is ok for u.If s, I can move out to the suggestion.

Community Member

Re: CS-MARS, IIS, 401's (and you)

I'm not exactly sure I understand your question? Yes, the goal of the CS-MARS would be to discover website attacks. However, some of those attacks will be from attempting to log in to authorized only websites. If the hacker attempts on several occasions to access it, I do indeed want to see those 401 errors.

Essentially the way I have the rule tuned right now is anything from the internal network, attempting to hit our intranet or extranet website, has to reach a count of 20 before it will fire the incident. However, even that still fires fairly regularly. The reason? HTTP sessions are numerous and authentication will eventually time out, forcing it to re-authorize while getting these 401 errors.

I don't want to increase the count so high that if a legitement attack came at my webserver, from the inside, I wouldn't see it. But at the same token, seeing all of these false positives really doesn't help much.

CreatePlease to create content