signature 5392,5393

darin.marais
Level 4

If an internal user connects to an Internet web page via a proxy, is the user still vulnerable to the attack listed in signature ID 5392?

Current Signature: Engine STRING.TCP SIGID 5392 SigName: Internet Explorer XML Object Overflow Type 1

11 - ServicePorts = 80

Will I need to add the Internet proxy port to the list of service ports in order to detect the victim's IP address (the internal user), as opposed to just having the source IP address of the Internet proxy server?

3 Replies

derwalke
Level 1

Assuming that the IDS is on the internal side of the proxy along with the user, you would need to make sure that the signature had the port added that the internal users use to go over the proxy. In this scenario, you would see who the 'victims' were, but all 'attackers' would have the proxy IP address. If the IDS is on the other side (outside) of the proxy, you will see all of the attackers' IPs, but will be unable to see the 'victims' no matter which ports are used.

Firstly, thank you for your reply. I am sorry if I sound just a little confused in my response, but here goes.

There is more than just one signature that uses serviceport=80 as a parameter for tuning the signature. I have used this signature, id=5392, as an example for my post.

* Will I need to go to each of these signatures and update it with the proxy port?

* Is there a way to update globally all web signatures that use serviceport =80,443 etc?

* Is this something that would be recommended, or is it better practice to leave the signature as it is without alteration? What do others do when faced with the same situation?

IMHO, I am not a big fan of changing the defaults of a signature unless of course it is a signature that uses a flood engine to discover abnormalities. I prefer to leave as much as possible as default but still gain the maximum ability to discover attacks for both the source and the destination when there is a proxy in the middle.

* Will I need to go to each of these signatures and update it with the proxy port?

No, this is not needed if you are running 4.0 or later.

* Is there a way to update globally all web signatures that use serviceport =80,443 etc?

Yes, there is a System Variable named WEBPORTS that these signatures are using to define their Service Ports. You can add your proxy port to the list.

* Is this something that would be recommended, or is it better practice to leave the signature as it is without alteration?

In this case you should add the port, as without it you will not be able to detect any activity on the proxied server. This might cause a problem with false positives, but I suspect it won't. Since you can simply add the proxy port to the already existing list, you will still be covered on any non-proxied traffic.

Your policy of not altering the default behavior of a signature is well founded. This could result in the signature not functioning as coded; however, it is acceptable to make changes that mold the signature to your environment. We typically protect the core nature of the signatures we write so they cannot be altered too badly, but there is still danger in modifying parameters that you do not fully understand.

Best advice: ask. We are always here to help.
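The following Python is an added illustration, not code from this thread and not Cisco's signature engine. It models the two points made in the replies above: a port-keyed STRING.TCP signature only inspects streams whose server-side port is in its service-port list (WEBPORTS), and which address an alert reports as attacker and victim depends on whether the sensor sits between the user and the proxy or between the proxy and the Internet. The IP addresses, the proxy port 8080, the payload marker standing in for the real 5392 pattern, and the attacker/victim assignment rule are all constructed assumptions.

```python
"""Toy model of how a port-keyed signature sees proxied web traffic.

Added example (not Cisco code): flows, the signature object and the
WEBPORTS set are constructed here to show why both sensor placement and
the service-port list determine what an alert for sig 5392 can report.
"""
from dataclasses import dataclass

# Constructed sample addresses (hypothetical, not from the thread).
INTERNAL_USER = "10.1.1.25"
PROXY = "10.1.1.8"
MALICIOUS_SITE = "203.0.113.45"

# Constructed stand-in for the exploit content. The real 5392 regex is not
# on the page; any distinctive byte string serves to show the port logic.
EXPLOIT_MARKER = b"<XML ID=I><X><C><![CDATA["
MALICIOUS_RESPONSE = b"HTTP/1.1 200 OK\r\n\r\n<html>" + EXPLOIT_MARKER + b"..."
BENIGN_RESPONSE = b"HTTP/1.1 200 OK\r\n\r\n<html><body>hello</body></html>"


@dataclass(frozen=True)
class Flow:
    """One reassembled TCP stream: client opened it to server:server_port,
    payload is the server's response (the direction an IE exploit arrives in)."""
    client: str
    server: str
    server_port: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    """Minimal stand-in for a STRING.TCP signature with a ServicePorts list.
    Streams whose server-side port is not in service_ports are never inspected."""
    sig_id: int
    name: str
    pattern: bytes
    service_ports: frozenset

    def match(self, flow):
        """Return an alert (attacker/victim as the sensor would report) or None."""
        if flow.server_port not in self.service_ports:
            return None  # engine skips the stream entirely: no inspection, no alert
        if self.pattern not in flow.payload:
            return None
        # Assumption: for server-to-client exploit content the server side is
        # reported as attacker and the client side as victim.
        return {"sig_id": self.sig_id, "attacker": flow.server, "victim": flow.client}


def sig_5392(webports):
    """Build the toy 5392 signature keyed on a given WEBPORTS set."""
    return Signature(5392, "Internet Explorer XML Object Overflow Type 1",
                     EXPLOIT_MARKER, frozenset(webports))


def inside_flow(proxy_port, payload=MALICIOUS_RESPONSE):
    """Stream a sensor on the internal side sees: user -> proxy:proxy_port."""
    return Flow(INTERNAL_USER, PROXY, proxy_port, payload)


def outside_flow(payload=MALICIOUS_RESPONSE):
    """Stream a sensor outside the proxy sees: proxy -> site:80."""
    return Flow(PROXY, MALICIOUS_SITE, 80, payload)


def scenario(webports, proxy_port=8080):
    """Run the signature against both vantage points for one WEBPORTS setting."""
    sig = sig_5392(webports)
    return {
        "inside": sig.match(inside_flow(proxy_port)),
        "outside": sig.match(outside_flow()),
        "inside_benign": sig.match(inside_flow(proxy_port, BENIGN_RESPONSE)),
    }


if __name__ == "__main__":
    for label, ports in (("default WEBPORTS", {80, 443}),
                         ("WEBPORTS + proxy port", {80, 443, 8080})):
        result = scenario(ports)
        print(f"{label}: inside={result['inside']}  outside={result['outside']}")
```

With the shipped port list the inside sensor never inspects the user-to-proxy stream on 8080, so the exploit goes unreported there, while the outside sensor fires but names the proxy as the victim. Adding 8080 to WEBPORTS makes the inside sensor report the internal user as victim, with the proxy as the only attacker address it can know; the benign response on 8080 still produces no alert, which is the false-positive question from the thread.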
