Web server and IDS logs from the same time period: what to do about the alert?
Below are the IDS alerts and the web server log from the same time period. What would I do in response to the alert?
/usr/local/apache/access.log:
72.140.131.231 - - [03/Apr/2007:15:31:27 -0400] "GET / HTTP/1.1" 304 -
72.140.131.231 - - [03/Apr/2007:16:19:03 -0400] "GET / HTTP/1.1" 200 44
72.140.131.231 - - [03/Apr/2007:16:29:31 -0400] "GET /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 227
72.140.131.231 - - [03/Apr/2007:16:29:31 -0400] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 227

/var/log/snort/snort.log:
Apr 3 16:31:25 Snort snort[2217]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING {TCP} 72.140.131.231:13446 -> 192.168.1.1:80
Apr 3 16:31:27 Snort snort[2217]: [1:1807:10] WEB-MISC Chunked-Encoding transfer attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 72.140.131.231:13449 -> 192.168.1.1:80
Apr 3 16:31:27 Snort snort[2217]: [1:1248:13] WEB-FRONTPAGE rad fp30reg.dll access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 72.140.131.231:13449 -> 192.168.1.1:80
Apr 3 16:31:27 Snort snort[2217]: [1:1288:8] WEB-FRONTPAGE /_vti_bin/ access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 72.140.131.231:13449 -> 192.168.1.1:80
Apr 3 16:31:27 Snort snort[2217]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING {TCP} 72.140.131.231:13449 -> 192.168.1.1:80
Well, except for maybe banning the offending IP address, nothing. Your server 404'd (not found/inaccessible) those files, and unless you have the FrontPage extensions it was just someone probing. 'Course, if you're running the FrontPage extensions, someone attempting to find vulnerabilities on your server is the least of your concerns.
I agree with rweaver... consider it benign unless you're actually affected.
Nice to see someone actually conducting log correlation, though!
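A worked version of the correlation the thread is doing by hand, added here as an example and not code posted by anyone in the thread. It parses the Apache and Snort lines quoted above (embedded as constructed sample input), pairs each alert with web requests from the same source IP inside a clock-skew window, and reaches rweaver's conclusion automatically: every request matched to the alerts returned 404, so the alerts describe a probe for a resource the server does not have. Two things the code assumes, because syslog lines carry neither: the IDS host shares the web server's -0400 zone, and the year is 2007. The window is deliberately wide because the quoted logs show the sensor stamping 16:31:27 for requests Apache logged at 16:29:31; with a tight window the same data correlates to nothing.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the entries quoted in the thread, one per line.
ACCESS_LOG = """\
72.140.131.231 - - [03/Apr/2007:15:31:27 -0400] "GET / HTTP/1.1" 304 -
72.140.131.231 - - [03/Apr/2007:16:19:03 -0400] "GET / HTTP/1.1" 200 44
72.140.131.231 - - [03/Apr/2007:16:29:31 -0400] "GET /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 227
72.140.131.231 - - [03/Apr/2007:16:29:31 -0400] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 227
"""

SNORT_LOG = """\
Apr 3 16:31:25 Snort snort[2217]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING {TCP} 72.140.131.231:13446 -> 192.168.1.1:80
Apr 3 16:31:27 Snort snort[2217]: [1:1807:10] WEB-MISC Chunked-Encoding transfer attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 72.140.131.231:13449 -> 192.168.1.1:80
Apr 3 16:31:27 Snort snort[2217]: [1:1248:13] WEB-FRONTPAGE rad fp30reg.dll access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 72.140.131.231:13449 -> 192.168.1.1:80
Apr 3 16:31:27 Snort snort[2217]: [1:1288:8] WEB-FRONTPAGE /_vti_bin/ access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 72.140.131.231:13449 -> 192.168.1.1:80
Apr 3 16:31:27 Snort snort[2217]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING {TCP} 72.140.131.231:13449 -> 192.168.1.1:80
"""

# Assumptions: the IDS host shares the web server's -0400 zone, and the year is 2007.
# Syslog timestamps carry neither, so both must be supplied from outside the log.
LOCAL_TZ = timezone(timedelta(hours=-4))
LOG_YEAR = 2007

# Apache common log format: ip ident user [timestamp] "request" status size
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# Snort syslog output; the Classification/Priority block is absent on preprocessor alerts.
SNORT_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ snort\[\d+\]: '
    r'\[(?P<sid>[\d:]+)\] (?P<msg>.*?)'
    r'(?: \[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\]:)?'
    r' \{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$')


def parse_access(text):
    """Return one dict per parseable Apache access-log line, with a tz-aware timestamp."""
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            out.append({"ip": m["ip"], "method": m["method"], "path": m["path"],
                        "status": int(m["status"]),
                        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")})
    return out


def parse_snort(text, year=LOG_YEAR):
    """Return one dict per Snort alert line; the year and zone are supplied, not parsed."""
    out = []
    for line in text.splitlines():
        m = SNORT_RE.match(line)
        if m:
            ts = " ".join(m["ts"].split())  # collapse the "Apr  3" padding syslog uses
            when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").replace(tzinfo=LOCAL_TZ)
            out.append({"time": when, "sid": m["sid"], "msg": m["msg"],
                        "priority": int(m["prio"]) if m["prio"] else None,
                        "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
    return out


def assess(hits):
    """Classify an alert from the web server's own record of what it answered."""
    if not hits:
        return "unconfirmed"  # nothing in the web log: check clock sync, other vhosts, or a non-HTTP trigger
    if all(400 <= h["status"] < 500 for h in hits):
        return "probe"        # every request was refused or not found: log it, consider blocking the source
    return "investigate"      # something was actually served: confirm what the resource is and what it returned


def correlate(alerts, requests, skew=timedelta(minutes=5)):
    """Pair each alert with requests from the same source IP within +/- skew of the alert time."""
    results = []
    for a in alerts:
        hits = [r for r in requests
                if r["ip"] == a["src"] and abs(r["time"] - a["time"]) <= skew]
        results.append({"alert": a, "requests": hits, "verdict": assess(hits)})
    return results


def triage(access_text, snort_text, skew=timedelta(minutes=5)):
    """One (sid, message, verdict, matched requests) tuple per alert, in alert order."""
    rows = correlate(parse_snort(snort_text), parse_access(access_text), skew)
    return [(r["alert"]["sid"], r["alert"]["msg"], r["verdict"],
             sorted({(h["method"], h["path"], h["status"]) for h in r["requests"]}))
            for r in rows]


if __name__ == "__main__":
    for sid, msg, verdict, hits in triage(ACCESS_LOG, SNORT_LOG):
        print(f"[{sid}] {msg}: {verdict} {hits}")
```

Run as-is it reports every alert as `probe`, backed by the two 404s for `/_vti_bin/_vti_aut/fp30reg.dll`; the 200 on `/` at 16:19:03 is outside the window and correctly not blamed. Passing `skew=timedelta(seconds=30)` instead returns `unconfirmed` for all five, which is the practical point: correlation across hosts only works as well as their clocks agree, so check NTP before trusting a "no matching request" result.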