Review your favorite Linux distribution.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 05-19-2010, 12:19 PM   #1
LQ Newbie
Registered: May 2010
Posts: 7

Rep: Reputation: 0
Web Server and IDS logs at the same access time period, what to do for the alert?

Below is the IDS Alerts and the web server log from the same time period, what would i do in response to the Alert?

/usr/local/apache/access.log: - - [03/Apr/2007:15:31:27 -0400] "GET / HTTP/1.1" 304 - - - [03/Apr/2007:16:19:03 -0400] "GET / HTTP/1.1" 200 44 - - [03/Apr/2007:16:29:31 -0400] "GET /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 227 - - [03/Apr/2007:16:29:31 -0400] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 227

Apr 3 16:31:25 Snort snort[2217]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING {TCP} ->
Apr 3 16:31:27 Snort snort[2217]: [1:1807:10] WEB-MISC Chunked-Encoding transfer attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} ->
Apr 3 16:31:27 Snort snort[2217]: [1:1248:13] WEB-FRONTPAGE rad fp30reg.dll access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} ->
Apr 3 16:31:27 Snort snort[2217]: [1:1288:8] WEB-FRONTPAGE /_vti_bin/ access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} ->
Apr 3 16:31:27 Snort snort[2217]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING {TCP} ->
Old 05-19-2010, 02:22 PM   #2
Senior Member
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 167Reputation: 167
Well except for maybe banning the offending ip address, nothing. Your server 404'd (not found/inaccessible) those files and unless you have the frontpage extensions it was just someone probing. Course if you're running the frontpage extensions someone attempting to find vulnerabilities on your server is the least of your concerns.

Last edited by rweaver; 05-19-2010 at 02:24 PM.
Old 05-25-2010, 08:49 AM   #3
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158Reputation: 158
I agree with rweaver...consider it benign unless you're actually affected.

Nice to see someone actually conducting log correlation, though!


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Oracle 9i Alert logs cmontr Linux - General 3 12-11-2007 05:21 PM
restricting web access by time thagu Linux - Networking 2 03-01-2006 12:43 PM
Can't access Linux web server web pages from LAN client jaydave Linux - Networking 4 03-16-2003 02:38 AM
Tomcat jakarta server is shutting down after particular time period(critical) fmohideen76 Linux - General 1 07-11-2002 06:10 AM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 11:51 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration