12.07.2015

Symantec™ Security Gateways Reference Guide - Sawmill



IDS events - Signatures

HTTP MS IIS TranslateF Request

Base Event:

Details: Microsoft IIS 5.0 lets remote attackers obtain source code for .ASP files and other scripts by means of an HTTP GET request with a “Translate: f” header, also known as the “Specialized Header” vulnerability.

Microsoft IIS 5.0 has a dedicated scripting engine for advanced file types such as ASP, ASA, HTR, and so forth. The scripting engines handle requests for these file types, process them accordingly, and then execute them on the server.

It is possible to force the server to send back the source of known scriptable files to the client if the HTTP GET request contains a specialized header with ‘Translate: f’ at the end of it, and if a trailing slash ‘/’ is appended to the end of the URL. The scripting engine will locate the requested file; however, it will not recognize it as a file that needs to be processed and will proceed to send the file source to the client.

Response: Contact Microsoft for the latest patches.

Affected: Microsoft IIS 5.0

False Positives: This signature can produce false positives when users give commands with tilde (~) characters.

References:
Security Focus BID: 1578
CVE-2000-0778
Microsoft Security Bulletin: MS00-033

HTTP Tomcat Cross Site Scripting

Base Event: TOMCAT_CROSS_SITE

Details: Apache Tomcat is a freely available, open source Web server maintained by the Apache Foundation. It is available for use on UNIX and Linux variants as well as Microsoft Windows operating environments. A vulnerability has been reported for Apache Tomcat 4.0.3 on Microsoft Windows and Linux platforms. Reportedly, it is possible for an attacker to launch a cross site scripting attack.

When servlet mapping is enabled, it is possible to invoke various servlets and cause Apache Tomcat to throw an exception. This will make cross site scripting attacks possible.

The ‘invoker’ servlet is mapped to ‘/servlet/’. This mapping allows for the execution of anonymous servlet classes that have not been defined in the file /tomcat-install-dir/conf/web.xml.

This may enable a remote attacker to steal cookie-based authentication credentials from legitimate users of a host running Apache Tomcat.

Response: Use proxy servers to filter untrusted traffic. Filtering scripts from inappropriate sources is a good policy, but you should design rules with care to ensure they not only allow acceptable activity but are also effective. You should ensure that the filtering rules and/or underlying software recognize URL encoded characters, unexpected combinations of characters, or extra whitespace, for example. Try to make rule sets as comprehensive (or non-specific) as possible without affecting acceptable usage.

Set Web browser security to disable the execution of script code or active content. If it is not required, disable JavaScript (and other script) execution in your Web browser. This is particularly crucial on systems used for maintenance of your infrastructure, production workstations, etc.

Deploy network intrusion detection systems to monitor network traffic for malicious activity. As a part of a comprehensive security policy, you should monitor for unexpected behavior occurring on your network and inspect all instances to determine the source and purpose. Types of activity that should be monitored include: unexpected changes in network performance such as variations in traffic load at specified times; traffic coming from or going to unexpected locations; connections made at unusual times; repeated, failed connection attempts; unauthorized scans and probes; nonstandard or malformed packets (protocol violations). It is important to regularly audit logs.
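The two signatures above, sketched as detection logic run over constructed sample requests. This is an added example, not Symantec's signature logic and not code from the guide: the matching rules, the helper names `parse_request`, `decode_fully` and `classify`, and the sample hosts and paths are assumptions made for illustration. The repeated decoding step follows the guide's advice that filtering rules recognize URL encoded characters and extra whitespace.

```python
import re
from urllib.parse import unquote

# Assumed matching rule for illustration; tolerates whitespace inside the tag.
SCRIPT_RE = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)

def parse_request(raw):
    """Split a raw HTTP request into method, target and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target = head[0].split(" ")[:2]
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def decode_fully(text, max_rounds=3):
    """Undo repeated URL encoding so %253C and %3C both become '<'."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify(raw):
    """Return the names of the guide's signatures that the request matches."""
    method, target, headers = parse_request(raw)
    hits = []
    path = target.split("?", 1)[0]
    # GET + trailing slash + 'Translate: f' (header name and value in any case)
    if (method.upper() == "GET" and path.endswith("/")
            and headers.get("translate", "").lower() == "f"):
        hits.append("HTTP MS IIS TranslateF Request")
    # Script markup under the invoker mapping, checked after decoding
    decoded = decode_fully(target)
    if decoded.lower().startswith("/servlet/") and SCRIPT_RE.search(decoded):
        hits.append("HTTP Tomcat Cross Site Scripting")
    return hits

# Constructed sample requests, not captured traffic.
SAMPLES = {
    "translate_f": "GET /app/default.asp/ HTTP/1.1\r\nHost: www.example.test\r\nTranslate:  F\r\n\r\n",
    "encoded_script": "GET /servlet/%253Cscript%20%253Ex%253C/script%253E HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "benign": "GET /servlet/Report?id=7 HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

A rule that matched the literal string `<script` without decoding would miss the double-encoded sample, which is the failure the guide's filtering advice is aimed at.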
