dotDefender putting wrong result code in IIS log.

February 8, 2010 at 11:38 am (Technology, windows)

I work with an IIS server that has an application firewall called dotDefender.  This host also runs a HIDS (host-based intrusion detection system) called OSSEC, which, by the way, I highly recommend; it is an excellent open source software package.  One of the functions of OSSEC is to monitor the IIS logs for URL requests that match patterns of potentially bad requests.  Once it spots such a request, it checks the HTTP result code.  If the result code indicates success, OSSEC generates an alert; if the result code indicates that the request did not succeed, no alert is generated.

I have been receiving many alerts from this web server about bad requests that supposedly resulted in success.  To test exactly what was happening, I manually recreated the request that the client makes to the server (a raw HTTP request typed over telnet) to see what it responds with.

Trying 192.168.254.30...
Connected to www.mywebserver.com.
Escape character is '^]'.
GET /examples/jsp/source.jsp?%2e%2e/%2e%2e/%2e%2e/%2e%2e/system/autoexec.ncf HTTP/1.1
Host: www.mywebserver.com

HTTP/1.1 302 Denied
Connection: close
Date: Mon, 08 Feb 2010 14:49:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-dotDefender-denied: 1
Location: https://www.mywebserver.com/InvalidRequest.html
Content-Type: text/html

<html></html>Connection closed by foreign host.

Well, that looks good.  The client was given a 302 (a redirect, here with dotDefender's own reason phrase ‘Denied’ and a Location pointing at the InvalidRequest page), so the request was blocked.  Nice!  But what got logged by IIS for the transaction?

2010-02-08 14:49:09 W3SVC1 www 192.168.254.30 GET /examples/jsp/source.jsp %2e%2e/%2e%2e/%2e%2e/%2e%2e/system/autoexec.ncf 80 - 192.168.254.1 HTTP/1.1 - - - www.mywebserver.com 200 0 0 247 112 5125

Wowzers!  For some reason IIS has logged status code 200, ‘OK’, for that transaction.  This makes it look like that nasty URL succeeded.  As a result, OSSEC does its job and alerts me about it.
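To make the discrepancy concrete, here is an added example (my code, not the post author's and not OSSEC's rule base): it parses W3C-format IIS log lines the way a log monitor would, flags traversal-looking requests that were logged as 2xx, and parses the raw response captured above to show that the status on the wire (302) and the status in the log (200) disagree. The #Fields directive and the two extra log records are constructed; the field order is the default IIS 6 W3C set, assumed to match the 22 columns of the line quoted in the post. The pattern list is a simplified stand-in for a HIDS web rule set. Note that with the default field set the log never sees the X-dotDefender-denied header, so the log line alone cannot reveal that the WAF blocked the request.

```python
"""Check an IIS W3C log the way a HIDS would, and reconcile it with the
response the client actually received. Added example; not OSSEC's rules."""
from urllib.parse import unquote

# Constructed sample log. The #Fields directive is assumed to be the default
# IIS 6 W3C field set; the first record is the line quoted in the post, the
# other two are made up (a benign request, and a denial logged correctly as 302).
IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2010-02-08 14:49:09 W3SVC1 www 192.168.254.30 GET /examples/jsp/source.jsp %2e%2e/%2e%2e/%2e%2e/%2e%2e/system/autoexec.ncf 80 - 192.168.254.1 HTTP/1.1 - - - www.mywebserver.com 200 0 0 247 112 5125
2010-02-08 14:50:12 W3SVC1 www 192.168.254.30 GET /index.html - 80 - 192.168.254.1 HTTP/1.1 - - - www.mywebserver.com 200 0 0 1024 98 15
2010-02-08 14:51:03 W3SVC1 www 192.168.254.30 GET /examples/jsp/source.jsp %2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd 80 - 192.168.254.1 HTTP/1.1 - - - www.mywebserver.com 302 0 0 247 112 3
"""

# The response captured over telnet in the post, reassembled as bytes.
RAW_RESPONSE = (
    b"HTTP/1.1 302 Denied\r\n"
    b"Connection: close\r\n"
    b"Date: Mon, 08 Feb 2010 14:49:09 GMT\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"X-dotDefender-denied: 1\r\n"
    b"Location: https://www.mywebserver.com/InvalidRequest.html\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html></html>"
)

# Simplified stand-in for a HIDS web rule set: traversal plus a few target files.
BAD_PATTERNS = ("../", "..\\", "/etc/passwd", "autoexec", "cmd.exe")


def parse_w3c(text):
    """Turn W3C extended log text into dicts keyed by the #Fields names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.strip().split(" ")
        if fields is None or len(values) != len(fields):
            raise ValueError("column count does not match #Fields: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def request_target(rec):
    """Rebuild the requested URI; IIS logs '-' for an empty query string."""
    uri = rec["cs-uri-stem"]
    if rec.get("cs-uri-query", "-") != "-":
        uri += "?" + rec["cs-uri-query"]
    # Decode twice so both %2e%2e and %252e%252e collapse to '..'.
    return unquote(unquote(uri))


def is_suspicious(rec):
    target = request_target(rec).lower()
    return any(p in target for p in BAD_PATTERNS)


def is_success(status):
    """The post's rule: alert only when the logged status is a 2xx."""
    return 200 <= int(status) < 300


def alerts(records):
    return [r for r in records if is_suspicious(r) and is_success(r["sc-status"])]


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, reason phrase, headers)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("ascii").split("\r\n")
    _version, code, reason = status_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), reason, headers


def log_matches_wire(rec, wire_code):
    """True when sc-status agrees with the status actually sent to the client."""
    return int(rec["sc-status"]) == wire_code


if __name__ == "__main__":
    recs = parse_w3c(IIS_LOG)
    for hit in alerts(recs):
        print("ALERT: %s -> logged %s" % (request_target(hit), hit["sc-status"]))
    code, reason, hdrs = parse_response(RAW_RESPONSE)
    print("wire: %d %s, X-dotDefender-denied=%s"
          % (code, reason, hdrs.get("x-dotdefender-denied")))
    print("log agrees with wire for first record:", log_matches_wire(recs[0], code))
```

Run against the sample, only the first record raises an alert: it matches the traversal pattern and is logged as 200, exactly the false positive the post describes, while the correctly logged 302 denial in the third record is silently ignored. The reconciliation step is the check worth keeping around: if your WAF sits in-process with IIS, capture a blocked request on the wire once and confirm the logged sc-status agrees, because the log monitor can only be as accurate as the status code the server writes.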

This behavior by dotDefender is completely wrong.  I’m guessing it’s likely a bug: they probably don’t have dotDefender reporting the status code correctly back into IIS.  I’d troubleshoot and fix it myself if I had access to the source code.  However, the application is proprietary, so my hands are tied in that regard.  I have opened a support ticket with the vendor, AppliCure.  I’ll provide an update when I get more information from them.

Update #1 (Tue Feb  9 11:02:14 EST 2010):

AppliCure has confirmed that the issue is reproducible in their lab.  I actually have a ticket number now.  Exciting!

Update #2 (Tue Mar  2 09:57:40 EST 2010):

Well, I haven’t heard any news from AppliCure support on my ticket in a long time now.  I decided to contact support through the Online Support Chat widget, since for some reason I never receive any emails from their support department.  They tell me that they are still investigating the issue and hope to have a fix in the next release.  The next release?  They can’t give me a fix for it?  Ouch.  They will call me to let me know when the next release is available and whether it contains the fix.
