I work with an IIS server that has an application firewall called dotDefender. This host also has a HIDS (Host Based Intrusion Detection System) called OSSEC, which, by the way, I highly recommend; it is an excellent open source software package. One of the functions of OSSEC is to monitor the IIS logs looking for URL requests that match a pattern of potentially bad requests. Once it spots one of these requests, it checks the HTTP result code. If the result code is a success type, then OSSEC will generate an alert. However, if the result code indicates that the request was not successful, then no alert will be generated.
I have been receiving many alerts from this web server about bad requests that have resulted in success. To test exactly what was happening, I manually recreated the request the client makes to the server (by hand, over telnet) to see what it responds with.
Trying 192.168.254.30...
Connected to www.mywebserver.com.
Escape character is '^]'.
GET /examples/jsp/source.jsp?%2e%2e/%2e%2e/%2e%2e/%2e%2e/system/autoexec.ncf HTTP/1.1
Host: www.mywebserver.com

HTTP/1.1 302 Denied
Connection: close
Date: Mon, 08 Feb 2010 14:49:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-dotDefender-denied: 1
Location: https://www.mywebserver.com/InvalidRequest.html
Content-Type: text/html

<html></html>Connection closed by foreign host.
Well, that looks good. The client was given a 302 response with the reason phrase ‘Denied’ (and a redirect to the InvalidRequest.html page). Nice! But what got logged by IIS for the transaction?
2010-02-08 14:49:09 W3SVC1 www 192.168.254.30 GET /examples/jsp/source.jsp %2e%2e/%2e%2e/%2e%2e/%2e%2e/system/autoexec.ncf 80 - 192.168.254.1 HTTP/1.1 - - - www.mywebserver.com 200 0 0 247 112 5125
Wowzers! For some reason IIS has logged status code 200, ‘OK’, for that transaction. This makes it look like that nasty URL has succeeded. As a result OSSEC does its job and alerts me about it.
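To make the mismatch concrete, here is an added example (my illustration, not code from the original post, from OSSEC or from dotDefender) that parses the IIS log line above, applies the rule described at the top of the post (bad-looking URL plus a 2xx logged status), and compares the logged status with the status the telnet probe actually received. The field order is assumed from IIS 6's default W3C extended logging, since the log excerpt carries no #Fields header.

```python
import re
from urllib.parse import unquote

# Field order assumed from IIS 6 default W3C extended logging; the post's log
# excerpt carries no #Fields header, so this mapping is an assumption.
W3C_FIELDS = ("date time s-sitename s-computername s-ip cs-method cs-uri-stem "
              "cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) "
              "cs(Cookie) cs(Referer) cs-host sc-status sc-substatus "
              "sc-win32-status sc-bytes cs-bytes time-taken").split()

# Decoded-URL pattern of the kind a HIDS flags: a directory traversal sequence.
TRAVERSAL = re.compile(r"\.\.[/\\]")

# The IIS log line and the response headers from the post, verbatim.
LOG_LINE = ("2010-02-08 14:49:09 W3SVC1 www 192.168.254.30 GET "
            "/examples/jsp/source.jsp %2e%2e/%2e%2e/%2e%2e/%2e%2e/system/autoexec.ncf "
            "80 - 192.168.254.1 HTTP/1.1 - - - www.mywebserver.com 200 0 0 247 112 5125")
PROBE_RESPONSE = ("HTTP/1.1 302 Denied\r\nConnection: close\r\n"
                  "X-dotDefender-denied: 1\r\n"
                  "Location: https://www.mywebserver.com/InvalidRequest.html\r\n\r\n")

def parse_w3c(line):
    """Split one W3C extended log line into a dict keyed by field name."""
    parts = line.split(" ")
    if len(parts) != len(W3C_FIELDS):
        raise ValueError(f"expected {len(W3C_FIELDS)} fields, got {len(parts)}")
    return dict(zip(W3C_FIELDS, parts))

def hids_alert(entry):
    """The rule the post describes: bad-looking URL *and* a 2xx logged status."""
    url = unquote(entry["cs-uri-stem"] + "?" + entry["cs-uri-query"])
    looks_bad = TRAVERSAL.search(url) is not None
    succeeded = 200 <= int(entry["sc-status"]) < 300
    return looks_bad and succeeded

def probe_status(raw_response):
    """Status code the client actually received, taken from the HTTP status line."""
    return int(raw_response.split("\r\n", 1)[0].split(" ")[1])

def status_mismatch(entry, raw_response):
    """True when the WAF told the client one thing and IIS logged another."""
    return int(entry["sc-status"]) != probe_status(raw_response)

if __name__ == "__main__":
    entry = parse_w3c(LOG_LINE)
    print("OSSEC-style alert fires:", hids_alert(entry))                # True
    print("logged:", entry["sc-status"], "probe saw:", probe_status(PROBE_RESPONSE))
    print("WAF/log mismatch:", status_mismatch(entry, PROBE_RESPONSE))  # True
```

Swapping the logged 200 for the 302 the client really got makes both the alert and the mismatch go away, which is the behaviour the HIDS rule relies on.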
This behavior by dotDefender is completely wrong. I’m guessing it’s likely a bug. They probably don’t have dotDefender reporting the status code correctly into IIS. I’d troubleshoot and fix it myself if I had access to the source code. However, the application is proprietary, so my hands are tied in that regard. I have opened a support ticket with the provider, AppliCure. I’ll provide an update when I get more information from them.
Update #1 (Tue Feb 9 11:02:14 EST 2010):
AppliCure has confirmed that the issue is reproducible in their lab. I actually have a ticket number now. Exciting!
Update #2 (Tue Mar 2 09:57:40 EST 2010):
Well, I haven’t heard any news from AppliCure support on my ticket in a long time now. I decided to contact support through the Online Support Chat widget. For some reason, I never receive any emails from their support department. They tell me that they are still investigating the issue. They hope to have a fix in the next release. The next release? They can’t give me a fix for it? Ouch. They will call me to let me know when the next release is available and if it contains the fix.