dotDefender putting wrong result code in IIS log.

February 8, 2010 at 11:38 am (Technology, windows) (, , )

I work with a IIS server that has a application firewall called dotDefender.  This host also has a HIDS (Host Based Intrusion Detection System) called OSSEC.  Which, by the way, I highly recommend, it is an excellent open source software package.  One of the functions of OSSEC is to monitor the IIS logs looking for URL requests that match a pattern of potentially bad requests.  Once it spots one of these requests, it checks the HTTP result code.  If the result code is a success type, then OSSEC will generate an alert.  However, if the result code indicates that there was not success, then no alert will be generated.

I have been receiving many alerts from this web server about bad requests that have resulted in success.  To test exactly what was happening I manually recreated the process that the client makes connecting to the server to see what it responds with.

Trying 192.168.254.30...
Connected to www.mywebserver.com.
Escape character is '^]'.
GET /examples/jsp/source.jsp?%2e%2e/%2e%2e/%2e%2e/%2e%2e/system/autoexec.ncf HTTP/1.1
Host: www.mywebserver.com

HTTP/1.1 302 Denied
Connection: close
Date: Mon, 08 Feb 2010 14:49:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-dotDefender-denied: 1
Location: https://www.mywebserver.com/InvalidRequest.html
Content-Type: text/html

<html></html>Connection closed by foreign host.

Well, that looks good.  The client was given a error 302 which is ‘denied’.  Nice!  But what got logged by IIS for the transaction?

2010-02-08 14:49:09 W3SVC1 www 192.168.254.30 GET /examples/jsp/source.jsp %2e%2e/%2e%2e/%2e%2e/%2e%2e/system/autoexec.ncf 80 - 192.168.254.1 HTTP/1.1 - - - www.mywebserver.com 200 0 0 247 112 5125

Wowzers!  For some reason IIS has logged status code 200, ‘OK’, for that transaction.  This makes it look like that nasty URL has succeeded.  As a result OSSEC does it’s job and alerts me about that.

This behavior by dotDefender is completely wrong.  I’m guessing it’s likely a bug.  They probably don’t have dotDefender reporting the status code correctly into ISS.  I’d trouble shoot and fix it myself if I had access to the source code.  However, the application is proprietary so my hands are tied in that regard.  I have opened a support ticket with the provider AppliCure.  I’ll provide an update when I get more information from them.

Update #1 (Tue Feb  9 11:02:14 EST 2010):

AppliCure has confirmed that the issue is reproducible in their lab.  I actually have a ticket number now.  Exciting!

Update #2 (Tue Mar  2 09:57:40 EST 2010):

Well, I haven’t heard any news from AppliCure support on my ticket in a long time now.  I decided to contact support through the Online Support Chat widget.  For some reason, I never receive any emails from their support department.  They tell me that they are still investigating the issue.  They hope to have a fix in the next release.  The next release?  They can’t give me a fix for it?  Ouch.  They will call me to let me know when the next release is available and if it contains the fix.

Advertisements

Permalink 3 Comments