The STATE.HTTP Micro-Engine
The STATE.HTTP micro-engine encompasses the 3000 and 5000 series signatures; approximately 415 signatures are covered by this micro-engine. The STATE.HTTP micro-engine is especially useful if you are running a web server on nonstandard HTTP ports, because the engine only inspects traffic to the ports listed in its ServicePorts parameter. Use Configuration | Sensing Engine | Signature Configuration | STATE.HTTP Service Ports in IDM to add those ports (see Figure 7.15). In SigWizMenu, choose option 14 to configure the parameters for this engine. For all the configuration parameters of this engine, refer to Table 7.9. Examples of some of these signatures are:
- 3221-WWW cgi-viewsource Attack: fires when someone attempts to use the cgi-viewsource script to view files above the HTTP root directory.
- 3222-WWW PHP Log Scripts Read Attack: fires when someone attempts to use the PHP scripts mlog or mylog to view files on a machine.
- 3223-WWW IRIX cgi-handler Attack: fires when someone attempts to use the cgi-handler script to execute commands.
- 3224-HTTP WebGais: fires when someone attempts to use the webgais script to run arbitrary commands.
- 3225-WWW websendmail File Access: fires when unauthorized attempts are made to read a file using the websendmail CGI program.
- 3226-WWW Webdist Bug: fires when attempts are made to use the webdist program. False positive alarms will fire from legitimate use of the webdist program.
- 3227-WWW Htmlscript Bug: fires when attempts are made to view files above the HTML root directory.
- 3228-WWW Performer Bug: fires when attempts are made to view files above the HTML root directory.
- 3229-Website Win-C-Sample Buffer Overflow: fires when attempts are made to access the win-c-sample program in the WebSite server distribution. Testing new WebSite servers or upgrades using the win-c-sample program can cause false positives. This script is for testing purposes and should be removed from production servers.
- 3230-Website Uploader: fires when attempts are made to access the uploader program in the WebSite server distribution.
For a full list of all of these signatures, refer to Appendix A.
Table 7.9: STATE.HTTP Parameters

| Parameter | Data Type | Protected | Required | Description |
| Master parameters | | | | Refer to Table 7.1 for the master parameters. |
| ArgNameRegex | String | Yes | No | Regular expression searched against the HTTP Arguments field. |
| ArgValueRegex | String | Yes | No | Regular expression searched against the HTTP Arguments field after ArgNameRegex has matched. You have to define ArgNameRegex for this match to work. It is an ordered match: the value is searched only after the point at which the argument name matched. |
| Deobfuscate | Boolean (True/False) | No | No | Apply anti-evasion deobfuscation (decoding of the request) before the regular expressions are searched. |
| Direction | Enum (ToService, FromService) | Yes | No | Indicates the direction in which the sensor watches traffic at the service port: toward the service or from the service. |
| HeaderRegex | String | Yes | No | Regular expression searched within the HTTP Header field. |
| MaxArgFieldLength | Number | No | No | Maximum length of the Arguments field. |
| MaxHeaderFieldLength | Number | No | No | Maximum length of the Header field. |
| MaxRequestFieldLength | Number | No | No | Maximum length of the Request field. |
| MaxUriFieldLength | Number | No | No | Maximum length of the URI field. |
| ServicePorts | Set | No | No | Comma-separated list of ports or port ranges where the service resides. |
| UriRegex | String | Yes | No | Regular expression searched within the HTTP URI field. |
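The following Python model shows how the Table 7.9 parameters combine when a request is inspected: ServicePorts gates whether the request is looked at, Deobfuscate normalises the fields before the regexes run, ArgValueRegex is searched only after ArgNameRegex has matched (the ordered match), and the Max*FieldLength limits fire on their own. It is an added example written for this page, not Cisco's engine code or the real definition of signature 3221; the signature IDs 20001/20002, the regexes, the "all configured regexes must match" rule and the sample requests are this example's own assumptions. It goes a little beyond the table by showing the evasion that Deobfuscate exists to defeat: the same directory-traversal request percent-encoded.

```python
import re
from dataclasses import dataclass, field, replace
from typing import Optional, Set
from urllib.parse import unquote


@dataclass
class HttpSignature:
    """Hypothetical STATE.HTTP-style custom signature (assumption: the matching
    rules modelled below follow Table 7.9's descriptions, not Cisco's code)."""
    sig_id: int
    name: str
    service_ports: Set[int] = field(default_factory=lambda: {80})
    uri_regex: Optional[str] = None
    arg_name_regex: Optional[str] = None
    arg_value_regex: Optional[str] = None
    header_regex: Optional[str] = None
    deobfuscate: bool = False
    max_uri_field_length: Optional[int] = None
    max_arg_field_length: Optional[int] = None
    max_header_field_length: Optional[int] = None


def split_request(raw: str):
    """Split a raw request into the (uri, args, header) fields that UriRegex,
    ArgNameRegex/ArgValueRegex and HeaderRegex are searched against."""
    request_line, _, header = raw.partition("\r\n")
    parts = request_line.split(" ")
    target = parts[1] if len(parts) > 1 else ""
    uri, _, args = target.partition("?")
    return uri, args, header


def deobfuscate(text: str) -> str:
    """Anti-evasion normalisation: undo percent-encoding until stable, so that
    %2e%2e/ and the double-encoded %252e%252e/ both become ../ before matching."""
    previous = None
    while previous != text:
        previous, text = text, unquote(text)
    return text


def evaluate(sig: HttpSignature, dst_port: int, raw: str) -> bool:
    """Return True if the signature fires on a request sent to dst_port."""
    if dst_port not in sig.service_ports:           # ServicePorts gates inspection
        return False
    uri, args, header = split_request(raw)
    if sig.deobfuscate:
        uri, args, header = map(deobfuscate, (uri, args, header))

    # Max*FieldLength: an over-long field fires regardless of the regexes
    for limit, value in ((sig.max_uri_field_length, uri),
                         (sig.max_arg_field_length, args),
                         (sig.max_header_field_length, header)):
        if limit is not None and len(value) > limit:
            return True

    # Regex parameters: assumption here is that every configured regex must match
    checks = []
    if sig.uri_regex is not None:
        checks.append(re.search(sig.uri_regex, uri) is not None)
    if sig.header_regex is not None:
        checks.append(re.search(sig.header_regex, header) is not None)
    if sig.arg_name_regex is not None:
        name_match = re.search(sig.arg_name_regex, args)
        checks.append(name_match is not None)
        # Ordered match: ArgValueRegex is only searched after the ArgNameRegex hit;
        # without ArgNameRegex it is never consulted, as Table 7.9 states
        if name_match is not None and sig.arg_value_regex is not None:
            rest = args[name_match.end():]
            checks.append(re.search(sig.arg_value_regex, rest) is not None)
    return bool(checks) and all(checks)


# Hypothetical custom signatures (not the real 3221 or any 5000-series definition)
TRAVERSAL_SIG = HttpSignature(
    sig_id=20001, name="Custom cgi-viewsource traversal",
    uri_regex=r"cgi-viewsource", arg_name_regex=r"file=",
    arg_value_regex=r"\.\.[/\\]", deobfuscate=True)
TRAVERSAL_NO_DEOB = replace(TRAVERSAL_SIG, deobfuscate=False)
LONG_URI_SIG = HttpSignature(sig_id=20002, name="Custom long URI",
                             max_uri_field_length=1024)

# Constructed sample requests (not captured traffic)
HOST = "Host: www.example.com\r\n\r\n"
PLAIN = "GET /cgi-bin/cgi-viewsource?file=../../etc/passwd HTTP/1.0\r\n" + HOST
ENCODED = "GET /cgi-bin/cgi-viewsource?file=%2e%2e/%2e%2e/etc/passwd HTTP/1.0\r\n" + HOST
BENIGN = "GET /index.html HTTP/1.0\r\n" + HOST
LONG = "GET /" + "A" * 2000 + " HTTP/1.0\r\n" + HOST


def demo() -> dict:
    """Run each sample through the signatures and return which ones fire."""
    return {
        "plain_80": evaluate(TRAVERSAL_SIG, 80, PLAIN),
        "encoded_80": evaluate(TRAVERSAL_SIG, 80, ENCODED),        # caught after decoding
        "encoded_no_deob": evaluate(TRAVERSAL_NO_DEOB, 80, ENCODED),  # evasion succeeds
        "plain_8080": evaluate(TRAVERSAL_SIG, 8080, PLAIN),         # port not inspected
        "plain_8080_added": evaluate(replace(TRAVERSAL_SIG, service_ports={80, 8080}), 8080, PLAIN),
        "benign": evaluate(TRAVERSAL_SIG, 80, BENIGN),
        "long_uri": evaluate(LONG_URI_SIG, 80, LONG),
    }


if __name__ == "__main__":
    for case, fired in demo().items():
        print(f"{case:18} fired={fired}")
```

The two results worth noting are `encoded_no_deob` and `plain_8080`: with Deobfuscate off, the percent-encoded traversal slips past a regex written for `../`, and a server on 8080 is not inspected at all until that port is added to ServicePorts, which is exactly the configuration step the section describes.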