dotax
Level 9
Message 1 of 3

Web Server replied traffic triggered attack

Hi all,

Our IPS is placed behind a Linux web server for the main purpose of protecting the web server from incoming threats. However, we somehow saw that the web server's reply traffic to clients triggers IPS alerts, most of them HTTP-related attacks such as "HTTP: Microsoft Windows HTTP Services Integer Underflow Vulnerability".

By analyzing the attack log details below, we are quite sure it is web server reply traffic:

Source : Web Server IP

Port : 80

Destination : Client IP

Port : <some random port more than 1024>

We are quite unsure how we should handle this situation, given that outgoing web reply traffic should not have a security impact on our web server, unlike incoming web request traffic.

Plus, the reply traffic triggers Windows-based attacks, but our web server is Linux-based.

Hope to get some recommendations from here.

Thank you.

2 Replies
petermason
Reliable Contributor
Message 2 of 3

Re: Web Server replied traffic triggered attack

Hi Dotax,

Unless you have integrated your NSM with ePO, it will not be able to determine what OS the source is running.

You should follow the process described in KB55743 to report this to the support team.

How to submit Network Security Platform false positives and incorrect detections to Technical Support

https://kc.mcafee.com/agent/index?page=content&id=KB55743

It may just be triggering on traffic that could be vulnerable to these attacks.

Peter

d_aloy
Reliable Contributor
Message 3 of 3

Re: Web Server replied traffic triggered attack

Hi Dotax,

This signature requires HTTP response to be enabled on the sensor in order to trigger. If you look at the attack description, there are 2 signatures:

Signature#1

condition 1

http-rsp-chunk-read-body-length > 0x80000000 ( unsigned )

Signature#2

condition 1

http-req-user-agent-header matches "WinHTTP" ( case-sensitive )

[AND] http-rsp-header matches "\x0a\x50\x6f\x43\x0d\x0a" ( case-sensitive )

[AND] http-rsp-header matches "\x66\x66\x63\x30\x30\x30" ( case-sensitive )

If you look at the triggered alerts, it should tell you which signature is triggering - and I am guessing it is sig#1, as it is just looking at the response body length.

If that is the case, then you should be able to tune out the signature for the specific Linux web servers, either using policies or ignore rules.

HTH.

Regards

David
