2 Replies Latest reply on Mar 20, 2014 9:20 AM by 4nsicguy

    Same URL has two different categories?

    4nsicguy

      Hey All,

       

      Came across a host going to the same URL multiple times throughout the day and found MWG has two separate categories (Malicious Sites/Unknown). The only difference I am seeing is the HTTP response (403 and 407 (authentication required)), and the request with the unknown category did not have a user associated with the request. Site doesn't appear to be malicious via VT, just thought it was strange. Does anyone know the reason for this, or is anyone experiencing the same issue?

       

      URL: hzzp://logs[.]spilgames[.]com/lg/pb/1/ut/

        • 1. Re: Same URL has two different categories?
          sroering

          You should see that the 403/407 are always followed by the same request that includes a category and username.  What you are seeing is the first request is unauthenticated, and the client is redirected for authentication before doing categorization.  So the first request won't have a username or a category.  After being authenticated, they are redirected back to the original URL and your normal policy would be applied, including categorization.

           

          For this reason, Web Reporter and CSR both drop 403/407 requests during log parsing.

          • 2. Re: Same URL has two different categories?
            4nsicguy

            Thank you very much for your quick response. Your information was very helpful.
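
The log handling described in reply 1, as an added example that is not part of the original thread and not MWG, Web Reporter or CSR code: it drops unauthenticated 403/407 records and reports any that were never followed by an authenticated request for the same URL from the same client. The comma-separated layout, field names, sample records, `example.test` URLs and the 60-second pairing window are all assumptions made for the illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample records; this is NOT the real MWG access-log layout.
# Columns: timestamp, client IP, user, HTTP status, category, URL
SAMPLE_LOG = """\
2014-03-20T09:00:01,10.0.0.5,-,407,Unknown,http://example.test/lg/pb/1/ut/
2014-03-20T09:00:02,10.0.0.5,jdoe,403,Malicious Sites,http://example.test/lg/pb/1/ut/
2014-03-20T09:05:00,10.0.0.9,-,407,Unknown,http://example.test/other/
2014-03-20T09:06:00,10.0.0.7,asmith,200,Games,http://example.test/other/
"""

FIELDS = ["ts", "client", "user", "status", "category", "url"]
AUTH_STATUSES = {"403", "407"}  # the two status codes named in the thread


def parse(text):
    """Parse the constructed CSV layout into time-ordered records."""
    rows = list(csv.DictReader(io.StringIO(text), fieldnames=FIELDS))
    for row in rows:
        row["ts"] = datetime.fromisoformat(row["ts"])
    return sorted(rows, key=lambda r: r["ts"])


def is_challenge(row):
    """Pre-authentication record: 403/407 with no username attached."""
    return row["status"] in AUTH_STATUSES and row["user"] in ("", "-")


def split_challenges(rows, window=timedelta(seconds=60)):
    """Return (kept, orphans).

    kept    -> records that carry a real policy decision (user + category).
    orphans -> challenges with no authenticated follow-up for the same
               client and URL inside the window (assumed value), which is
               the case worth a second look.
    """
    kept = [r for r in rows if not is_challenge(r)]
    orphans = []
    for c in (r for r in rows if is_challenge(r)):
        followed = any(
            k["client"] == c["client"] and k["url"] == c["url"]
            and timedelta(0) <= k["ts"] - c["ts"] <= window
            for k in kept
        )
        if not followed:
            orphans.append(c)
    return kept, orphans
```

An authenticated 403 that carries a user and a category is kept, since it is the actual policy block rather than the authentication step.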