1 Reply Latest reply on Apr 29, 2015 3:22 AM by lnurmi

    bad signature - HTTP_SHS-Server-Version-Number-Disclosure

    jonlittleit


      Anyone get this signature, which is very noisy?

        • 1. Re: bad signature - HTTP_SHS-Server-Version-Number-Disclosure
          lnurmi

          Hi,

           

          this situation is not logged by default in any inspection template. It's located inside the inspection policy in the Traffic Identification category, under Possibly Unwanted Content. So if you've manually set this situation or either of those situation categories to be inspected and/or logged, you may see this. The situation triggers if the HTTP response from the server includes a version number (digit followed by period followed by digit) in the "Server" or "X-Powered-By" header field. If there is traffic to such a server going through the firewall and you inspect and/or log this situation, you may see a lot of these situations. This situation was last updated in update package 566; if you have an older one installed, then to rule out false positives I recommend installing the latest package.

           

          The situation severity is low. The Server response-header field contains information about the software used by the origin server to handle the request. If the server includes a version number in the response header, it can be considered a harmful configuration disclosure when it clues an attacker in to potential vulnerabilities. If a server you administer is sending the HTTP responses which trigger this situation, it may be considered best practice to modify the server configuration so that it does not include the Apache/nginx/etc. version number in the header.

           

          If you are not interested in seeing these logs, then you can modify the inspection policy to not log this. In general, unless you have a specific need, I wouldn't recommend inspecting or logging the whole Traffic Identification category, as it can produce a great number of extra logs. Rather, the specific situations or subcategories that need to be inspected or logged should be enabled. Situations in the category are such that several of them may match the same packet (an HTTP client request, for example, might match HTTP_Client-Headers and HTTP_Request-GET and HTTP_Request-Version-1.1 and HTTP_CSH-Chrome-42.x-Browser-Usage and others). A huge amount of extra logging may even impact performance.

           

          BR,

          Lauri
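Added example, not part of the original thread or the vendor's signature code: a small Python check that approximates the match condition described in the reply above (digit, period, digit in the "Server" or "X-Powered-By" response header), so an administrator can confirm whether a server's responses would trigger the situation. The function name and the sample responses are constructed for illustration.

```python
import re

# Condition as described in the reply: a digit, a period, a digit.
# This is an approximation of the description, not the product's actual pattern.
VERSION_RE = re.compile(r"\d\.\d")
WATCHED = {"server", "x-powered-by"}  # header names are case-insensitive


def disclosing_headers(raw_response: bytes) -> list:
    """Return (name, value) pairs from the watched headers that carry a version number."""
    # Only the header block is inspected; the body is ignored.
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    hits = []
    for line in head.split("\r\n")[1:]:  # skip the status line ("HTTP/1.1 ...")
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed header line, nothing to check
        if name.strip().lower() in WATCHED and VERSION_RE.search(value):
            hits.append((name.strip(), value.strip()))
    return hits


# Constructed sample responses (not captured traffic).
NOISY = (b"HTTP/1.1 200 OK\r\n"
         b"Server: Apache/2.4.10 (Debian)\r\n"
         b"x-powered-by: PHP/5.6.7\r\n"
         b"Content-Type: text/html\r\n\r\n<html>1.0</html>")
QUIET = (b"HTTP/1.1 200 OK\r\n"
         b"Server: Apache\r\n"
         b"Via: 1.1 proxy.example\r\n\r\n")

if __name__ == "__main__":
    for label, resp in (("noisy", NOISY), ("quiet", QUIET)):
        print(label, disclosing_headers(resp))
```

Apache's `ServerTokens Prod` and nginx's `server_tokens off` yield Server values of the quiet form, and PHP's `expose_php = Off` removes the X-Powered-By header.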