[Logwatch-Devel] http filter

Paweł Gołaszewski blues@ds.pg.gda.pl
Sun, 7 Dec 2003 13:56:06 +0100 (CET)


On Sat, 6 Dec 2003, Michael Romeo wrote:
> Sorry to hear that.

Don't take it personally :)
It produces a lot of useless information for me. Only that.

> Fortunately logwatch is configurable so you can stop it from running if
> it doesn't meet your needs.

Sure, I know that. But I'm using it to get useful info :)

I can fix some things to fit my needs, but first I want to ask what ideas
you have...

> I wrote it for myself and my site is low volume,

Well... on my small sites it is really nice. You're right...

> not to much interest in amateur built helicopters, and sent it to Kirk
> hoping that other people might find it useful. Yes, the first one should
> be fixed, probably an anonymous hash to count the responses by code.

It could be that...

> You can update $content_types in the initialization section to add the
> suffixes that are content and they will stop being reported as other,  I
> don't pretend that I covered all of the possible content that is served out
> there.

I was just wondering if you left out many common suffixes intentionally
or by accident.

> There was a patch just after the release that stopped the dumping of the
> other requests using a config option ( check out the current CVS
> version).

Nothing like that is present in CVS. Pity.

> Content type identification is a variable now and probably should be
> some type of config file/option in the future.

No, this should be only "rescue option", not base functionality...

> Those lines aren't JUST being reported as exploits because the response
> is less than 400.  Response 302 = found.

No, it's not Found. Moved.

> I don't know what happens on your server when it returns a 302 but it
> implies that something happened other than an error.

From RFC 1945:

       Status-Code    = "200"   ; OK
                      | "201"   ; Created
                      | "202"   ; Accepted
                      | "204"   ; No Content
                      | "301"   ; Moved Permanently
                      | "302"   ; Moved Temporarily
                      | "304"   ; Not Modified
                      | "400"   ; Bad Request
                      | "401"   ; Unauthorized
                      | "403"   ; Forbidden
                      | "404"   ; Not Found
                      | "500"   ; Internal Server Error
                      | "501"   ; Not Implemented
                      | "502"   ; Bad Gateway
                      | "503"   ; Service Unavailable
                      | extension-code

And from 2068:

          Status-Code    = "100"   ; Continue
                         | "101"   ; Switching Protocols
                         | "200"   ; OK
                         | "201"   ; Created
                         | "202"   ; Accepted
                         | "203"   ; Non-Authoritative Information
                         | "204"   ; No Content
                         | "205"   ; Reset Content
                         | "206"   ; Partial Content
                         | "300"   ; Multiple Choices
                         | "301"   ; Moved Permanently
                         | "302"   ; Moved Temporarily
                         | "303"   ; See Other
                         | "304"   ; Not Modified
                         | "305"   ; Use Proxy
                         | "400"   ; Bad Request
                         | "401"   ; Unauthorized
                         | "402"   ; Payment Required
                         | "403"   ; Forbidden
                         | "404"   ; Not Found
                         | "405"   ; Method Not Allowed
                         | "406"   ; Not Acceptable
                         | "407"   ; Proxy Authentication Required
                         | "408"   ; Request Time-out
                         | "409"   ; Conflict
                         | "410"   ; Gone
                         | "411"   ; Length Required
                         | "412"   ; Precondition Failed
                         | "413"   ; Request Entity Too Large
                         | "414"   ; Request-URI Too Large
                         | "415"   ; Unsupported Media Type
                         | "500"   ; Internal Server Error
                         | "501"   ; Not Implemented
                         | "502"   ; Bad Gateway
                         | "503"   ; Service Unavailable
                         | "504"   ; Gateway Time-out
                         | "505"   ; HTTP Version not supported
                         | extension-code

These are constant things. How to put them into logwatch?

> All that said, I won't have time to work on the script until after the
> holidays.

Sorry to hear that.

I'll try to fight with that...

-------------------------------------------------------------------------
> 
> I really don't like this filter... :(
> 
> Why to report in this form?:
>    GET /wpad.dat HTTP/1.0 with response code(s) 200 200 200 200 200 200 
> 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200  200 
> 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 
> 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 
> 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 
> 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 
> 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 
> 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 
> 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 
> 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 
> 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 
> 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 
> 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 
> 200 200 200 200 200 200 200 200 200 200 200 200 200 200
> ..... and many, many more "200" (~1k lines...).
> There is no point to that. Something like that might be reported in
> detail=high.
> Many of the entries reported are pointless - I've got FTP content on HTTP and
> there are many direct calls for files (mostly *.exe and *.zip, sometimes
> *.doc).
> 
> 
> Next thing - these entries should be treated as use of well-known hacks:
> !!!! 13 possible successful probes 
>  
> /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
> HTTP Response 302
> /d/winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  
> /c/winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  
> /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  
> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  
> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
> HTTP Response 302 
> /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  
> /scripts/root.exe?/c+dir HTTP Response 302 
>  
> /MSADC/root.exe?/c+dir HTTP Response 302 
>  
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
> HTTP Response 302
> 

-- 
pozdr.  Paweł Gołaszewski 
---------------------------------
worth seeing: http://www.againsttcpa.com/
CPU not found - software emulation...
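As an added illustration (this is not logwatch's own Perl filter and not code from anyone in the thread), the standalone Python script below does the three things argued for above: it counts response codes per request instead of printing one "200" per hit, it keeps the RFC 2068 status table as a constant rather than a config option, and it flags the quoted cmd.exe/root.exe probes by their encoded traversal patterns rather than by whether the response was below 400. The log lines, the content-suffix list and the probe regex are constructed for the example.

```python
import os
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [06/Dec/2003:10:00:01 +0100] "GET /wpad.dat HTTP/1.0" 200 251 "-" "Mozilla/4.0"
10.0.0.6 - - [06/Dec/2003:10:00:02 +0100] "GET /wpad.dat HTTP/1.0" 200 251 "-" "Mozilla/4.0"
10.0.0.7 - - [06/Dec/2003:10:00:03 +0100] "GET /wpad.dat HTTP/1.0" 200 251 "-" "Mozilla/4.0"
10.0.0.8 - - [06/Dec/2003:10:00:04 +0100] "GET /wpad.dat HTTP/1.0" 404 209 "-" "Mozilla/4.0"
10.0.0.9 - - [06/Dec/2003:10:01:00 +0100] "GET /pub/tool.zip HTTP/1.1" 200 40960 "-" "Wget/1.8"
10.0.0.10 - - [06/Dec/2003:10:02:00 +0100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 0 "-" "-"
10.0.0.10 - - [06/Dec/2003:10:02:01 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 0 "-" "-"
10.0.0.10 - - [06/Dec/2003:10:02:02 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 "-" "-"
"""

# RFC 2068 reason phrases: a fixed table, since the codes do not change.
STATUS_PHRASES = {
    100: "Continue", 101: "Switching Protocols",
    200: "OK", 201: "Created", 202: "Accepted", 203: "Non-Authoritative Information",
    204: "No Content", 205: "Reset Content", 206: "Partial Content",
    300: "Multiple Choices", 301: "Moved Permanently", 302: "Moved Temporarily",
    303: "See Other", 304: "Not Modified", 305: "Use Proxy",
    400: "Bad Request", 401: "Unauthorized", 402: "Payment Required", 403: "Forbidden",
    404: "Not Found", 405: "Method Not Allowed", 406: "Not Acceptable",
    407: "Proxy Authentication Required", 408: "Request Time-out", 409: "Conflict",
    410: "Gone", 411: "Length Required", 412: "Precondition Failed",
    413: "Request Entity Too Large", 414: "Request-URI Too Large", 415: "Unsupported Media Type",
    500: "Internal Server Error", 501: "Not Implemented", 502: "Bad Gateway",
    503: "Service Unavailable", 504: "Gateway Time-out", 505: "HTTP Version not supported",
}

# Assumed list of suffixes that count as ordinary content (exe/zip/doc because the
# thread mentions an FTP tree served over HTTP); anything else is reported as "other".
CONTENT_SUFFIXES = {".html", ".htm", ".gif", ".jpg", ".png", ".css", ".exe", ".zip", ".doc"}

# Targets and encoded traversal sequences taken from the probes quoted in the thread.
PROBE_RE = re.compile(r"(cmd\.exe|root\.exe|%c0%af|%c1%1c|%c1%9c|%255c|%252f|%25%35%63)", re.I)

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>\S+))?" (?P<code>\d{3}) ')


def describe(code: int) -> str:
    """'302 Moved Temporarily' from the fixed table, 'extension-code' for unknown codes."""
    return f"{code} {STATUS_PHRASES.get(code, 'extension-code')}"


def is_known_probe(path: str) -> bool:
    """Match the raw path, and also the double-decoded path so that '..%255c..'
    (which decodes to '..\\..') is caught by a pattern written for the decoded form."""
    decoded = unquote(unquote(path))
    return bool(PROBE_RE.search(path) or
                re.search(r"\.\.[\\/].*(cmd\.exe|root\.exe)", decoded, re.I))


def parse(line: str):
    """Return (method, path, status) for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("method"), m.group("path"), int(m.group("code"))


def summarize(log_text: str) -> dict:
    by_request = defaultdict(Counter)   # (method, path) -> Counter{status: hits}
    other = Counter()                   # paths whose suffix is not known content
    probes = []                         # (path, status) for known attack patterns
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        method, path, code = parsed
        by_request[(method, path)][code] += 1
        if is_known_probe(path):        # flagged by pattern, whatever the status
            probes.append((path, code))
            continue                    # a probe is reported once, not again as "other"
        suffix = os.path.splitext(path.split("?", 1)[0])[1].lower()
        if suffix not in CONTENT_SUFFIXES:
            other[path] += 1
    return {"by_request": dict(by_request), "other": other, "probes": probes}


def report(summary: dict) -> str:
    """One line per request with a count per status, instead of one '200' per hit."""
    lines = []
    for (method, path), codes in sorted(summary["by_request"].items()):
        counts = ", ".join(f"{describe(c)} x{n}" for c, n in sorted(codes.items()))
        lines.append(f"{method} {path}: {counts}")
    if summary["probes"]:
        lines.append(f"{len(summary['probes'])} well-known probe(s), matched by pattern:")
        lines.extend(f"   {path}  ({describe(code)})" for path, code in summary["probes"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

Run as-is and the wpad.dat hits collapse to a single line with "200 OK x3, 404 Not Found x1", tool.zip is not listed under "other", and all three cmd.exe/root.exe requests appear in the probe section with their status beside them, so a 302 is shown as the redirect it is rather than being read as proof of success.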