[Logwatch-Devel] http filter

Michael Romeo michaelromeo@mromeo.com
Sun, 7 Dec 2003 09:39:10 -0800


Hi,

I didn't take it personally, I do understand that it doesn't meet your
needs in its current form.

I didn't intentionally leave out anything, I just don't have the depth of
knowledge to cover all of the different content types.

Jeffery wrote the patch I was referring to; it is in the CVS.  It allows
you to set $ignore_error_hacks in the conf file.  If it is set then only
other records that are not known hacks with a response code less than 400
are listed.  It really doesn't address your needs until the content_types
is more robust, sorry.

I don't understand what you mean by "rescue option", why shouldn't the
script be configurable by site?  

I was using this definition from
http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

10.3.3 302 Found 

The requested resource resides temporarily under a different URI. Since the
redirection might be altered on occasion, the client SHOULD continue to use
the Request-URI for future requests. This response is only cacheable if
indicated by a Cache-Control or Expires header field. 
The temporary URI SHOULD be given by the Location field in the response.
Unless the request method was HEAD, the entity of the response SHOULD
contain a short hypertext note with a hyperlink to the new URI(s). 
If the 302 status code is received in response to a request other than GET
or HEAD, the user agent MUST NOT automatically redirect the request unless
it can be confirmed by the user, since this might change the conditions
under which the request was issued. 

It does truly mean moved temporarily even if the official definition is
found, but I still read this as your server sending a response to the probe
that says look here for what you asked for and presumably it returned a
valid response when it received a request for the new URI.

Thanks,
Mike
---------------------------------------------
michaelromeo_at_mromeo_dotcom_


-----Original Message-----
From: Paweł Gołaszewski [mailto:blues@ds.pg.gda.pl] 
Sent: Sunday, December 07, 2003 4:56 AM
To: Michael Romeo
Cc: Logwatch Devel List
Subject: RE: [Logwatch-Devel] http filter


On Sat, 6 Dec 2003, Michael Romeo wrote:
> Sorry to hear that.

Don't take it personally :)
It produces a lot of useless information for me. Only that.

> Fortunately logwatch is configurable so you can stop it from running if
> it doesn't meet your needs.

sure, I know that. But I'm using it to have useful info :)

I can fix some things to fit my needs, but I want first to ask what ideas 
you have...

> I wrote it for myself and my site is low volume,

well.. on my small sites it is really nice. You're right...

> not to much interest in amateur built helicopters, and sent it to Kirk
> hoping that other people might find it useful. Yes, the first one should
> be fixed, probably an anonymous hash to count the responses by code.

It could be that...

> You can update $content_types in the initialization section to add the
> suffixes that are content and they will stop being reported as other,  I
> don't pretend that I covered all of the possible content that is served out
> there.

I was just wondering if you have left many common suffixes intentionally 
or by accident.

> There was a patch just after the release that stopped the dumping of the
> other requests using a config option ( check out the current CVS
> version).

Nothing like that is present in cvs. Pity.

> Content type identification is a variable now and probably should be
> some type of config file/option in the future.

No, this should be only "rescue option", not base functionality...

> Those lines aren't JUST being reported as exploits because the response
> is less than 400.  Response 302 = found.

no, it's not found. Moved.

> I don't know what happens on your server when it returns a 302 but it
> implies that something happened other than an error.

From RFC 1945:

       Status-Code    = "200"   ; OK
                      | "201"   ; Created
                      | "202"   ; Accepted
                      | "204"   ; No Content
                      | "301"   ; Moved Permanently
                      | "302"   ; Moved Temporarily
                      | "304"   ; Not Modified
                      | "400"   ; Bad Request
                      | "401"   ; Unauthorized
                      | "403"   ; Forbidden
                      | "404"   ; Not Found
                      | "500"   ; Internal Server Error
                      | "501"   ; Not Implemented
                      | "502"   ; Bad Gateway
                      | "503"   ; Service Unavailable
                      | extension-code

And from 2068:

          Status-Code    = "100"   ; Continue
                         | "101"   ; Switching Protocols
                         | "200"   ; OK
                         | "201"   ; Created
                         | "202"   ; Accepted
                         | "203"   ; Non-Authoritative Information
                         | "204"   ; No Content
                         | "205"   ; Reset Content
                         | "206"   ; Partial Content
                         | "300"   ; Multiple Choices
                         | "301"   ; Moved Permanently
                         | "302"   ; Moved Temporarily
                         | "303"   ; See Other
                         | "304"   ; Not Modified
                         | "305"   ; Use Proxy
                         | "400"   ; Bad Request
                         | "401"   ; Unauthorized
                         | "402"   ; Payment Required
                         | "403"   ; Forbidden
                         | "404"   ; Not Found
                         | "405"   ; Method Not Allowed
                         | "406"   ; Not Acceptable
                         | "407"   ; Proxy Authentication Required
                         | "408"   ; Request Time-out
                         | "409"   ; Conflict
                         | "410"   ; Gone
                         | "411"   ; Length Required
                         | "412"   ; Precondition Failed
                         | "413"   ; Request Entity Too Large
                         | "414"   ; Request-URI Too Large
                         | "415"   ; Unsupported Media Type
                         | "500"   ; Internal Server Error
                         | "501"   ; Not Implemented
                         | "502"   ; Bad Gateway
                         | "503"   ; Service Unavailable
                         | "504"   ; Gateway Time-out
                         | "505"   ; HTTP Version not supported
                         | extension-code

These are constant things. How to put it into logwatch?

> All that said, I won't have time to work on the script until after the
> holidays.

Sorry to hear that.

I'll try to fight with that...

-------------------------------------------------------------------------
> 
> I really don't like this filter... :(
> 
> Why to report in this form?:
>    GET /wpad.dat HTTP/1.0 with response code(s) 200 200 200 200 200 200 
> 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200  200 
> 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 
> 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 
> 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 
> 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 
> 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 
> 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 
> 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 
> 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 
> 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 
> 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 
> 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 
> 200 200 200 200 200 200 200 200 200 200 200 200 200 200
> ..... and many, many more "200" (~1k lines...).
> There is no point in that. Something like that might be reported in 
> detail=high.
> Many entries are reported pointlessly - I've got ftp content on http and 
> there are many direct calls for files (mostly *.exe and *.zip, sometimes 
> *.doc).
> 
> 
> Next thing - these entries should be treated as use of well-known hacks:
> !!!! 13 possible successful probes 
>  
> /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir 
> HTTP Response 302 
> /d/winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  
> /c/winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  
> /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  
> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  
> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
> HTTP Response 302 
> /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  
> /scripts/root.exe?/c+dir HTTP Response 302 
>  
> /MSADC/root.exe?/c+dir HTTP Response 302 
>  
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP Response 302 
>  
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
> HTTP Response 302
> 

-- 
regards,  Paweł Gołaszewski 
---------------------------------
worth seeing: http://www.againsttcpa.com/
CPU not found - software emulation...
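As an added example, not code from Logwatch or from either author on this thread, here is a Python sketch of the filter logic argued about above: counting response codes per request with a hash instead of repeating "200" a thousand times, treating known content suffixes as ordinary traffic, flagging a well-known hack that drew a response below 400 as a "possible successful probe", and a switch modelled on my reading of the $ignore_error_hacks option. The log lines, the suffix list, the signature list and all function names are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed Apache-style access-log lines (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = """\
192.0.2.10 - - [06/Dec/2003:10:00:01 +0100] "GET /wpad.dat HTTP/1.0" 200 312
192.0.2.11 - - [06/Dec/2003:10:00:02 +0100] "GET /wpad.dat HTTP/1.0" 200 312
192.0.2.12 - - [06/Dec/2003:10:00:03 +0100] "GET /wpad.dat HTTP/1.0" 404 210
192.0.2.13 - - [06/Dec/2003:10:00:04 +0100] "GET /pub/tool.zip HTTP/1.1" 200 99812
192.0.2.14 - - [06/Dec/2003:10:00:05 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 0
192.0.2.15 - - [06/Dec/2003:10:00:06 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
"""
LOG_RE = re.compile(r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<code>\d{3})')
# Suffixes treated as served content (the thread's $content_types idea); extend per site.
CONTENT_TYPES = (".html", ".htm", ".gif", ".jpg", ".css", ".zip", ".exe", ".doc")
# Signatures of the well-known probes quoted in the thread, used here for detection only.
KNOWN_HACKS = re.compile(r"cmd\.exe|root\.exe|%255c|%c1%1c|%c1%9c|%c0%af|%252f", re.I)

def parse(line):
    """Return (method, uri, status) from one access-log line, or None if unparsable."""
    m = LOG_RE.search(line)
    return (m["method"], m["uri"], int(m["code"])) if m else None

def summarize(log_text, ignore_error_hacks=False):
    """Return (probes, other): probes are known hacks answered below 400 (possible
    successful probes); other maps "METHOD uri" to a Counter of status codes.
    Known hacks answered with >= 400 go to other unless ignore_error_hacks is set
    (my reading of the thread's $ignore_error_hacks); content suffixes are skipped."""
    probes, other = [], defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        method, uri, code = rec
        if KNOWN_HACKS.search(uri):
            if code < 400:
                probes.append((uri, code))
            elif not ignore_error_hacks:
                other[f"{method} {uri}"][code] += 1
        elif not uri.split("?", 1)[0].lower().endswith(CONTENT_TYPES):
            other[f"{method} {uri}"][code] += 1
    return probes, dict(other)

def format_other(other):
    """One report line per request, counting codes instead of repeating them."""
    return [f"{req} with response code(s) "
            + ", ".join(f"{c} x{n}" for c, n in sorted(v.items()))
            for req, v in sorted(other.items())]
```

Whether a 302 to a cmd.exe probe really means the attack worked still depends on what the redirect target served, which is the open question in the thread; the filter can only flag it for a human to check.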