
[ScreenOS] Critical event logs report several occurrences of attack object 'HTTP:APACHE:MODPHP-UPLOAD-HOF' while uploading changes to an HTTP server


Article ID: KB21526    KB Last Updated: 13 Oct 2011    Version: 2.0
Summary:
The DI attack object HTTP:APACHE:MODPHP-UPLOAD-HOF is of type 'Chain'. When it is in use (it is a member of the predefined attack group CRITICAL:HTTP:SIGS), the firewall writes critical event logs of the form:

HTTP:APACHE:MODPHP-UPLOAD-HOF has been detected from x.x.x.x/x to y.y.y.y/80 through policy <number> 1 times

In the attack database on the ScreenOS firewall (WebUI), no signature pattern is shown for the 'HTTP:APACHE:MODPHP-UPLOAD-HOF' attack object, so it is not obvious what traffic triggers it.


Symptoms:
In general, a DI attack object is one of three types:
  1. Signature
  2. Chain
  3. Anomaly
HTTP:APACHE:MODPHP-UPLOAD-HOF is a chain attack object.


Solution:
HTTP:APACHE:MODPHP-UPLOAD-HOF is a Chain, that is, an attack object made up of multiple member signatures; that is why no direct signature pattern is listed for this object in the WebUI.

In the CLI you can see the members of this chain and their signature patterns:
ssg5-v92-wlan-> get attack HTTP:APACHE:MODPHP-UPLOAD-HOF
ID: 2103468, CHAIN ATTACK "HTTP:APACHE:MODPHP-UPLOAD-HOF" is pre-defined. It has 2 members.
Name: "HTTP:APACHE:MODPHP-UPLOAD-HOF_1", Type: signature
Pattern: ".*\.\[php\]"
Context: stream
Severity: critical, Flow: control, Direction: cts, Service: HTTP
Status: active, pre-defined

Name: "HTTP:APACHE:MODPHP-UPLOAD-HOF_2", Type: signature
Pattern: ".*Content-Disposition:\s*form-data;\s*\[name\]=.*"
Context: stream
Severity: critical, Flow: control, Direction: cts, Service: HTTP
Status: active, pre-defined

Meaning of the above chain attack object:

A chain attack object combines multiple signatures and/or protocol anomalies into a single object. Traffic must match all of the combined signatures and/or protocol anomalies, within the same session, to match the chain attack object. For this chain, 'Context: stream' means each pattern is evaluated over the reassembled TCP stream rather than a single packet, and 'Direction: cts' means only client-to-server traffic is inspected. In ScreenOS signature syntax, \[php\] and \[name\] denote case-insensitive matches of 'php' and 'name', so member _1 matches any stream containing '.php' (in any case) and member _2 matches any multipart/form-data part header ('Content-Disposition: form-data; name='). Taken together, the chain fires on practically any browser file upload to a PHP page, which is why legitimate traffic can trigger it.

The following critical event log message is written each time the chain matches, which means both patterns defined above were found in the same client-to-server HTTP session. Several such entries (each reporting '1 times') indicate repeated uploads, not necessarily repeated attacks.
HTTP:APACHE:MODPHP-UPLOAD-HOF has been detected from x.x.x.x/x to y.y.y.y/80 through policy <number> 1 times
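To make the matching rule concrete, here is an added example (not code from this article or from Juniper) that evaluates the two member signatures listed above over constructed client-to-server HTTP streams the way a chain object does: the chain fires only when every member matches in the same stream. The translation of the ScreenOS \[text\] case-insensitive token into a Python (?i:text) group, the helper names and the sample requests are this example's own assumptions.

```python
import re

# Member signatures of the predefined chain, copied from the "get attack" output above.
# Assumption of this example: ScreenOS "\[text\]" is a case-insensitive match of "text",
# which we translate to the Python scoped-flag group "(?i:text)".
CHAIN_MEMBERS = {
    "HTTP:APACHE:MODPHP-UPLOAD-HOF_1": r".*\.\[php\]",
    "HTTP:APACHE:MODPHP-UPLOAD-HOF_2": r".*Content-Disposition:\s*form-data;\s*\[name\]=.*",
}


def screenos_to_python(pattern: str) -> re.Pattern:
    """Translate the ScreenOS \\[...\\] case-insensitive token into a Python regex."""
    translated = re.sub(r"\\\[(.*?)\\\]", r"(?i:\1)", pattern)
    # DOTALL so ".*" spans header/body line breaks, as a stream-context match would.
    return re.compile(translated, re.DOTALL)


def chain_matches(stream: bytes, members=CHAIN_MEMBERS) -> dict:
    """Evaluate each member over one client-to-server stream; returns {member: matched}."""
    text = stream.decode("latin-1")
    return {name: bool(screenos_to_python(pat).search(text)) for name, pat in members.items()}


def chain_fires(stream: bytes) -> bool:
    """A chain object matches only when all of its members match the same stream."""
    return all(chain_matches(stream).values())


# Constructed sample client-to-server streams (not captured traffic).
LEGIT_PHP_UPLOAD = (
    b"POST /upload.php HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Content-Type: multipart/form-data; boundary=----abc\r\n\r\n"
    b"------abc\r\nContent-Disposition: form-data; name=\"file\"; filename=\"report.pdf\"\r\n"
    b"Content-Type: application/pdf\r\n\r\n%PDF-1.4 ...\r\n------abc--\r\n"
)
# Same upload with the URL in upper case: still matches because \[php\] is case-insensitive.
UPPERCASE_PHP_UPLOAD = LEGIT_PHP_UPLOAD.replace(b"/upload.php", b"/UPLOAD.PHP")
# Same upload to a non-PHP endpoint: member _2 matches, member _1 does not, chain stays silent.
ASPX_UPLOAD = LEGIT_PHP_UPLOAD.replace(b"/upload.php", b"/upload.aspx")
# Plain GET of a PHP page: member _1 matches, member _2 does not, chain stays silent.
PHP_GET = b"GET /index.php HTTP/1.1\r\nHost: intranet.example\r\n\r\n"

if __name__ == "__main__":
    for label, stream in [("php upload", LEGIT_PHP_UPLOAD), ("PHP upload", UPPERCASE_PHP_UPLOAD),
                          ("aspx upload", ASPX_UPLOAD), ("php GET", PHP_GET)]:
        print(f"{label:12s} members={chain_matches(stream)} chain_fires={chain_fires(stream)}")
```

The two "silent" cases show what the event log does not tell you: a single member matching is never logged, so every log entry for this chain corresponds to a request that both targets a .php URL and carries a multipart form part, which in most environments is an ordinary file upload.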

If a customer believes that this chain triggers false positives for legitimate traffic, the natural fix would be to remove the chain object from the attack group that the policy references. Unfortunately, this chain object is, by design, a member of the predefined attack group 'CRITICAL:HTTP:SIGS'.

Predefined attack groups and predefined attack chains cannot be modified.

ssg5-v92-wlan-> get attack group CRITICAL:HTTP:SIGS
GROUP "CRITICAL:HTTP:SIGS" is pre-defined. It has the following members
ID Name Type Defined
1056852 HTTP:CISCO:SCANNER-PROBE signature pre-defined
3147294 HTTP:IIS:ISAPI-IDQ-OVERFLOW signature pre-defined
1050535 HTTP:CGI:WEBPALS-EXEC signature pre-defined
1050546 HTTP:CGI:WEBSPEED-WSMADMIN signature pre-defined
1050108 HTTP:APACHE:NOSEJOB signature pre-defined
1050109 HTTP:APACHE:SCALP signature pre-defined
1054218 HTTP:MISC:NOOP-SLIDE-HEAD-OF signature pre-defined
1053734 HTTP:CHKP:AUTH-FMT-STR signature pre-defined
2098761 HTTP:IIS:WEBDAV:SEARCH-OF signature pre-defined
2098762 HTTP:IIS:WEBDAV:COMMAND-OF signature pre-defined
1053001 HTTP:OVERFLOW:ATP-HTTPD-OF signature pre-defined
2101477 HTTP:MISC:NOOP-SLIDE-REQ-OF signature pre-defined
4202451 HTTP:STC:IMG:WMF-METASPLOIT signature pre-defined
4202452 HTTP:STC:IMG:WMF-METASPLOIT-GZ signature pre-defined
1057745 HTTP:STC:IMG:MAL-EMF-2 signature pre-defined
1054342 HTTP:OVERFLOW:SAMBAR-SEARCH chain pre-defined
2098774 HTTP:IIS:NSIISLOG-OF chain pre-defined
2105322 HTTP:STC:IMG:WMF-METASPLOIT2 chain pre-defined
4196005 HTTP:OVERFLOW:NULLHTTPD-ROOT-OF chain pre-defined
2104295 HTTP:STC:MAL-MDB chain pre-defined
2103468 HTTP:APACHE:MODPHP-UPLOAD-HOF chain pre-defined   <-- the chain in question
3150298 HTTP:FRONTPAGE:FP30REG.DLL-OF chain pre-defined

You cannot remove this chain from the predefined attack group. When you use attack group 'CRITICAL:HTTP:SIGS' in a policy, the above chain comes with it.

The solution is to disable the attack object itself with the following command:
set attack disable HTTP:APACHE:MODPHP-UPLOAD-HOF

Note that disabling an attack object is global: the chain stops being evaluated in every policy that references CRITICAL:HTTP:SIGS (or the chain directly), not only in the policy named in the log message. Re-run 'get attack HTTP:APACHE:MODPHP-UPLOAD-HOF' and check the Status line to confirm the change, and issue 'save' so that it persists across a reboot.
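Because the disable command is global, it is worth knowing which policies, servers and clients the chain has actually been firing on before issuing it. The following added example (not part of this article or of ScreenOS) parses event log lines in the format quoted above and groups the hits per policy; the field regex, the sample log lines (RFC 5737 documentation addresses) and the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Field layout taken from the log message quoted in this article; the regex is this example's.
DI_EVENT = re.compile(
    r"(?P<attack>\S+) has been detected from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) through policy (?P<policy>\d+) (?P<count>\d+) times"
)

# Constructed sample log lines (RFC 5737 addresses), not a real device log.
SAMPLE_LOG = """\
HTTP:APACHE:MODPHP-UPLOAD-HOF has been detected from 192.0.2.15/51432 to 198.51.100.10/80 through policy 12 1 times
HTTP:APACHE:MODPHP-UPLOAD-HOF has been detected from 192.0.2.15/51440 to 198.51.100.10/80 through policy 12 3 times
HTTP:APACHE:MODPHP-UPLOAD-HOF has been detected from 192.0.2.77/40022 to 198.51.100.10/80 through policy 12 1 times
HTTP:APACHE:MODPHP-UPLOAD-HOF has been detected from 203.0.113.9/33100 to 198.51.100.20/80 through policy 7 1 times
HTTP:IIS:WEBDAV:SEARCH-OF has been detected from 203.0.113.9/33101 to 198.51.100.20/80 through policy 7 1 times
"""


def summarize(log_text: str, attack: str = "HTTP:APACHE:MODPHP-UPLOAD-HOF") -> dict:
    """Group hits for one attack object by policy ID.

    Returns {policy: {"hits": total count, "dests": Counter of 'ip:port', "sources": set of ips}}.
    Lines for other attack objects or that do not parse are skipped."""
    per_policy = defaultdict(lambda: {"hits": 0, "dests": Counter(), "sources": set()})
    for line in log_text.splitlines():
        m = DI_EVENT.search(line)
        if not m or m.group("attack") != attack:
            continue
        count = int(m.group("count"))
        entry = per_policy[int(m.group("policy"))]
        entry["hits"] += count
        entry["dests"][f'{m.group("dst")}:{m.group("dport")}'] += count
        entry["sources"].add(m.group("src"))
    return dict(per_policy)


if __name__ == "__main__":
    for policy, entry in sorted(summarize(SAMPLE_LOG).items()):
        print(f"policy {policy}: {entry['hits']} hits, dests={dict(entry['dests'])}, "
              f"sources={sorted(entry['sources'])}")
```

If every hit comes from known internal clients to the server you expect them to upload to, the chain is a false positive for that traffic and disabling it is the right call; hits on policies or servers you did not expect deserve a look at the actual requests before the object is silenced everywhere.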



Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search