Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual page 911

HTTP:BADBLUE:INVALID-GET-DOS
HTTP:BADBLUE:PROXY-RELAY
HTTP:BIGBROTHER:DIR-TRAVERSAL
HTTP:CGI:ALTAVISTA-TRAVERSAL
HTTP:CGI:ANYFORM-SEMICOLON
HTTP:CGI:APPLE-QT-FILEDISC1
HTTP:CGI:AXIS-ACCOUNT
HTTP:CGI:BNB-SURVEY-REMOTE-EXEC
HTTP:CGI:BUGZILLA-SEMICOLON
Copyright © 2010, Juniper Networks, Inc.
This signature detects denial-of-service attempts against
Working Resources BadBlue Web server. Attackers may send
a maliciously crafted HTTP GET request to the Web server
to disable the daemon and render it unusable until restarted.
This signature detects attempts to relay a web request
through a BadBlue web server. When BadBlue is using its
default configuration, attackers may use the web server as
a proxy server to attack internal targets or mask attack
activity.
This signature detects attempts to view files on the Web
server using the BigBrother bb-hist.sh history browser script.
Attackers may view any files on the Web server that are
accessible to the user the history browser script is running
under.
This signature detects attempts to exploit a vulnerability in
the AltaVista Search engine. The search engine sets up a
Web server at port 9000 that listens for search queries. The
search function accepts a single '../' string in the query,
providing access to the parent, or 'http' directory. This
directory typically contains administrative documents that
may include the password for the remote administration
utility, which is base-64 encoded. Attackers may send
multiple '../' strings in hex code (ie.'%2e%2e%2f') in a query
to access the remote administration utility password and
gain full remote administration abilities.
This signature detects attempts to exploit the AnyForm CGI
script, a popular CGI form designed to support simple forms
that deliver responses via e-mail. Some versions of AnyForm
did not perform user supplied data sanity checking, and may
allow remote execution of arbitrary commands on the server.
This signature detects attempts to exploit a vulnerability in
Apple QuickTimer Streaming Server. QuickTime Streaming
Server v4.1.1 and earlier versions are vulnerable. Attackers
may send a maliciously crafted URL to parse_xml.cgi to view
files that are not usually accessible through HTTP.
This signature detects a request to an Axis Video Server
containing parameters designed to create an Administrator
account on the server.
This signature detects attempts to access the BNBSurvey
survey.cgi program. Attackers may remotely execute
commands via shell metacharacters.
This signature detects shell access attempts to exploit the
process_bug.cgi script vulnerability in Bugzilla. Attackers
may send a semicolon as an argument to the script, followed
by arbitrary shell commands.
Appendix E: Log Entries
medium sos5.1.0
medium sos5.1.0,
sos5.0.0
medium sos5.0.0,
sos5.1.0
medium sos5.0.0,
sos5.1.0
high sos5.1.0,
sos5.1.0
medium sos5.0.0,
sos5.1.0
critical sos5.1.0
medium sos5.0.0,
sos5.1.0
high sos5.0.0,
sos5.1.0
861