Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual page 941


HTTP:EXPLOIT:BLAZIX-JSPVIEW
This signature detects attempts to exploit a vulnerability in Blazix, a Java-based Web server. Blazix 1.2 and earlier versions are vulnerable. Because Blazix does not strip bad characters (such as '+' and '') from URL requests, attackers may send a malicious URL to the Web server to view the JSP server-side scripts.

HTTP:EXPLOIT:BRUTE-FORCE
This protocol anomaly indicates too many authentication failures (for Web pages that require authentication) between a unique pair of hosts within a short period of time.

HTTP:EXPLOIT:BRUTE-SEARCH
This protocol anomaly indicates multiple 301 (Moved Permanently), 403 (Forbidden), 404 (Not Found) and 405 (Method Not Allowed) errors between a unique pair of hosts within a short period of time. This could indicate that a search robot or a script is methodically searching a Web site for vulnerable directories or CGI scripts. The default maximum number of 301/403/404/405 errors is 16.

HTTP:EXPLOIT:IE-ZONE-SPOOF
This signature detects attempts to access potentially malicious Web sites. When using Microsoft Internet Explorer, a user can be tricked into visiting a malicious Web site that they believe is benign. Additional IE vulnerabilities may allow the malicious Web site to run scripts in the Local Computer zone, which bypasses security checks on the user's machine. In your logs for the event, the malicious Web site appears as the destination IP address.

HTTP:EXPLOIT:ILLEGAL-HOST-CHAR
This signature detects illegal characters in the Host header field of an HTTP/1.1 request. Attackers may send an HTTP link that, when selected by the user, generates an HTTP request to a malicious Web site. In your logs, the destination IP address for the event may be the malicious Web site; however, some foreign Web sites may also trigger this signature, creating a false positive. Per RFC, '_' is not a legal character for a host name.

HTTP:EXPLOIT:REALPLAYER-SKIN
This signature detects malicious RealPlayer skin files.

HTTP:EXPLOIT:SHOUTCAST-FMT-STR
This signature detects attempts to exploit a known vulnerability in the Shoutcast streaming audio server. Attackers may gain complete control of the target host.

HTTP:EXPLOIT:WIN-MAL-COMP-FILE
This signature detects attempts to exploit a vulnerability in the Microsoft Windows native compressed file handler. Attackers may send .zip files with overly long filenames to overflow the file handler and run arbitrary code.

HTTP:EXT:GRP-EXT-HTTP
This signature detects GRP files sent over HTTP. GRP files can contain Windows Program Group information, and may be exploited by malicious users to deposit instructions or arbitrary code on a target's system. User involvement is required to activate GRP files; typically they are attached or linked to a harmless-appearing e-mail message.

Copyright © 2010, Juniper Networks, Inc.
Appendix E: Log Entries
medium    sos5.0.0, sos5.1.0
high      sos5.1.0
high      sos5.0.0, sos5.1.0
medium    sos5.0.0, sos5.1.0
high      sos5.1.0
medium    sos5.1.0
high      sos5.1.0
medium    sos5.1.0
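
The HTTP:EXPLOIT:BRUTE-SEARCH anomaly described above, sketched as an added example (not Juniper's code and not part of the manual): a sliding-window count of 301/403/404/405 responses per client/server pair, run over constructed log lines. The 60-second window, the log format and the reading of "maximum" as "alert on the 17th error" are assumptions; the manual only says "a short period of time".

```python
import re
from collections import defaultdict, deque
from datetime import datetime

SCAN_STATUSES = {301, 403, 404, 405}  # status codes named in the description
MAX_ERRORS = 16                       # default maximum stated in the description
WINDOW_SECONDS = 60                   # assumption: manual says only "a short period of time"

# Constructed log format: ISO timestamp, client IP, server IP, "request line", status
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" (\d{3})$')

def detect_brute_search(lines, max_errors=MAX_ERRORS, window=WINDOW_SECONDS):
    """Return [(timestamp, client, server, count)], one entry per host pair, at the
    moment its error count inside the sliding window first exceeds max_errors."""
    recent = defaultdict(deque)  # (client, server) -> timestamps of recent errors
    alerted = set()
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        if int(m.group(5)) not in SCAN_STATUSES:
            continue  # only the four error codes count toward the threshold
        ts = datetime.fromisoformat(m.group(1))
        pair = (m.group(2), m.group(3))
        q = recent[pair]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()  # drop errors that fell out of the window
        if len(q) > max_errors and pair not in alerted:
            alerted.add(pair)
            alerts.append((m.group(1), pair[0], pair[1], len(q)))
    return alerts

def sample_log():
    """Constructed sample: one client probing paths quickly, one hitting dead links slowly."""
    lines = []
    for i in range(20):  # 20 errors in 20 seconds from 192.0.2.10
        status = (404, 403, 301, 405)[i % 4]
        lines.append(f'2010-11-02T10:00:{i:02d} 192.0.2.10 198.51.100.5 "GET /cgi-bin/t{i} HTTP/1.1" {status}')
    for i in range(20):  # 20 errors spread over 20 minutes from 192.0.2.20
        lines.append(f'2010-11-02T10:{i:02d}:30 192.0.2.20 198.51.100.5 "GET /old{i} HTTP/1.1" 404')
    lines.append('2010-11-02T10:00:05 192.0.2.10 198.51.100.5 "GET / HTTP/1.1" 200')
    return lines

if __name__ == "__main__":
    for alert in detect_brute_search(sample_log()):
        print(alert)
```

The slow client produces the same number of 404s but never has more than two inside any window, which is why the count has to be windowed per host pair rather than totalled.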