I am a newcomer to the network security arena, so please forgive me for my dumb questions.
I have a client using a FortiGate 110C. They have an Apache server hosting a bunch of websites.
In view of the recent Apache.HTTP.Server.ByteRange.Filter.DoS (CVE-2011-3192), I created an IPS sensor that enabled all signatures that are "high" and "critical" and set the default action to "block all".
However, after enabling this IPS sensor, there were a lot of alerts:
Message meets Alert condition
The following intrusion was observed: .
date=2011-11-17 time=03:16:53 devname=AAA device_id=FG100C3G09613578 log_id=0419016384 type=ips
subtype=signature pri=alert severity=high carrier_ep="N/A" profilegroup="N/A" profiletype="N/A"
profile="N/A" src=192.168.1.174 dst=115.240.74.237 src_int="port1" dst_int="wan1" policyid=4
identidx=0 serial=192870033 status=dropped proto=6 service=58925/tcp vd="root" count=1 src_port=80
dst_port=58925 attack_id=11969 sensor="IPS" ref="http://www.fortinet.com/ids/VID11969" user="N/A"
group="N/A" incident_serialno=1692252265 msg="misc: MS.PNG.Buffer.Overflow"
The source IP is the private IP of the server, so it appears that the web server is serving a faulty png file to the client.
Questions:
1.) Is there a way to learn from the firewall log, or from anything else, to pinpoint the png file in question so that we can replace it?
2.) Since the web server hosts several websites, is it possible to learn from the firewall log, or from anything else, the URL that the client is accessing (attacking)? I enabled packet logging, but I cannot figure out any useful information from the packet.
3.) I used Nessus to scan the firewall, and it showed a "High Severity problem(s) found" alert with plugin ID 55976, which is "Apache HTTP Server Byte Range DoS". Is this a false alarm? Is it just that it detected an old version of Apache only? Or is FortiGate vulnerable to the attack? (I have enabled all "high" and "critical" signatures and set the default action to "block all".)
Best Regards,
Paul
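An added example (my own code, not from the original post or from Fortinet): a small Python parser for the key=value alert line quoted above, which also works out from the src address and src_port whether the signature fired on the web server's response or on a client's request. It assumes the web server listens on ports 80/443 and uses the post's alert line as its sample input; the client IP and timestamp it extracts are what you would correlate against the Apache access log to find the URL and the PNG.

```python
import ipaddress
import re

# Sample input constructed from the alert line quoted in the post (the stray
# spaces inside the quoted values are a rendering artifact and were removed).
SAMPLE_LOG = (
    'date=2011-11-17 time=03:16:53 devname=AAA device_id=FG100C3G09613578 log_id=0419016384 type=ips '
    'subtype=signature pri=alert severity=high carrier_ep="N/A" profilegroup="N/A" profiletype="N/A" '
    'profile="N/A" src=192.168.1.174 dst=115.240.74.237 src_int="port1" dst_int="wan1" policyid=4 '
    'identidx=0 serial=192870033 status=dropped proto=6 service=58925/tcp vd="root" count=1 src_port=80 '
    'dst_port=58925 attack_id=11969 sensor="IPS" ref="http://www.fortinet.com/ids/VID11969" user="N/A" '
    'group="N/A" incident_serialno=1692252265 msg="misc: MS.PNG.Buffer.Overflow"'
)

# key=value pairs; a value is either a double-quoted string (may contain spaces) or a bare token
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

SERVER_PORTS = (80, 443)  # assumption: the Apache vhosts listen here


def parse_fortigate_log(line: str) -> dict:
    """Split a FortiGate key=value log line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def classify_alert(fields: dict) -> dict:
    """Decide which side sent the flagged packet and pull out the correlation keys.

    In the post's alert src is the server's private IP and src_port is 80, so the
    signature matched the server's *response* (content it served), not an inbound attack.
    """
    src, dst = ipaddress.ip_address(fields["src"]), ipaddress.ip_address(fields["dst"])
    src_port, dst_port = int(fields["src_port"]), int(fields["dst_port"])
    if src.is_private and src_port in SERVER_PORTS and not dst.is_private:
        direction = "server-response"
    elif dst.is_private and dst_port in SERVER_PORTS:
        direction = "client-request"
    else:
        direction = "other"
    server_side = direction == "server-response"
    return {
        "direction": direction,
        "attack_id": int(fields["attack_id"]),
        "signature": fields["msg"],
        "status": fields["status"],
        "when": fields["date"] + " " + fields["time"],
        "server": str(src if server_side else dst),
        "client": str(dst if server_side else src),
        "client_port": dst_port if server_side else src_port,
    }


if __name__ == "__main__":
    print(classify_alert(parse_fortigate_log(SAMPLE_LOG)))
```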