Activity Processors: Error Processor

Errors and their contents play a big part in hacking a website. When an attacker obtains an error message, it provides useful information; at the very least it confirms that the attacker found a way to make the web application do something unintended and that the server executed code to handle it. As a result, a user attempting to hack a website frequently induces and receives error messages, and these are often unusual ones that a normal visitor rarely triggers. For example, the 400 (Bad Request) status is returned when the raw data in a request does not follow the HTTP standard. While it is possible to get a 400 error by typing invalid characters into the URL, the majority of these errors are caused by third-party software (usually not a browser) communicating improperly with the server; an attacker might, for example, manually construct a malicious request and forget to include the "Host" header. The goal of this processor is to record unusual and unexpected errors as incidents. It also monitors all 404 errors and attempts to identify Common Directory Enumeration and User Directory Enumeration.

Table 23: Error Processor Configuration Parameters

| Parameter | Type | Default Value | Description |
|---|---|---|---|
| Basic | | | |
| Processor Enabled | Boolean | True | Whether traffic should be passed through this processor. |
| Legitimate Error Detection Enabled | Boolean | True | Whether to attempt to identify errors in the protected web applications so that they can be ignored. |
| Advanced | | | |
| Error Cache Expiration | Integer | 43200 (12 hours) | The number of seconds to cache an error condition so that subsequent matching error conditions from other users can be identified. The less traffic the site sees on a regular basis, the higher this value must be. The recommended default is for sites that see several thousand users a day or more. |
| Error Cache Size | Integer | 50 | The number of error conditions to cache for each level of specificity. If too many error conditions are encountered in a short period of time, this prevents the tracking code from consuming too much memory. The full URL with query string level caches this many conditions, the URL-only level caches twice this many, and the filename level caches three times this many. |
| Filename Only Expiration | Integer | 259200 (3 days) | The number of seconds that an error must not be encountered on a filename, regardless of its location, before an ignored error starts being recorded again. |
| Filename Only Threshold | Integer | 70 | The maximum number of unique users who can hit a specific filename, regardless of location, and get the same error before it stops being recorded as suspicious (zero = do not track based on filename). |
| URL With Query Expiration | Integer | 259200 (3 days) | The number of seconds that an error must not be encountered on the full URL with query string before an ignored error starts being recorded again. |
| URL With Query Threshold | Integer | 30 | The maximum number of unique users who can hit a full URL including query string and get the same error before it stops being recorded as suspicious (zero = do not track based on full URL). |
| URL Without Query Expiration | Integer | 259200 (3 days) | The number of seconds that an error must not be encountered on the URL excluding query string before an ignored error starts being recorded again. |
| URL Without Query Threshold | Integer | 50 | The maximum number of unique users who can hit a URL excluding query string and get the same error before it stops being recorded as suspicious (zero = do not track based on URL). |
| 100 Continue | Configurable | HTTP Status Codes | Continue. |
| 101 Switching Protocols | Configurable | HTTP Status Codes | Switching Protocols. |
| 102 Processing | Configurable | HTTP Status Codes | Processing. |
| 300 Multiple Choices | Configurable | HTTP Status Codes | Multiple Choices. |
| 301 Moved Permanently | Configurable | HTTP Status Codes | Moved Permanently. |
| 302 Found | Configurable | HTTP Status Codes | Found. |
| 303 See Other | Configurable | HTTP Status Codes | See Other. |
| 304 Not Modified | Configurable | HTTP Status Codes | Not Modified. |
| 305 Use Proxy | Configurable | HTTP Status Codes | Use Proxy. |
| 306 Switch Proxy | Configurable | HTTP Status Codes | Switch Proxy. |
| 307 Temporary Redirect | Configurable | HTTP Status Codes | Temporary Redirect. |
| 400 Bad Request | Configurable | HTTP Status Codes | Bad Request. |
| 401 Unauthorized | Configurable | HTTP Status Codes | Unauthorized. |
| 402 Payment Required | Configurable | HTTP Status Codes | Payment Required. |
| 403 Forbidden | Configurable | HTTP Status Codes | Forbidden. |
| 404 Not Found | Configurable | HTTP Status Codes | Not Found. |
| 405 Method Not Allowed | Configurable | HTTP Status Codes | Method Not Allowed. |
| 406 Not Acceptable | Configurable | HTTP Status Codes | Not Acceptable. |
| 407 Proxy Authentication Required | Configurable | HTTP Status Codes | Proxy Authentication Required. |
| 408 Request Timeout | Configurable | HTTP Status Codes | Request Timeout. |
| 409 Conflict | Configurable | HTTP Status Codes | Conflict. |
| 410 Gone | Configurable | HTTP Status Codes | Gone. |
| 411 Length Required | Configurable | HTTP Status Codes | Length Required. |
| 412 Precondition Failed | Configurable | HTTP Status Codes | Precondition Failed. |
| 413 Request Entity Too Large | Configurable | HTTP Status Codes | Request Entity Too Large. |
| 414 Request-URI Too Long | Configurable | HTTP Status Codes | Request-URI Too Long. |
| 415 Unsupported Media Type | Configurable | HTTP Status Codes | Unsupported Media Type. |
| 416 Requested Range Not Satisfiable | Configurable | HTTP Status Codes | Requested Range Not Satisfiable. |
| 417 Expectation Failed | Configurable | HTTP Status Codes | Expectation Failed. |
| 418 I'm a teapot | Configurable | HTTP Status Codes | I'm a teapot. |
| 422 Unprocessable Entity | Configurable | HTTP Status Codes | Unprocessable Entity. |
| 423 Locked | Configurable | HTTP Status Codes | Locked. |
| 424 Failed Dependency | Configurable | HTTP Status Codes | Failed Dependency. |
| 425 Unordered Collection | Configurable | HTTP Status Codes | Unordered Collection. |
| 426 Upgrade Required | Configurable | HTTP Status Codes | Upgrade Required. |
| 449 Retry With | Configurable | HTTP Status Codes | Retry With. |
| 450 Blocked by Windows Parental Controls | Configurable | HTTP Status Codes | Blocked by Windows Parental Controls. |
| 500 Internal Server Error | Configurable | HTTP Status Codes | Internal Server Error. |
| 501 Not Implemented | Configurable | HTTP Status Codes | Not Implemented. |
| 502 Bad Gateway | Configurable | HTTP Status Codes | Bad Gateway. |
| 503 Service Unavailable | Configurable | HTTP Status Codes | Service Unavailable. |
| 504 Gateway Timeout | Configurable | HTTP Status Codes | Gateway Timeout. |
| 505 HTTP Version Not Supported | Configurable | HTTP Status Codes | HTTP Version Not Supported. |
| 506 Variant Also Negotiates | Configurable | HTTP Status Codes | Variant Also Negotiates. |
| 507 Insufficient Storage | Configurable | HTTP Status Codes | Insufficient Storage. |
| 509 Bandwidth Limit Exceeded | Configurable | HTTP Status Codes | Bandwidth Limit Exceeded. |
| 510 Not Extended | Configurable | HTTP Status Codes | Not Extended. |
| Incident: Illegal Response Status | Boolean | True | The user issued a request that resulted in an error status code that is considered suspicious and possibly malicious. |
| Incident: Suspicious Response Status | Boolean | True | The user issued a request that resulted in a known error status code generally involved in malicious behavior. On its own this is not enough to classify abuse, but patterns of this indicator can lead to higher-level malicious incidents. |
| Incident: Unexpected Response Status | Boolean | True | The user issued a request that resulted in an unknown error status code and could represent a successful exploit. |
| Incident: Unknown Common Directory Requested | Boolean | True | The user has requested a directory that does not exist. The directory is in a list of common directory names, so it is likely that this request is an attempt to find a directory that is not linked from the site. |
| Incident: Unknown User Directory Requested | Boolean | True | The user has requested a directory for a specific system user that does not exist. The username is in a list of common usernames, so it is likely that this request is an attempt to identify a user account that is not linked from the site. |
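The Advanced parameters above describe legitimate-error detection: an error seen by more unique users than a threshold, at any of three levels of specificity, is the application's own bug rather than an attack and stops being recorded. The following is an added illustration of that logic, not the product's code; it uses the page's default thresholds, expirations and cache sizes, and the collecting-then-ignored state machine and LRU eviction are assumptions about the design.

```python
import time
from collections import OrderedDict
from urllib.parse import urlsplit

# Per level: (name, key derived from the URL, unique-user threshold,
# expiration of an ignored error, cache size). Values are the page defaults;
# cache sizes follow the 1x / 2x / 3x rule from "Error Cache Size".
LEVELS = [
    ("url_query", lambda u: u, 30, 259200, 50),
    ("url", lambda u: urlsplit(u).path, 50, 259200, 100),
    ("filename", lambda u: urlsplit(u).path.rsplit("/", 1)[-1], 70, 259200, 150),
]
ERROR_CACHE_EXPIRATION = 43200  # seconds a condition is kept while counting users


class LegitimateErrorDetector:
    def __init__(self):
        # One size-bounded cache per level: key -> {"users", "last", "ignored"}
        self.caches = {name: OrderedDict() for name, *_ in LEVELS}

    def should_record(self, user, status, url, now=None):
        """Return True if this (status, url) error should be recorded as suspicious."""
        now = time.time() if now is None else now
        record = True
        for name, keyfn, threshold, ignore_exp, size in LEVELS:
            if threshold == 0:  # zero disables tracking at this level
                continue
            cache = self.caches[name]
            key = (status, keyfn(url))
            entry = cache.get(key)
            if entry is not None:
                # Assumed: a condition still collecting users expires after the
                # error cache expiration; an ignored one after the level's own.
                limit = ignore_exp if entry["ignored"] else ERROR_CACHE_EXPIRATION
                if now - entry["last"] > limit:
                    del cache[key]
                    entry = None
            if entry is None:
                entry = {"users": set(), "last": now, "ignored": False}
                cache[key] = entry
                while len(cache) > size:  # bound memory: drop least recently seen
                    cache.popitem(last=False)
            cache.move_to_end(key)
            entry["last"] = now
            entry["users"].add(user)
            if len(entry["users"]) > threshold:
                entry["ignored"] = True  # too widespread to be one attacker's doing
            if entry["ignored"]:
                record = False
        return record
```

A single user repeating the same error never trips a threshold, so a scanner cannot make its own errors "legitimate"; only many distinct users can.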