
Activity Processors: Error Processor

Errors and their contents play a big part in hacking a website. When a hacker obtains an error message, it provides useful information, the very least of which is that the attacker found a way to do something unintended in the web application and the server executed code to handle it. As such, when a user attempts to hack a website, they frequently induce and receive error messages. Often these error messages are very unusual and are not common when a normal user visits the site. For example, the error code 400 (Bad Request) is returned when the raw data in a request does not follow the HTTP standards. While it is possible to get a 400 error by typing invalid characters into the URL, the majority of these errors are caused by third-party software (usually not a browser) communicating improperly with the server. A hacker might, for example, manually construct a malicious request and forget to include the "Host" header. The goal of this processor is to record unusual and unexpected errors as incidents. This processor also monitors all 404 errors and attempts to identify Common Directory Enumeration and User Directory Enumeration.

Table 1: Error Processor Configuration Parameters

| Parameter | Type | Default Value | Description |
|---|---|---|---|
| Basic | | | |
| Processor Enabled | Boolean | True | Whether traffic should be passed through this processor. |
| Legitimate Error Detection Enabled | Boolean | True | Whether to attempt to identify errors in the protected web applications so that they can be ignored. |
| Advanced | | | |
| Error Cache Expiration | Integer | 43200 (12 hours) | The number of seconds to cache an error condition so that subsequent matching error conditions from other users can be identified. The less traffic the site sees on a regular basis, the higher this value must be. The recommended default is for sites that see several thousand users a day or more. |
| Error Cache Size | Integer | 50 | The number of error conditions to cache for each level of specificity. If too many error conditions are encountered in a short period of time, this prevents the tracking code from consuming too much memory. Errors at the full URL with query string specificity will cache this many conditions; at the URL-only level it will cache twice this many; and at the filename level it will cache 3 times as many as this value. |
| Filename Only Expiration | Integer | 259200 (3 days) | The number of seconds that an error must not be encountered on a filename, regardless of its location, before an ignored error starts being recorded again. |
| Filename Only Threshold | Integer | 70 | The maximum number of unique users who can hit a specific filename, regardless of location, and get the same error before it stops being recorded as suspicious (zero = do not track based on filename). |
| URL With Query Expiration | Integer | 259200 (3 days) | The number of seconds that an error must not be encountered on the full URL with query string before an ignored error starts being recorded again. |
| URL With Query Threshold | Integer | 30 | The maximum number of unique users who can hit a full URL including query string and get the same error before it stops being recorded as suspicious (zero = do not track based on full URL). |
| URL Without Query Expiration | Integer | 259200 (3 days) | The number of seconds that an error must not be encountered on the URL excluding query string before an ignored error starts being recorded again. |
| URL Without Query Threshold | Integer | 50 | The maximum number of unique users who can hit a URL excluding query string and get the same error before it stops being recorded as suspicious (zero = do not track based on URL). |
| 100 Continue | Configurable | HTTP Status Codes | Continue. |
| 101 Switching Protocols | Configurable | HTTP Status Codes | Switching Protocols. |
| 102 Processing | Configurable | HTTP Status Codes | Processing. |
| 300 Multiple Choices | Configurable | HTTP Status Codes | Multiple Choices. |
| 301 Moved Permanently | Configurable | HTTP Status Codes | Moved Permanently. |
| 302 Found | Configurable | HTTP Status Codes | Found. |
| 303 See Other | Configurable | HTTP Status Codes | See Other. |
| 304 Not Modified | Configurable | HTTP Status Codes | Not Modified. |
| 305 Use Proxy | Configurable | HTTP Status Codes | Use Proxy. |
| 306 Switch Proxy | Configurable | HTTP Status Codes | Switch Proxy. |
| 307 Temporary Redirect | Configurable | HTTP Status Codes | Temporary Redirect. |
| 400 Bad Request | Configurable | HTTP Status Codes | Bad Request. |
| 401 Unauthorized | Configurable | HTTP Status Codes | Unauthorized. |
| 402 Payment Required | Configurable | HTTP Status Codes | Payment Required. |
| 403 Forbidden | Configurable | HTTP Status Codes | Forbidden. |
| 404 Not Found | Configurable | HTTP Status Codes | Not Found. |
| 405 Method Not Allowed | Configurable | HTTP Status Codes | Method Not Allowed. |
| 406 Not Acceptable | Configurable | HTTP Status Codes | Not Acceptable. |
| 407 Proxy Authentication Required | Configurable | HTTP Status Codes | Proxy Authentication Required. |
| 408 Request Timeout | Configurable | HTTP Status Codes | Request Timeout. |
| 409 Conflict | Configurable | HTTP Status Codes | Conflict. |
| 410 Gone | Configurable | HTTP Status Codes | Gone. |
| 411 Length Required | Configurable | HTTP Status Codes | Length Required. |
| 412 Precondition Failed | Configurable | HTTP Status Codes | Precondition Failed. |
| 413 Request Entity Too Large | Configurable | HTTP Status Codes | Request Entity Too Large. |
| 414 Request-URI Too Long | Configurable | HTTP Status Codes | Request-URI Too Long. |
| 415 Unsupported Media Type | Configurable | HTTP Status Codes | Unsupported Media Type. |
| 416 Requested Range Not Satisfiable | Configurable | HTTP Status Codes | Requested Range Not Satisfiable. |
| 417 Expectation Failed | Configurable | HTTP Status Codes | Expectation Failed. |
| 418 I'm a teapot | Configurable | HTTP Status Codes | I'm a teapot. |
| 422 Unprocessable Entity | Configurable | HTTP Status Codes | Unprocessable Entity. |
| 423 Locked | Configurable | HTTP Status Codes | Locked. |
| 424 Failed Dependency | Configurable | HTTP Status Codes | Failed Dependency. |
| 425 Unordered Collection | Configurable | HTTP Status Codes | Unordered Collection. |
| 426 Upgrade Required | Configurable | HTTP Status Codes | Upgrade Required. |
| 449 Retry With | Configurable | HTTP Status Codes | Retry With. |
| 450 Blocked by Windows Parental Controls | Configurable | HTTP Status Codes | Blocked by Windows Parental Controls. |
| 500 Internal Server Error | Configurable | HTTP Status Codes | Internal Server Error. |
| 501 Not Implemented | Configurable | HTTP Status Codes | Not Implemented. |
| 502 Bad Gateway | Configurable | HTTP Status Codes | Bad Gateway. |
| 503 Service Unavailable | Configurable | HTTP Status Codes | Service Unavailable. |
| 504 Gateway Timeout | Configurable | HTTP Status Codes | Gateway Timeout. |
| 505 HTTP Version Not Supported | Configurable | HTTP Status Codes | HTTP Version Not Supported. |
| 506 Variant Also Negotiates | Configurable | HTTP Status Codes | Variant Also Negotiates. |
| 507 Insufficient Storage | Configurable | HTTP Status Codes | Insufficient Storage. |
| 509 Bandwidth Limit Exceeded | Configurable | HTTP Status Codes | Bandwidth Limit Exceeded. |
| 510 Not Extended | Configurable | HTTP Status Codes | Not Extended. |
| Incident: Illegal Response Status | Boolean | True | The user issued a request that resulted in an error status code that is considered suspicious and possibly malicious. |
| Incident: Suspicious Response Status | Boolean | True | The user issued a request that resulted in a known error status code generally involved in malicious behavior. On its own this is not enough to classify abuse, but patterns of this indicator can lead to higher-level malicious incidents. |
| Incident: Unexpected Response Status | Boolean | True | The user issued a request that resulted in an unknown error status code and could represent a successful exploit. |
| Incident: Unknown Common Directory Requested | Boolean | True | The user has requested a directory that does not exist. The directory is in a list of common directory names, so it is likely that this request is an attempt to find a directory that is not linked from the site. |
| Incident: Unknown User Directory Requested | Boolean | True | The user has requested a directory for a specific system user that does not exist. The username is in a list of common usernames, so it is likely that this request is an attempt to identify a user account that is not linked from the site. |
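The Advanced parameters above describe how legitimate error detection works: each error condition is cached at three levels of specificity (full URL with query string, URL without query string, filename only), each level counts the unique users who hit the same error, and once that count exceeds the level's threshold the error is treated as a legitimate application error and no longer recorded; after the error has been absent for the level's expiration period it is tracked afresh. The following is an added example that models this behaviour in Python; it is not the product's own code. The class and method names, the choice of least-recently-seen eviction when a level's cache is full, and the use of the Error Cache Expiration to age out conditions that have not yet crossed a threshold are all assumptions made here for illustration; the thresholds, expirations and cache sizes are the defaults from the table.

```python
from collections import OrderedDict
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import posixpath


@dataclass
class ErrorEntry:
    """One cached error condition: which users hit it and when it was last seen."""
    users: set = field(default_factory=set)
    last_seen: float = 0.0
    ignored: bool = False  # True once enough unique users hit it to look legitimate


@dataclass
class SpecificityLevel:
    name: str
    threshold: int   # unique users before the error is treated as legitimate (0 = not tracked)
    expiration: int  # seconds the error must be absent before an ignored one is recorded again
    capacity: int    # maximum number of cached conditions at this level
    cache: "OrderedDict[tuple, ErrorEntry]" = field(default_factory=OrderedDict)


class LegitimateErrorDetector:
    """Hypothetical model of the Error Processor's legitimate error detection (not product code)."""

    def __init__(self, cache_expiration=43200, cache_size=50,
                 full_url_threshold=30, url_threshold=50, filename_threshold=70,
                 level_expiration=259200):
        self.cache_expiration = cache_expiration
        # Most specific level first; cache sizes are N, 2N and 3N as the parameter table states.
        self.levels = [
            SpecificityLevel("url_with_query", full_url_threshold, level_expiration, cache_size),
            SpecificityLevel("url_without_query", url_threshold, level_expiration, 2 * cache_size),
            SpecificityLevel("filename", filename_threshold, level_expiration, 3 * cache_size),
        ]

    @staticmethod
    def keys_for(url):
        """Derive the three lookup keys for a request URL (assumed key format)."""
        parts = urlsplit(url)
        path = parts.path or "/"
        with_query = path + ("?" + parts.query if parts.query else "")
        return {
            "url_with_query": with_query,
            "url_without_query": path,
            "filename": posixpath.basename(path),
        }

    def should_record(self, user, status, url, now):
        """Return True if this error response should be recorded as an incident."""
        keys = self.keys_for(url)
        record = True
        for level in self.levels:
            if level.threshold == 0:
                continue  # zero disables tracking at this level
            key = (status, keys[level.name])
            entry = level.cache.get(key)
            if entry is not None:
                idle = now - entry.last_seen
                # An ignored error absent for longer than the level expiration is tracked afresh;
                # a not-yet-ignored one ages out of the cache after the Error Cache Expiration.
                if (entry.ignored and idle > level.expiration) or \
                   (not entry.ignored and idle > self.cache_expiration):
                    del level.cache[key]
                    entry = None
            if entry is None:
                entry = ErrorEntry()
                level.cache[key] = entry
                self._enforce_capacity(level)
            else:
                level.cache.move_to_end(key)  # mark as most recently seen
            entry.last_seen = now
            if not entry.ignored:
                entry.users.add(user)
                if len(entry.users) > level.threshold:
                    entry.ignored = True  # too many distinct users: a legitimate application error
            if entry.ignored:
                record = False
        return record

    @staticmethod
    def _enforce_capacity(level):
        # Assumed eviction policy: drop the least recently seen condition when the level is full.
        while len(level.cache) > level.capacity:
            level.cache.popitem(last=False)


if __name__ == "__main__":
    detector = LegitimateErrorDetector()
    # Constructed sample: 31 distinct users receive a 500 from the same URL and query string.
    for i in range(31):
        recorded = detector.should_record(f"user{i}", 500, "/app/report.php?id=7", 1000 + i)
        print(f"user{i}: recorded={recorded}")
```

With the defaults, the first 30 distinct users hitting the same URL and query string with the same status are recorded; the 31st crosses the URL With Query Threshold and the condition is ignored until it has been absent for three days. Because the levels are checked from most to least specific and the thresholds rise in that order, a broken page is usually recognised at the full-URL level first, while the filename level catches the same script failing under several different paths.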

Published: 2014-06-27