Rule:

--
Sid:
1201

--
Summary:
This event is generated when a 403 error response code is returned to a
client by a webserver.

--
Impact:
Information gathering.

--
Detailed Information:
This event is generated when a 403 error response code is returned to a
client by a webserver. This may indicate an attempt to gain unauthorized
access to a web server or an application running on a web server.

The 400 series error messages are used to indicate an error on the part
of the browser client making the request to a web server. The 403
response indicates a request for a forbidden resource that cannot be
accessed even with authentication credentials.

Many events may indicate a determined attempt to exploit a vulnerability
on the victim server.

Some applications do not perform stringent checks when validating the
credentials of a client host connecting to the services offered on a
host server. This can lead to unauthorized access and possibly escalated
privileges to that of the administrator. Data stored on the machine can
be compromised and trust relationships between the victim server and
other hosts can be exploited by the attacker.

--
Affected Systems:
	All web server platforms

--
Attack Scenarios:
An attacker can access the authentication mechanism and supply his/her
own credentials to gain access. Alternatively the attacker can exploit
weaknesses to gain access as the administrator.

--
Ease of Attack:
Simple. Exploits for  many vulnerabilities exist although no exploit
code may be required.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Disallow administrative access from sources external to the protected
network.

Ensure the system is using an up to date version of the software and has
had all vendor supplied patches applied.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

--