Scan 31

Write-Up By: Ryan C. Barnett

This month's challenge is to analyze web server log files looking for signs of abuse. The Honeypots: Monitoring and Forensics Project deployed an Apache web server that was configured as an Open Proxy. Your job is to analyze the log files and identify/classify the different attacks (trust me, there are a surprising number of them :). All entries are due Friday, 30 April. Results will be released Friday, 7 May. Find the rules and suggestions for submissions at the SotM Home Page.

Skill Level: Intermediate

The Challenge:
Open Proxy servers are a big problem on the Internet. Not only can an improperly secured proxy server expose your internal network to attack (yes, you heard me right, attackers can leverage unsecured proxy servers to identify/connect to internal systems Lamo's Adventures in WorldCom), but also these systems are used to obscure the true origin of web-based attacks. In order to gather data on these types of attack channels, the Honeypots: Monitoring and Forensics Project deployed a specially configured Apache web server, designed specifically for use as a honeypot open proxy server or ProxyPot. Please review the honeynet whitepaper entitled Open Proxy Honeypot for in depth details of the configurations. This paper will provide important background information to aid in your analysis of the SoTM data. As a reference we provide the following key to data:

a. Honeynet Web Server Proxy IP sanitized to: 192.168.1.103
b. Honeynet Web Server Proxy Hostname sanitized to: www.testproxy.net

Download the Image (25 MB)
c36d39dfd5665a58d7cea06438ceb96d apache_logs.tar..gz

Initial Steps

1. Download the apache_logs.tar.gz file onto my Redhat Linux host

2. Checked the MD5 has of the file to verify successful file integrity

# md5sum apache_logs.tar.gz

c36d39dfd5665a58d7cea06438ceb96d apache_logs.tar..gz

3. Gunzip and untar the archive

# gunzip apache_logs.tar.gz ; tar –xvf apache_logs.tar

logs/access_log

logs/audit_log

logs/error_log

logs/modsec_debug_log

logs/ssl-access_log

logs/ssl-error_log

logs/ssl_engine_log

logs/ssl_mutex.19660

logs/ssl_mutex.953

logs/ssl_request_log

logs/upload/

logs/upload/20040311-184310-68.0.178.69-GoodMrorning.htm

logs/upload/20040313-121627-24.165.131.110-Goo5dMorning.htm

logs/upload/20040313-132411-67.81.34.7-GoodMorkning.htm

logs/upload/20040313-145020-66.17.107.246-GoodMo0rning.htm

logs/upload/20040313-162733-68.198.16.66-GoocdMorning.htm

logs/upload/20040313-170722-24.136.227.15-GoodMoorning.htm

logs/upload/20040313-174514-68.41.205.235-GoodMornding.htm

4. CD into the logs directory and get a directory listing so that I would have an idea of the log file sizes I would be dealing with

# cd logs ; ls –l

total 294764

-rw-r--r-- 1 root root 43017422 Mar 15 12:15 access_log

-rw-r--r-- 1 root root 175754692 Mar 15 15:57 audit_log

-rw-r--r-- 1 root root 80243127 Mar 15 16:01 error_log

-rw-r--r-- 1 root root 231293 Mar 13 11:05 ssl-access_log

-rw-r--r-- 1 root root 1234677 Mar 14 11:08 ssl_engine_log

-rw-r--r-- 1 root root 789751 Mar 13 11:05 ssl-error_log

-rw------- 1 nobody root 0 Mar 11 19:46 ssl_mutex.19660

-rw------- 1 nobody root 0 Mar 13 23:18 ssl_mutex.953

-rw-r--r-- 1 root root 222041 Mar 13 11:05 ssl_request_log

drwxr-xr-x 2 root root 4096 Mar 16 16:14 upload

Questions

1. How do you think the attackers found the honeyproxy?

Answer: Most likely, the “real” people who were using the honeyproxy (as a proxy) and not a direct attack by worms and such, found the honeyproxy by using a list from an Open Proxy List Website.

Details: Keep in mind that, as with any honeypot/net deployment, there is some trial and error involved (but hey, that is why we are doing this – to learn). When I first deployed the honeyproxy with the configuration outlined in the Open Proxy Honeypot paper above, I monitored it for a few days. There wasn’t too much traffic except that of our familiar old friends CodeRed, NIMDA, etc… With a small set in data to analyze, I was able to update the configurations with some advancements. One of the configuration changes was to implement an additional HTTP response header to warn the users of monitoring (Warning: Subject To Monitoring). In order to verify these headers and check the proxy anonymity, I decided to use some of the proxy checking applications on some web sites - http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=proxy+check. What is interesting is that while almost all of these sites offer tools so a security conscience client can check their own proxy to verify that it is secured correctly, they will always add an open proxy that is finds to a public list. Here is a perfect example:

· Proxy Checking Tool – http://www.checker.freeproxy.ru/checker/

· Open Proxy List at the same website - http://www.checker.freeproxy.ru/checker/last_checked_proxies.php

It didn’t take long for the honeyproxy’s IP to propagate to other proxy lists and all of a sudden the traffic spiked significantly. It was at this point that I knew I was ready to officially deploy the honeyproxy for the SoTM Challenge. The official start time was Tue Mar 9 22:02:41 2004 (according to the first line in the error_log). If you compare this to the first log entry in the access_log file (09/Mar/2004:22:03:09 –0500) you will see that the first client request came only 28 seconds after the honeyproxy started up. Without the background information outlined above, it would seem odd to receive actual proxy requests this fast.

2. What different types of attacks can you identify? For each category, provide just one log example and detail as much info about the attack as possible (such as CERT/CVE/Anti-Virus id numbers). How many can you find?

Answer: One of the main benefits of honeypots/nets is that your logging should only capture malicious activity, reducing the amount of data to analyze. While this is the case, comparatively speaking to normal production NIDS deployments, this does not necessarily mean that the data sets will be “small”. The honeyproxy gathered ~ 295 MB of data in the log files. This is not a small amount of data if you are manually reviewing the logs. Anytime you have a large data set, you must develop an method to parse/analyze the logs looking for signs of attack/abuse/malicious intent. So, before we can answer “What” attacks are present in the various Open Proxy Honeypot logs, we need to figure out “How” we are going to identify these attacks. Even though, technically, all of the log data captured by the proxypot is suspect by nature, our methods should still be applicable to normal web server log file analysis. Below are the different ways in which I identified and quantified the various attacks:

Search Logs For Mod_Security-Message: When Mod_Security identifies a problem with a request due to a security violation, it will do two things – 1) Add in some additional client request headers stating why mod_security is taking action, and 2) Log this data to the audit_log and error_log files. These error messages can be triggered by Mod_Security special checks such as the SecFilterCheckURLEncoding directive, basic filters such as “\.\.” to prevent directory traversals and advanced filters based on converted snort rules.

Search Logic: Show me all of the audit_log entries that have the mod_security-message header, then sort the results, then only show me unique entries with a total count of each type in reverse order from highest to lowest, then remove the mod_security-message data at the beginning of each line and list the results with the less command.

Search Command: The command string below will accomplish the search logic from above.

51746 Pattern match "Basic" at HEADER.

6138 Pattern match "passwd\=" at THE_REQUEST.

5852 Pattern match "/search" at THE_REQUEST.

5368 Pattern match "passwd=" at THE_REQUEST.

4826 Pattern match "\.asp" at THE_REQUEST.

3694 Pattern match "login.icq.com" at THE_REQUEST.

1971 mod_security-message: Invalid character detected

1935 Pattern match "/smartsearch\.cgi" at THE_REQUEST.

1887 Pattern match "cmd\.exe" at THE_REQUEST.

1387 Pattern match "/sh" at THE_REQUEST.

816 Pattern match "\.\." at THE_REQUEST.

343 Pattern match "password\=" at POST_PAYLOAD.

301 Pattern match "/root\.exe" at THE_REQUEST.

296 Pattern match "81.171.1.165" at REMOTE_ADDR.

276 Pattern match "/ikonboard\.cgi" at THE_REQUEST.

242 Pattern match "200" at THE_REQUEST.

224 Pattern match "/index\.html" at THE_REQUEST.

192 Pattern match "<[[:space:]]*script" at THE_REQUEST.

186 Pattern match "/etc/passwd" at THE_REQUEST.

169 Pattern match "/index\.php" at THE_REQUEST.

137 Pattern match "/login" at THE_REQUEST.

135 Pattern match "/exec/" at THE_REQUEST.

124 Pattern match "/perl/" at THE_REQUEST.

81 Pattern match "\?&" at THE_REQUEST.

69 Pattern match "passwd\=" at POST_PAYLOAD.

68 Pattern match "/c/" at THE_REQUEST.

63 Pattern match "TRACE" at THE_REQUEST.

63 Pattern match "passwd=" at POST_PAYLOAD.

63 Pattern match "/banners/" at THE_REQUEST.

--CUT--

By looking at the bolded entries listed above, it appears that there are a large number Brute Force Attempts (Basic Authentication Headers and Password Credentials submitted in the URL field and POST_PAYLOAD).

Utilization of the AllowCONNECT Proxying Capabilities: Our set-up of the proxypot allowed proxying to a wide variety of ports/protocols that are targeted by attackers. These include ports 25 (SMTP) and 6667/6666 (IRC). Since these connection attempts will not trigger Mod_Security, we can not use the same search technique above to gather statistics. We will need to filter our search on HTTP requests that use these specific port numbers.

Search Logic: Search the access_log file for all CONNECT requests, filter the output to only display the URL portion, only show unique entries and then sort in reverse order from highest to lowest and display with less.

Search Command: The command string below accomplishes the search logic from above.

# egrep "CONNECT .*:.* HTTP" access_log | awk '{print $6, $7, $8}' | sort | uniq -c | sort -rn |less

10928 "CONNECT login.icq.com:443 HTTP/1.0"

474 "CONNECT 200.221.11.50:25 HTTP/1.0"

422 "CONNECT mx.freenet.de:25 HTTP/1.0"

340 "CONNECT mx.pchome.com.tw:25 HTTP/1.0"

303 "CONNECT 207.153.203.64:25 HTTP/1.0"

246 "CONNECT 200.154.55.2:25 HTTP/1.0"

237 "CONNECT mx0.gmx.net:25 HTTP/1.0"

199 "CONNECT irc.data.lt:6667 HTTP/1.0"

176 "CONNECT 200.210.55.201:25 HTTP/1.0"

155 "CONNECT 203.176.60.240:25 HTTP/1.0"

134 "CONNECT lobosuelto.arnet.com.ar:25 /

127 "CONNECT 200.142.77.19:25 HTTP/1.0"

120 "CONNECT 195.54.159.109:6667 HTTP/1.0"

119 "CONNECT smtp.taiwan.com:25 HTTP/1.0"

118 "CONNECT www.bzwbk.pl:443 HTTP/1.1"

118 "CONNECT wacek.one.pl:2019 HTTP/1.1"

114 "CONNECT wumt.westernunion.com:443 HTTP/1.0"

112 "CONNECT www.ip-relay.com:443 HTTP/1.1"

106 "CONNECT irc.quakenet.org:6667 HTTP/1.0"

99 "CONNECT 200.201.133.83:25 HTTP/1.0"

97 "CONNECT 192.168.1.103:80 HTTP/1.1"

96 "CONNECT 148.235.52.50:25 HTTP/1.0"

92 "CONNECT mx.apol.com.tw:25 HTTP/1.0"

87 "CONNECT mx.seed.net.tw:25 HTTP/1.0"

82 "CONNECT www.helllabs.com.ua:80 HTTP/1.0"

81 "CONNECT mx1.giga.net.tw:25 HTTP/1.0"

71 "CONNECT maila.microsoft.com:25 HTTP/1.0"

67 "CONNECT 208.218.130.51:25 HTTP/1.0"

66 "CONNECT mx1.yam.com:25 HTTP/1.0"

--CUT--

The bolded entries listed above show clients using the CONNECT method to have our proxypot connect to other systems on port 25 (SMTP). This is a sure sign of SPAMMERS.

Search Logs For Abnormal HTTP Status Codes: The Mod_Security default action settings were to generate a “200” status code for identified attacks. This action was to “trick” malicious proxypot users into thinking that their attack were successful. This means that this means that we cannot solely rely on status codes of “200 OK” to indicate that everything is normal. With this in mind, we can still analyze any status codes that were not “200 OK” and assess the results.

Search Logic: Search the audit_log file for all of the HTTP Response Codes returned by our proxypot, then remove all HTTP version info, next only show unique entries in reverse order.

Search Command: The command strings below accomplishes the search logic from above.

# egrep "^HTTP/" audit_log | sed "s/HTTP\/[01].[019] //g" | sort | uniq

508 unused

503 Service Unavailable

503 Service Temporarily Unavailable

503 Server Error

502 Proxy Error

502 Gateway Error

502 Bad Gateway

501 OK

501 Not Implemented

501 Method Not Implemented

500 Server Error

500 Proxy Error

500 Internal Server Error

416 Requested Range Not Satisfiable

414 Request-URI Too Large

411 Length Required

410 Gone

408 Request Timeout

406 Not Acceptable

405 Method Not Allowed

404 Object Not Found

404 Not Found

404 Not found

404 File Not Found

404 Condition Intercepted

404

403 Forbidden

403 Access Forbidden

401 Unauthorized

401 Unauthorised

401 Authorization Required

401 Access Denied

400 Bad Request

304 Not Modified

303 See Other

302 Temporary Relocation

302 Temporarily Moved

302 Redirecting

302 Redirected Request

302 Redirected

302 Redirect

302 R

302 OK

302 ok

302 Object Moved

302 Object moved

302 Moved Temporarily

302 MOVED

302 Moved

302 Found

302 Document Moved

302

301 Moved Perminantly

301 Moved Permanently

301 Moved

301 Error

206 Partial Content

206 Partial content

204 No Content

200 Proxy test OK

200 Okay

200 OK 2001

200 OK

200 Ok

200 ok

200 Document follows

200 Content-type: text/html

200 Apple

200

(null)

HTTP/3.14 200 OK

Generally speaking, any HTTP Status Code in the 4XX-5XX ranges should be investigated (bolded above). Additionally, there are a few status codes that are abnormal – (null) which is caused by CONNECT Method requests and others which hare mis-spelled – “Moved Perminantly”.

HTTP Request Methods: Many web-based attacks will use standard request methods such as GET, HEAD and POST. There are many attacks, however, that use other request methods such as TRACE, SEARCH and DELETE. By analyzing these request methods, it may be possible to identify different attacks.

Search Logic: Search the access_log file for all entries, then only display the HTTP Request Method portions, next only show unique entries and then sort in reverse order from highest to lowest.

Search Command: The command strings below accomplishes the search logic from above.

# cat access_log | awk '{print $6}' | sort | uniq -c | sort -rn |less

120036 "GET

37543 "HEAD

27529 "CONNECT

16550 "POST

257 "\x04\x01"

170 "\x05\x01"

68 "OPTIONS

20 "\x05\x02"

15 "SEARCH

13 "

12 "PUT

7 ""

6 "TRACE

6 "GET"

5 "PROPFIND

4 "get

3 "\x04\x01#(\xd5$d\xc6"

3 "\x04\x01\x1a\vR\x92,j\rquit

3 "some

3 "Secure

3 "QUIT"

3 "NESSUS

3 "GET\t/\tHTTP/1.0"

3 "GET/HTTP/1.0"

3 "DELETE

3 "COPY

2 "\x04\x01\x1a\v\xd5\x83\x83\x9b\rquit

2 "a"

1 "\x04\x01\x1a\v\xc2m\x81\xdc"

1 "\x04\x01\x1a"

1 "\x04\x01\x13\xba\xd8\x9b\xc1\x80"

1 "\x04\x01\x04\x1f\xd5\xceH\x95"

1 "\x04\x01+g\xc2m\x99\x02"

1 "67.28.114.33:25"

These HTTP Request Methods indicate that a few things: 1) That of the normal methods (GET, HEAD and POST) there were a large number of HEAD requests indicating Brute Force attempts, and 2) There are a large number of non-valid request methods. Each of these abnormal request methods should be investigated.

Non-HTTP Compliant Requests: HTTP Requests that are compliant with the protocol should have the following composition – <Request Method> <Universal Resource Identifier> <Protocol Version> <Linefeed/Return>. Example: Get /index.html HTTP/1.0. When attackers are probing and exploiting vulnerable servers/applications, they often send requests that deviate from the proper HTTP Request format to accomplish the exploit or nudge the app into revealing desired information such as error text, etc…

Search Logic: Search the audit_log file for all “Error:” entries, then do not display entries that are not HTTP RFC applicable, next sort and only show unique entries with less.

Search Command: The command strings below accomplishes the search logic from above.

Error: client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /

Error: client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /top.html

Error: client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /uoi{%&a

mp;<qqfn`1yn}bqlw|^?wim+nmr&hskyuwk&wo|}.nvux)^MXhRqVlTuXIDT][FX_Z-}]MFX_IDT]MF

WO{bqN|y7Kab;Mnz^?CmSfE}eNP^?2p^?&BjSUDTEyy^?HIDT]P^1G.+Nn|ACjIDT]M0uecVPsM~^?\oDTE%20

eB{JRPs$yC_.Sr*~DAS(cfMkzv$^?zPozCBjcF;*fQ6^gEOE%eCGhSfclzG(eFOQ$e^?KgdPJ-_Or)R~tay^?KcE]*

k[BH!]KR%TOLoa\w~CO!)UfE}CDL!RB^kDAGn\AJ%20Tu]*^KV&Tf\bb~

Error: Client sent malformed Host header

Error: Invalid method in request 67.28.114.33:25

Error: Invalid method in request a

Error: Invalid method in request get / http/1.0

Error: Invalid method in request GET/HTTP/1.0

Error: Invalid method in request NESSUS / HTTP/1.0

Error: Invalid method in request QUIT

Error: Invalid method in request SEARCH /G3uWK53a HTTP/1.1

Error: Invalid method in request SEARCH / HTTP/1.1

Error: Invalid method in request SEARCH /zjY520hy HTTP/1.1

Error: Invalid method in request SEARCH /zrg6Ndgf HTTP/1.1

Error: Invalid URI in request ^D^A^Z^KÂm<81>Ü

Error: Invalid URI in request CONNECT HTTP/1.0

Error: Invalid URI in request GET %20.box//../../../../../lotus/domino/notes.ini HTTP/1.1

Error: Invalid URI in request GET %20.box/../../../../../lotus/domino/notes.ini HTTP/1.1

--CUT—

Error: Reason: You're speaking plain HTTP to an SSL-enabled server port.<BR>

Error: request failed: error reading the headers

Error: request failed: URI too long

Error: Request header field is missing colon separator.<P>

Error: The request line contained invalid characters following the protocol string.<P>

The bolded entries above have identified problems when clients do not adhere to the RFC standard. All of these entries should be reviewed to determine what caused these error messages.

Armed with these different analysis categories, I analyzed the log files with standard *nix text utilities such as grep, awk and sed searching for specific signs of abuse.

2.1 Attack Category- SPAMMERS: The large majority of users of the proxypot were SPAMMERS trying to send their email through our server to hide their true location and make it hard to track down the emails origin.

Number of Log Entries: 23562

Search Logic: Search the audit_log file for all requests for well-known CGI email programs and CONNECT requests to a host on port 25.

Example Entry: In the audit_log entry below, the client is attempting to send email through our proxy onto the www.centrum.is host and send an email through the FormMail.pl CGI script. Luckily, Mod_Security intercepted this request due to URL Encoding problems in the body of the email, and thus it was never forwarded on to the destination host.

========================================

Request: 67.83.151.132 - - [Wed Mar 10 02:59:14 2004] "POST http://www.centrum.is/cgi-bin/

FormMail.pl HTTP/1.1" 200 578

Handler: proxy-server

Error: mod_security: Invalid character detected [13]

----------------------------------------

POST http://www.centrum.is/cgi-bin/FormMail.pl HTTP/1.1

Accept: */*

Connection: Close

Content-Length: 412

Content-Type: application/x-www-form-urlencoded

Host: www.centrum.is

Proxy-Connection: Close

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)

mod_security-action: 200

email=franceq5@tipnet.com&realname=franceq5@tipnet.com&recipient=<addhominem@aol.com>www.c

entrum.is%2C&subject=11%3A58%3A07%20PM%20Please%20read!%20%20%3D)+++++++++++++2a&1m=%0D%0A

%0D%0A%0A%0A%0A%0A%0A%0D%0Anob%0D%0A%0D%0Aaddhominem%20Visit%20http%3A%2F%2Fconnect.to%2Ff

riendscams%20and%20view%20these%20girls%20for%20FREE!%0D%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0D%

0A11%3A58%3A07%20PM%0D%0A3%2F9%2F2004%0A%0A%0A%0A0pf

HTTP/1.1 200 OK

Connection: close

Transfer-Encoding: chunked

Content-Type: text/html; charset=iso-8859-1

========================================

When email is sent through a web server CGI script like this, the SMTP MIME headers will not include any data prior to leaving this host. This means that normal SMTP trace-back techniques will not lead to the 67.83.151.132 host unless web logs are correlated.

CVE Info: http://www.securityfocus.com/bid/3955/info/ or http://icat.nist.gov/icat.cfm?cvename=CAN-2001-0357

2.2 Attack Category- Brute Force Authentication Attacks: There were a very large number of attacks against password protected content. There were three different type of authentication being targeted by attackers, GET (with Username/Password in the URL field), POST (with user credentials in the post payload) and HEAD (with Basic Authentication Header added). We will discuss Brute Force Attacks later in question 5.

2.3 Attack Category- Vulnerability Scans: There were two different vulnerability scans identified in the log files. One was conducted using the Nessus (http://www.nessus.org) tool and another using Void (http://www.packetstormsecurity.org/UNIX/cgi-scanners/exp.dat).

Nessus Scan Number of Log Entries: 10296

Search Logic: Search the access_log file for all entries with the word Nessus in them and show with the less command.

Search Command: grep Nessus access_log | less

Example Entry: The example entries below show that a Nessus vulnerability scan was conducted against our proxypot on March 12^th at 10:30 pm. You can easily identify this as a Nessus scan due to the User-Agent field data.

217.160.165.173 - - [12/Mar/2004:22:30:20 -0500] "GET / HTTP/1.1" 200 4320 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"

217.160.165.173 - - [12/Mar/2004:22:30:20 -0500] "GET /cfanywhere/index.html HTTP/1.1" 404 301 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"

217.160.165.173 - - [12/Mar/2004:22:30:20 -0500] "GET /docs/servlets/index.html HTTP/1.1" 404 304 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"

217.160.165.173 - - [12/Mar/2004:22:30:20 -0500] "GET /jsp/index.html HTTP/1.1" 404 294 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"

217.160.165.173 - - [12/Mar/2004:22:30:21 -0500] "GET /webl/index.html HTTP/1.1" 404 295 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"

217.160.165.173 - - [12/Mar/2004:22:30:21 -0500] "GET /./WEB-INF/ HTTP/1.1" 404 288 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"

--CUT--

Some interesting info on this scan:

· The client IP address of the scan is from a website called – http://port-scan.de. Interestingly, this site will allow you to run port scans, vulnerability scans, etc… against a site and it will email you the results. Supposedly, you can only run it against your own IP address, however the client IP address can be easily spoofed in the data sent to the http://www.port-scan.de/cgi-bin/portscan.cgi script.

· Even though we were leveraging the Snort web-attack files, Nessus has such as large number of attacks that it checks for that we would have missed a bunch of these requests since we did not have a signature in the snortmodsec-rules.txt file. You can see which requests we missed when the proxypot issues a “404” status code. If we had a corresponding signature, the proxypot would have issued a “200”.

· I decided to take the same approach that we have done with converting the Snort rules into mod_security rules with the nessus web entries. I extracted all of the entries for the Nessus vulnerability scan, used awk and sed to get the URL Request info and format it appropriately and then used the snort2modsec.pl script to create new nessus/mod_security filters. Below are some example of the converted rules:

SecFilterSelective THE_REQUEST "/changepw\.exe"

SecFilterSelective THE_REQUEST "/chassis/config/GeneralChassisConfig\.html"

SecFilterSelective THE_REQUEST "/chat/data/usr"

SecFilterSelective THE_REQUEST "/chat_dir/register\.php\?register=yes&username=nessus10723

34298&email=<script>x=10;</script>&email1=<script>x=10;</script>"