I've been receiving these vulnerability alerts, ID 40031, for some time now between two servers, (DMZ to inside), using port 80 (SOAP) and the severity level is high, but I have the action set to "alert" which is the default. I truly do not know what account is trying to use this vulnerability. In the details report it shows the "destination user" since I have user-id enable on the inside zone.
These are my questions:
1. Should I enable user-id on the DMZ zone so I can see the user account (if even possible) that is trying to access the internal server?
2. In the detailed report it shows the "destination user", what does this mean specifically?
The web server being attacked should be able to log the connections, for example IIS you can enable logging to see if a login was actually attempted. When you get an alert like this you really need to look at the logs on target machine and see what/where the login attempt was coming from.
1) Depends on what you really want to do this, although since it's an HTTP unauthorized message even enabling user-id on the DMZ zone you still likely won't get the account attempting to auth.
2) Destination user is simply the user last recorded on the destination IP.
If you don't have access to the internal machine or for some reason you can't log the request then you'll need to take a packet capture on the internal connection. If it's a standard 80 connection the data shouldn't be encrypted.
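As an added example (not code from the original post or from Palo Alto), here is the log check the answer recommends, done over a constructed IIS W3C log excerpt: it tallies 401 responses per client IP and logged username, and separates clients whose 401 was followed by a 2xx on the same URI (the normal HTTP challenge/response flow that a firewall "HTTP Unauthorized" signature will still flag) from clients that never authenticated. The field list, addresses, paths and usernames are assumed sample values.

```python
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample IIS log excerpt (not real data). s-ip is the inside web
# server, c-ip the DMZ-side client, matching the DMZ-to-inside direction on the page.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-01-15 10:00:01 10.0.0.5 POST /soap/service.asmx - 80 - 172.16.5.20 Mozilla/5.0 401 2 5 12
2024-01-15 10:00:02 10.0.0.5 POST /soap/service.asmx - 80 - 172.16.5.20 Mozilla/5.0 401 1 0 10
2024-01-15 10:00:03 10.0.0.5 POST /soap/service.asmx - 80 CORP\\svc_soap 172.16.5.20 Mozilla/5.0 200 0 0 45
2024-01-15 10:00:04 10.0.0.5 GET /index.html - 80 - 172.16.5.33 curl/8.0 200 0 0 3
2024-01-15 10:00:05 10.0.0.5 POST /soap/service.asmx - 80 - 172.16.5.40 python-requests/2.31 401 1 0 8
"""


def parse_iis_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into dicts keyed by the names in the #Fields line."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date) carry no request data
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def summarize_401s(records: List[Dict[str, str]]) -> Counter:
    """Count 401 responses per (client IP, username); '-' means IIS logged no user."""
    return Counter((r["c-ip"], r["cs-username"]) for r in records if r["sc-status"] == "401")


def clients_that_later_succeeded(records: List[Dict[str, str]]) -> Set[str]:
    """Client IPs whose 401 on a URI was followed by a 2xx on the same URI: a completed
    challenge/response, so the 401 was the server's auth challenge, not a failed login."""
    challenged: Set[Tuple[str, str]] = set()
    succeeded: Set[str] = set()
    for r in records:
        key = (r["c-ip"], r["cs-uri-stem"])
        if r["sc-status"] == "401":
            challenged.add(key)
        elif r["sc-status"].startswith("2") and key in challenged:
            succeeded.add(r["c-ip"])
    return succeeded
```

Clients that appear in the 401 tally but not in the "later succeeded" set are the ones worth correlating with the firewall's threat log timestamps and, failing that, a packet capture on the internal connection.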