Comments on Errata Security: Some IDS comments
David Maynor
Updated: 2024-01-16T05:48:33.523-05:00

Sylvain (2012-02-08T11:30:50.183-05:00):

Response code is an early sign that something wrong is happening with the web app. They are very common in SQL Injection attempts when the attacker is trying different variations of attack string before finally finding the right one. Typically a WAF has a default rule to alert on suspicious response code; it can be correlated with other elements like a deviation from usual input type on an HTTP parameter.

There is never a single source of information to point at all attacks; this one is just an additional layer just like everything else in the security technologies.

Anonymous (2012-02-08T09:46:46.308-05:00):

I'd love to hear your thoughts on why this helps the analyst. The response code comes after the attack has happened and in the case of success can be made to be any code desired. In the case of failure it can't be trusted as such.

It is much the same as relying on X-Forwarded-For as an indicator of anything other than a proxy was potentially used.

I understand the practical aspects and that necessary compromises are made for efficiency, but the same effect of capturing and making available the response is possible by using the tag: keyword without breaking the analyst mindset.