Subject: I-gear 3.5.x for Microsoft Proxy logging vulnerability + temporary fix.
From: Dmitry Andrievsky (dimaQPS.ORG)
Date: Wed Oct 25 2000 - 16:54:53 CDT


Hello everyone,
 this message was generated after several hours with Symantec Tech Support
and my personal research of the issue. The issue is confirmed to be a
problem by Symantec®.

Platform: I-gear 3.5.6 (and 3.5.7-x) for MSP Proxy 2.0 ; Windows NT 4.0 SP6;
MSP 2.0 SP1; PowerEdge 2300 dual 450; 512 RAM.

Issue:
Hits on "Unidentified" web pages (web pages that do not comply to a certain
standard) generate an invalid entry in the I-gear log files. Usually the
entry is over 255 characters (a ballpark number for a valid URL log entry).
After the entry is made you can no longer generate reports about your users'
activity, or the reports are not complete.

Vulnerability: Users can generate invalid log entries causing inability to
view access reports.

Solution:
Symantec is working on a new release of the software that will solve the
problem (according to Tech Support). Meanwhile I had to come up with my own fix.
I repeat – this fix worked for my environment – AND I’M NOT RESPONSIBLE FOR
ANY DAMAGE/DATA LOSS THIS SOLUTION MIGHT CAUSE YOU. This is not a 100% fix,
and you cannot run it on your current log file (since it is being used by
I-gear).

1. download the Linux utility grep rewritten for Windows (I used Tim
Charron’s port: http://www.interlog.com/~tcharron/grep.html)
2. make this batch file (fixlog.cmd):

rem fixlog.cmd: drop every line of 300 or more characters, then replace the original
grep -v -E ".{300,}" %1 > templog
move /y templog %1

3. run batch file (fixlog urlog20001009)
4. This will remove any log entries larger than 300 characters.
5. Generate reports you have been missing so much.
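The same length filter, written here as an added example (not part of the original post), but keeping the overlong entries in a side file instead of throwing them away, so the records that broke the reporting tool stay available for investigation. The 300-character threshold is the one from the batch file above; the log file name, the ".quarantine" suffix and the sample log lines are constructed for this example.

```python
# Added example: filter overlong I-gear log lines the way the post's batch file
# does, but quarantine them rather than discard them. Not I-gear's own code.
import os
import tempfile

MAX_LEN = 300  # same threshold as `grep -v -E ".{300,}"`


def split_log_lines(lines, max_len=MAX_LEN):
    """Return (kept, quarantined). A line whose length (newline excluded) is
    max_len or more is quarantined, exactly what `grep -v -E ".{300,}"` drops."""
    kept, quarantined = [], []
    for line in lines:
        body = line.rstrip("\r\n")
        (quarantined if len(body) >= max_len else kept).append(line)
    return kept, quarantined


def fix_log(path, max_len=MAX_LEN):
    """Rewrite `path` with only the kept lines; append the overlong ones to
    path + ".quarantine". The original is replaced only after the temp file is
    completely written. Returns (kept_count, quarantined_count)."""
    with open(path, "r", encoding="latin-1", newline="") as fh:
        kept, quarantined = split_log_lines(fh.readlines(), max_len)
    if quarantined:
        with open(path + ".quarantine", "a", encoding="latin-1", newline="") as q:
            q.writelines(quarantined)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)), prefix="templog")
    with os.fdopen(fd, "w", encoding="latin-1", newline="") as out:
        out.writelines(kept)
    os.replace(tmp, path)  # atomic swap, like `move /y templog %1`
    return len(kept), len(quarantined)


# Constructed sample: two ordinary hits and one oversized "Unidentified" hit.
SAMPLE_LINES = [
    "2000-10-09 08:01:02 10.0.0.5 GET http://www.example.com/index.html 200\n",
    "2000-10-09 08:01:03 10.0.0.7 GET http://www.example.com/" + "A" * 400 + " 200\n",
    "2000-10-09 08:01:04 10.0.0.5 GET http://www.example.com/about.html 200\n",
]


def demo():
    """Run fix_log on a throwaway copy of the sample; returns (kept, quarantined)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "urlog20001009")  # constructed file name
        with open(path, "w", encoding="latin-1", newline="") as fh:
            fh.writelines(SAMPLE_LINES)
        counts = fix_log(path)
        with open(path + ".quarantine", encoding="latin-1") as q:
            assert len(q.readlines()) == counts[1]
        return counts


if __name__ == "__main__":
    print(demo())  # (2, 1)
```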

------------------------------------
Dmitry Andrievsky <dimaqps.org>
Networks & Systems Administrator
Quincy Public Schools, District #172