[Snort-sigs] false positive: WEB-FRONTPAGE fourdots request

Nigel Houghton nigel at ...435...
Tue Oct 7 15:33:05 EDT 2003


Hugo,

It is the browser identification string "Mozilla/4.0 (compatible;  MSIE
4.0; Windows NT; ....../1.0 )" that appears to be causing the event to false.

This is something that can be modified by the client and I don't ever
remember seeing an id like that from a standard browser. I notice all the
requests are coming from the same place, have you seen this happen from
anywhere else?

Name:   tide158.microsoft.com
Address: 207.46.225.251

The references refer to a vulnerability in Microsoft FrontPage Personal
Webserver and Microsoft Personal Webserver. Since you are running Apache
it would probably be reasonable to turn the rule off if you continue to
get events from it.

Around 10:59pm Hugo van der Kooij said:

HvdK :
HvdK :Many false positives reported on the rule "WEB-FRONTPAGE fourdots request".
HvdK :
HvdK :Report:
HvdK :
HvdK :Oct  7 22:43:08 gandalf snort: [1:966:5] WEB-FRONTPAGE fourdots request
HvdK :[Classification: Web Application Attack] [Priority: 1]: {TCP}
HvdK :207.46.225.251:27800 -> 192.168.1.2:80
HvdK :Oct  7 22:49:03 gandalf snort: [1:966:5] WEB-FRONTPAGE fourdots request
HvdK :[Classification: Web Application Attack] [Priority: 1]: {TCP}
HvdK :207.46.225.251:31359 -> 192.168.1.2:80
HvdK :Oct  7 22:51:14 gandalf snort: [1:966:5] WEB-FRONTPAGE fourdots request
HvdK :[Classification: Web Application Attack] [Priority: 1]: {TCP}
HvdK :207.46.225.251:33577 -> 192.168.1.2:8
HvdK :
HvdK :Actual log from webserver:
HvdK :
HvdK :207.46.225.251 - - [07/Oct/2003:22:43:08 +0200] "GET
HvdK :/software/mplayer-skin-plastic-1.1.1-2.noarch.html HTTP/1.0" 200 4252 "-"
HvdK :"Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
HvdK :207.46.225.251 - - [07/Oct/2003:22:49:03 +0200] "GET
HvdK :/software/mplayer-skin-Blue-1.0-2.noarch.html HTTP/1.0" 200 5509 "-"
HvdK :"Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
HvdK :207.46.225.251 - - [07/Oct/2003:22:51:14 +0200] "GET
HvdK :/software/mplayer-skin-CornerMP-1.0-2.noarch.html HTTP/1.0" 200 4368 "-"
HvdK :"Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
HvdK :
HvdK :Rule:
HvdK :
HvdK :alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
HvdK :(msg:"WEB-FRONTPAGE fourdots request"; flow:to_server,established;
HvdK :content: "|2e 2e 2e 2e 2f|"; nocase; reference:bugtraq,989;
HvdK :reference:cve,CAN-2000-0153; reference:arachnids,248;
HvdK :classtype:web-application-attack; sid:966;  rev:5;)
HvdK :
HvdK :I guess this rule could be improved. Perhaps someone smarter than me can
HvdK :take a shot at it?
HvdK :
HvdK :Hugo.
HvdK :
HvdK :

-------------------------------------------------------------
Nigel Houghton   Security Research Engineer   Sourcefire Inc.
                 Vulnerability Research Team

"Mankind hasn't even got the technology to create a toupee
that doesn't get big laughs." -- Lister
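The following is an added example, not code from either poster: it emulates in Python why sid:966 rev:5 fires on Hugo's traffic and what a URI-restricted check (the equivalent of Snort's uricontent keyword) would do instead. The HTTP request is reconstructed from the first webserver log line; the Host header and the second, traversal-style request are constructed for illustration.

```python
# The rule's content "|2e 2e 2e 2e 2f|" is the byte string "..../".
FOURDOTS = b"\x2e\x2e\x2e\x2e\x2f"

# Constructed from the first line of Hugo's webserver log: a normal GET whose
# User-Agent header carries the "....../1.0" string Nigel pointed at.
LOGGED_REQUEST = (
    "GET /software/mplayer-skin-plastic-1.1.1-2.noarch.html HTTP/1.0\r\n"
    "Host: 192.168.1.2\r\n"  # assumed header, not in the log
    "User-Agent: Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )\r\n"
    "\r\n"
)

# Constructed request with the pattern in the URI itself, the case the
# references (bugtraq 989 / CAN-2000-0153) describe.
TRAVERSAL_REQUEST = (
    "GET /..../example.txt HTTP/1.0\r\n"
    "Host: 192.168.1.2\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "\r\n"
)


def matches_anywhere(request: str) -> bool:
    """Emulates the rule as written: a plain content match over the whole
    payload, so header values such as User-Agent are inspected too."""
    return FOURDOTS in request.encode()


def request_uri(request: str) -> str:
    """Return the request-target from the HTTP request line ("" if malformed)."""
    request_line = request.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    return parts[1] if len(parts) >= 3 else ""


def matches_uri_only(request: str) -> bool:
    """Tightened check: only the request URI is searched, which is where the
    FrontPage PWS issue puts the four dots, so a User-Agent cannot trip it."""
    return FOURDOTS in request_uri(request).encode()


if __name__ == "__main__":
    for name, req in (("logged", LOGGED_REQUEST), ("traversal", TRAVERSAL_REQUEST)):
        print(f"{name}: anywhere={matches_anywhere(req)} uri_only={matches_uri_only(req)}")
```

Running it shows the logged request only fires under the whole-payload match, while the URI-only check still catches the traversal-style request.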
