[Snort-sigs] Lotus Notes .exe script source download attempt
DrewB at ...3225...
Thu May 18 12:05:07 EDT 2006
web-misc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS
(msg:"WEB-MISC Lotus Notes .exe script source download attempt";
flow:to_server,established; uricontent:".exe"; content:".exe";
content:"."; within:1; reference:bugtraq,6841;
classtype:web-application-attack; sid:2067; rev:4;)
I noticed that this rule was being hit quite a bit on my network lately
and decided to look a bit closer since I'm not running any Domino
servers and I had a hard time believing I was getting probed that often
for that particular vulnerability. Turns out that the rule is
generating a false positive due to the way some new .Net generated
ActiveX controls interact with Internet Explorer. When the ActiveX
control is downloaded, IE requests the file iexplore.exe.config from the
web server. This, of course, sets off the Lotus rule, which just looks
for .exe in the uricontent and in the content.
My solution was to write a pass rule in local.rules to allow
iexplore.exe.config, but I'd suggest as a permanent fix maybe adding
uricontent:[!]"iexplore.exe.config" to the rule.
United Systems & Software
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
This message has been scanned for viruses and dangerous content by MailScanner and is believed to be clean.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-sigs