[Snort-sigs] Lotus Notes .exe script source download attempt

Drew Burchett DrewB at ...3225...
Thu May 18 12:05:07 EDT 2006

web-misc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS
(msg:"WEB-MISC Lotus Notes .exe script source download attempt";
flow:to_server,established; uricontent:".exe"; content:".exe";
content:"."; within:1; reference:bugtraq,6841;
classtype:web-application-attack; sid:2067; rev:4;)


I noticed that this rule was being hit quite a bit on my network lately
and decided to look a bit closer since I'm not running any Domino
servers and I had a hard time believing I was getting probed that often
for that particular vulnerability.  Turns out that the rule is
generating a false positive due to the way some new .Net generated
ActiveX controls interact with Internet Explorer.  When the ActiveX
control is downloaded, IE requests the file iexplore.exe.config from the
web server.  This, of course, sets off the Lotus rule, which just looks
for .exe in the uricontent and in the content.


My solution was to write a pass rule in local.rules to allow
iexplore.exe.config, but I'd suggest as a permanent fix maybe adding
uricontent:[!]"iexplore.exe.config" to the rule.


Drew Burchett
United Systems & Software
Phone: (270)527-3293
Fax: (270)527-3132
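An added example, not part of Drew's post, that approximates Snort's uricontent/content/within matching in Python to show why iexplore.exe.config trips sid 2067 and how a negated uricontent (written uricontent:!"..."; in Snort rule syntax) would suppress only that request; the request-line format and the sample URIs are constructed assumptions, not captured traffic.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass
class HttpRequest:
    method: str
    uri: str
    version: str = "HTTP/1.1"

    def payload(self) -> bytes:
        # Request line as sent on the wire (constructed): plain content:
        # matches run over this, uricontent: matches run over the URI only.
        return f"{self.method} {self.uri} {self.version}\r\n".encode()


Pattern = Tuple[bytes, Optional[int]]  # (needle, within)


def content_chain(payload: bytes, patterns: Sequence[Pattern],
                  start: int = 0, idx: int = 0) -> bool:
    """Approximate Snort's relative content matching.

    within=None means the needle may match anywhere after the previous
    match; within=N means it must end no more than N bytes after the
    previous match ended. Like Snort, a later occurrence of an earlier
    needle is retried when the rest of the chain fails to line up.
    """
    if idx == len(patterns):
        return True
    needle, within = patterns[idx]
    pos = payload.find(needle, start)
    while pos != -1:
        if within is not None and pos + len(needle) > start + within:
            return False  # later occurrences are further away still
        if content_chain(payload, patterns, pos + len(needle), idx + 1):
            return True
        pos = payload.find(needle, pos + 1)
    return False


# sid:2067 rev:4 -> uricontent:".exe"; content:".exe"; content:"."; within:1;
SID_2067_URI = b".exe"
SID_2067_CONTENT: Sequence[Pattern] = [(b".exe", None), (b".", 1)]
# The exclusion proposed in the post, i.e. uricontent:!"iexplore.exe.config";
IEXPLORE_EXCLUSION = (b"iexplore.exe.config",)


def sid_2067_matches(req: HttpRequest, negated_uri: Sequence[bytes] = ()) -> bool:
    """True when the request would trip sid 2067 (with optional negated uricontents)."""
    uri = req.uri.encode()
    if SID_2067_URI not in uri or any(n in uri for n in negated_uri):
        return False
    return content_chain(req.payload(), SID_2067_CONTENT)
```

Running sid_2067_matches over "/iexplore.exe.config" fires without the exclusion and stays quiet with it, while "/download/setup.exe.bak" still fires in both cases and "/download/setup.exe" (no dot after .exe) never does.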

