[Snort-sigs] Lotus Notes .exe script source download attempt

Joel Esler joel.esler at ...435...
Thu May 18 12:30:01 EDT 2006



Drew,

Is it possible you could provide a pcap of the traffic you are seeing?

Joel

On May 18, 2006, at 3:03 PM, Drew Burchett wrote:

> web-misc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .exe script source download attempt"; flow:to_server,established; uricontent:".exe"; content:".exe"; content:"."; within:1; reference:bugtraq,6841; classtype:web-application-attack; sid:2067; rev:4;)
>
> I noticed that this rule was being hit quite a bit on my network  
> lately and decided to look a bit closer since I’m not running any  
> Domino servers and I had a hard time believing I was getting probed  
> that often for that particular vulnerability.  Turns out that the  
> rule is generating a false positive due to the way some new .Net  
> generated ActiveX controls interact with Internet Explorer.  When  
> the ActiveX control is downloaded, IE requests the file  
> iexplore.exe.config from the web server.  This, of course, sets off  
> the Lotus rule, which just looks for .exe in the uricontent and in  
> the content.
>
> My solution was to write a pass rule in local.rules to allow  
> iexplore.exe.config, but I’d suggest as a permanent fix maybe  
> adding uricontent:[!]"iexplore.exe.config" to the rule.
>
> Drew Burchett
>
> United Systems & Software
>
> http://www.united-systems.com
>
> Phone:  (270)527-3293
>
> Fax:     (270)527-3132
>

--Joel
joel.esler at ...435...
http://demo.sourcefire.com/jesler.pgp.key





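As an added example (not code from this thread or from Snort), here is a small Python model of the three content checks in SID 2067, run over constructed HTTP requests to show why iexplore.exe.config trips the rule and how the negated uricontent Drew proposes excludes it. The matcher is a simplification: it assumes `within:N` means the pattern must end no more than N bytes after the previous match ends, and the request strings are made up for the demonstration.

```python
from typing import List, Optional, Tuple

# Constructed HTTP requests (not traffic from the thread); only the request
# line matters to the checks below.
REQUESTS = {
    # ".exe" immediately followed by "." in the URI: the pattern SID 2067 targets
    "exe_dot": "GET /scripts/app.exe. HTTP/1.0\r\nHost: example.test\r\n\r\n",
    # the .NET ActiveX side effect Drew describes: IE fetching iexplore.exe.config
    "ie_config": "GET /controls/iexplore.exe.config HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # an ordinary .exe download: ".exe" present, but no "." within 1 byte of it
    "plain_exe": "GET /downloads/setup.exe HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

def request_uri(payload: str) -> str:
    """Request-target from the request line (stand-in for Snort's URI buffer)."""
    parts = payload.split("\r\n", 1)[0].split(" ")
    return parts[1] if len(parts) >= 2 else ""

def content_chain(payload: str, chain: List[Tuple[str, Optional[int]]]) -> bool:
    """Ordered (pattern, within) checks; within=None searches the whole payload,
    within=N requires the match to end no more than N bytes after the previous
    match ends (simplified Snort 'within'); earlier occurrences are retried."""
    def rec(idx: int, cursor: int) -> bool:
        if idx == len(chain):
            return True
        pattern, within = chain[idx]
        start = payload.find(pattern, cursor)
        while start != -1:
            end = start + len(pattern)
            if within is not None and end > cursor + within:
                break  # later occurrences are further away still
            if rec(idx + 1, end):
                return True
            start = payload.find(pattern, start + 1)
        return False
    return rec(0, 0)

def sid_2067_original(payload: str) -> bool:
    """uricontent:".exe"; content:".exe"; content:"."; within:1;"""
    return ".exe" in request_uri(payload) and content_chain(payload, [(".exe", None), (".", 1)])

def sid_2067_tuned(payload: str) -> bool:
    """Same checks plus the negated uricontent Drew proposes: uricontent:!"iexplore.exe.config";"""
    return "iexplore.exe.config" not in request_uri(payload) and sid_2067_original(payload)

def evaluate() -> dict:
    """Map each constructed request to (original_fires, tuned_fires)."""
    return {name: (sid_2067_original(p), sid_2067_tuned(p)) for name, p in REQUESTS.items()}
```

Calling `evaluate()` gives `exe_dot` firing under both rules, `ie_config` firing only under the original, and `plain_exe` firing under neither, since its ".exe" is followed by a space rather than a dot.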