[Snort-sigs] Lotus Notes .exe script source download attempt

Drew Burchett DrewB at ...3225...
Thu May 18 12:41:01 EDT 2006


000 : 47 45 54 20 2F 69 65 78 70 6C 6F 72 65 2E 65 78   GET /iexplore.ex
010 : 65 2E 63 6F 6E 66 69 67 20 48 54 54 50 2F 31 2E   e.config HTTP/1.
020 : 31 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A   1..Accept: */*..
030 : 41 63 63 65 70 74 2D 45 6E 63 6F 64 69 6E 67 3A   Accept-Encoding:
040 : 20 67 7A 69 70 2C 20 64 65 66 6C 61 74 65 0D 0A    gzip, deflate..
050 : 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69   User-Agent: Mozi
060 : 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69   lla/4.0 (compati
070 : 62 6C 65 3B 20 4D 53 49 45 20 36 2E 30 3B 20 57   ble; MSIE 6.0; W
080 : 69 6E 64 6F 77 73 20 4E 54 20 35 2E 31 3B 20 53   indows NT 5.1; S
090 : 56 31 3B 20 2E 4E 45 54 20 43 4C 52 20 31 2E 31   V1; .NET CLR 1.1
0a0 : 2E 34 33 32 32 29 0D 0A 48 6F 73 74 3A 20 73 75   .4322)..Host: su
0b0 : 70 70 6F 72 74 2E 75 6E 69 74 65 64 2D 73 79 73   pport.united-sys
0c0 : 74 65 6D 73 2E 63 6F 6D 0D 0A 43 6F 6E 6E 65 63   tems.com..Connec
0d0 : 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65   tion: Keep-Alive
0e0 : 0D 0A 0D 0A                                       ....

Drew Burchett
United Systems & Software
http://www.united-systems.com
Phone:  (270)527-3293
Fax:     (270)527-3132


> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net [mailto:snort-sigs-
> admin at lists.sourceforge.net] On Behalf Of Joel Esler
> Sent: Thursday, May 18, 2006 2:29 PM
> To: Drew Burchett
> Cc: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] Lotus Notes .exe script source download attempt
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Drew,
> 
> Is it possible you could provide a pcap of the traffic you are
> seeing?
> 
> Joel
> 
> On May 18, 2006, at 3:03 PM, Drew Burchett wrote:
> 
> > web-misc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .exe script source download attempt"; flow:to_server,established; uricontent:".exe"; content:".exe"; content:"."; within:1; reference:bugtraq,6841; classtype:web-application-attack; sid:2067; rev:4;)
> >
> >
> >
> > I noticed that this rule was being hit quite a bit on my network
> > lately and decided to look a bit closer since I'm not running any
> > Domino servers and I had a hard time believing I was getting probed
> > that often for that particular vulnerability.  Turns out that the
> > rule is generating a false positive due to the way some new .Net
> > generated ActiveX controls interact with Internet Explorer.  When
> > the ActiveX control is downloaded, IE requests the file
> > iexplore.exe.config from the web server.  This, of course, sets off
> > the Lotus rule, which just looks for .exe in the uricontent and in
> > the content.
> >
> >
> >
> > My solution was to write a pass rule in local.rules to allow
> > iexplore.exe.config, but I'd suggest as a permanent fix maybe
> > adding uricontent:[!]"iexplore.exe.config" to the rule.
> >
> >
> >
> > Drew Burchett
> >
> > United Systems & Software
> >
> > http://www.united-systems.com
> >
> > Phone:  (270)527-3293
> >
> > Fax:     (270)527-3132
> >
> >
> >
> >
> > --
> > CONFIDENTIALITY NOTICE: This e-mail message, including any
> > attachments, is for the sole use of the intended recipient(s) and
> > may contain confidential and privileged information. Any
> > unauthorized review, use, disclosure or distribution is prohibited.
> > If you are not the intended recipient, please contact the sender by
> > reply e-mail and destroy all copies of the original message.
> >
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
> 
> - --Joel
> joel.esler at ...435...
> http://demo.sourcefire.com/jesler.pgp.key
> 
> 
> 
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (Darwin)
> 
> iD8DBQFEbMr6KbCSyXHckt4RAkv/AJwLDklNCgWoZhGNRQrin4xiumnQOgCfRAwp
> 6IvV7CDjHvI8GI5LfI326EQ=
> =qqI2
> -----END PGP SIGNATURE-----
> 
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs


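The matching logic of SID 2067 and both of Drew's fixes (a pass rule, or a negated uricontent), worked through as an added example that is not part of the original thread and is not Snort code. It is a deliberately simplified Python emulation of the uricontent, content and within options, run over a request reconstructed from the hex dump above and over two requests constructed for the demonstration (a URI ending in ".exe.", which is what the ".exe" + "." within:1 sequence describes, and a plain .exe download). The pass-before-alert ordering in verdict() is an assumption about the deployment's configured rule order, not a statement about Snort's default.

```python
"""Emulate SID 2067's content matching and the two proposed false-positive fixes.

Hypothetical matcher written for this note; it models only the options the
rule uses (uricontent, content, within) plus the '!' negation Drew suggested.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Match:
    pattern: bytes
    uri: bool = False            # uricontent (request-target) vs content (raw packet)
    negated: bool = False        # content:!"..." / uricontent:!"..."
    within: int | None = None    # must be found within N bytes after the previous match


# Reconstructed from the hex dump in the message above.
IEXPLORE_CONFIG = (
    b"GET /iexplore.exe.config HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)\r\n"
    b"Host: support.united-systems.com\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)
# Constructed: a request-target ending in ".exe." (the byte sequence the rule describes).
TRAILING_DOT = b"GET /cgi-bin/tool.exe. HTTP/1.0\r\nHost: example.test\r\n\r\n"
# Constructed: an ordinary .exe download, which the rule should not flag.
PLAIN_EXE = b"GET /downloads/setup.exe HTTP/1.1\r\nHost: example.test\r\n\r\n"

# The rule as posted: uricontent:".exe"; content:".exe"; content:"."; within:1;
SID_2067 = [Match(b".exe", uri=True), Match(b".exe"), Match(b".", within=1)]
# Drew's suggested permanent fix: uricontent:!"iexplore.exe.config" prepended.
SID_2067_FIXED = [Match(b"iexplore.exe.config", uri=True, negated=True)] + SID_2067
# Drew's local.rules workaround: a pass rule keyed on the same URI.
PASS_IEXPLORE = [Match(b"iexplore.exe.config", uri=True)]


def request_uri(raw: bytes) -> bytes:
    """Return the request-target from the request line (method SP target SP version)."""
    parts = raw.split(b"\r\n", 1)[0].split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def matches(rule: list[Match], raw: bytes, idx: int = 0, cursor: int = 0) -> bool:
    """True when every content option in `rule` is satisfied against `raw`.

    `cursor` is the byte offset just past the previous match; it only carries
    meaning for a `within` option that follows a match in the same buffer,
    which is how SID 2067 uses it (content:".exe" then content:"." within:1).
    """
    if idx == len(rule):
        return True
    m = rule[idx]
    haystack = request_uri(raw) if m.uri else raw
    if m.negated:
        # Negated, unanchored: satisfied only when the pattern is absent.
        return m.pattern not in haystack and matches(rule, raw, idx + 1, cursor)
    if m.within is not None:
        # within:N -> the whole pattern must lie inside the N bytes after the previous match.
        window = haystack[cursor:cursor + m.within]
        pos = window.find(m.pattern)
        return pos >= 0 and matches(rule, raw, idx + 1, cursor + pos + len(m.pattern))
    # Unanchored: try every occurrence so a later relative option can backtrack.
    start = haystack.find(m.pattern)
    while start >= 0:
        if matches(rule, raw, idx + 1, start + len(m.pattern)):
            return True
        start = haystack.find(m.pattern, start + 1)
    return False


def verdict(raw: bytes, pass_rules: list[list[Match]], alert_rules: list[list[Match]]) -> str | None:
    """Assumes pass rules are evaluated before alert rules (a configuration choice, not Snort's fixed behaviour)."""
    if any(matches(r, raw) for r in pass_rules):
        return "pass"
    if any(matches(r, raw) for r in alert_rules):
        return "alert"
    return None


if __name__ == "__main__":
    for name, req in (("iexplore.exe.config", IEXPLORE_CONFIG), ("trailing dot", TRAILING_DOT), ("plain .exe", PLAIN_EXE)):
        print(f"{name:20} sid2067={matches(SID_2067, req)!s:5} "
              f"fixed={matches(SID_2067_FIXED, req)!s:5} "
              f"pass-rule verdict={verdict(req, [PASS_IEXPLORE], [SID_2067])}")
```

Running it shows why the rule fires on the .NET/ActiveX request: ".exe" immediately followed by "." is exactly what "iexplore.exe.config" contains, so nothing in the rule distinguishes it from a trailing-dot request. The negated uricontent suppresses only that one URI and leaves the ".exe." case alerting; the pass rule does the same, but only if pass rules are ordered ahead of alert rules in the running configuration, which is worth checking before relying on it.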