[Snort-sigs] Need help with Signature - OS-WINDOWS Multiple Products excessive HTTP 304 Not Modified responses exploit attempt

Irish Settingg irishsetting at ...2420...
Sat Mar 14 12:11:27 EDT 2015


The signature - OS-WINDOWS Multiple Products excessive HTTP 304 Not
Modified responses exploit attempt seems to be triggering false alerts in
our environment.

Rule -
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"OS-WINDOWS
Multiple Products excessive HTTP 304 Not Modified responses exploit
attempt"; flow:to_client,established,only_stream; content:"HTTP/1.1 304 Not
Modified"; fast_pattern:only; detection_filter:track by_dst, count 44,
seconds 4; metadata:service http; reference:cve,2007-0947;
reference:cve,2007-6239; reference:url,
technet.microsoft.com/en-us/security/bulletin/ms07-027;
classtype:misc-activity; sid:16008; rev:14; )
As per the rule the alert is getting triggered correctly.

As per the references it is a vulnerability with IE6 and 7. but when it
comes to the server, I think IE does not handle the HTTP request, it is
HTTP.sys object in IIS that should handle the request and respond with the
Status code.

However as per the packet is concerned, 304 response messages are sent from
the internal Server towards external Client machines. IE6 or 7 is ideally
on the Client machine who handles the 304 response and updates the cache.
So the 304 exploit should be aimed towards the Client machine. Hence this
shows that the Rule should have been-

$EXTERNAL_NET $ HTTP_PORTS -> $HOME_NET any

Please suggest if you think there is any impact on Web servers when sending
multiple 304 Not Modified responses. If there is any impact on a webserver
while sending responses, reference -
*reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027
<http://technet.microsoft.com/en-us/security/bulletin/ms07-027>* needs to
be removed from the rule.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20150314/11de6e66/attachment.html>


More information about the Snort-sigs mailing list