[Snort-sigs] Need help with Signature - OS-WINDOWS Multiple Products excessive HTTP 304 Not Modified responses exploit attempt
irishsetting at ...2420...
Fri Mar 20 16:14:25 EDT 2015
Anyone who could help me on this... My environment is receiving a lot of
such alerts... Should I be concerned about this? When logs were checked, normal
304 connections were observed.
Changing the flow variables, would that be a good idea: $EXTERNAL_NET
$HTTP_PORTS -> $HOME_NET any...
Or should I think of changing the part detection_filter:track by_dst,
count 44, seconds 4 to a better number... as my servers are easily
handling the 304 responses...
On 14 March 2015 at 21:41, Irish Settingg <irishsetting at ...2420...> wrote:
> The signature - OS-WINDOWS Multiple Products excessive HTTP 304 Not
> Modified responses exploit attempt seems to be triggering false alerts in
> our environment.
> Rule -
> alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"OS-WINDOWS
> Multiple Products excessive HTTP 304 Not Modified responses exploit
> attempt"; flow:to_client,established,only_stream; content:"HTTP/1.1 304 Not
> Modified"; fast_pattern:only; detection_filter:track by_dst, count 44,
> seconds 4; metadata:service http; reference:cve,2007-0947;
> reference:cve,2007-6239; reference:url,
> classtype:misc-activity; sid:16008; rev:14; )
> As per the rule the alert is getting triggered correctly.
> As per the references, it is a vulnerability in IE6 and 7, but when it
> comes to the server, I think IE does not handle the HTTP request; it is the
> HTTP.sys object in IIS that should handle the request and respond with the
> status code.
> However, as far as the packet is concerned, 304 response messages are sent
> from the internal server towards external client machines. IE6 or 7 is
> ideally on the client machine, which handles the 304 response and updates the
> cache. So the 304 exploit should be aimed towards the client machine. Hence
> this shows that the rule should have been:
> $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> Please suggest if you think there is any impact on web servers when
> sending multiple 304 Not Modified responses. If there is no impact on a
> webserver while sending responses, the reference
> reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027
> <http://technet.microsoft.com/en-us/security/bulletin/ms07-027> needs to
> be removed from the rule.
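As an added example (not part of the original thread or of the Snort rule set), the Python model below shows how the rule's `detection_filter:track by_dst, count 44, seconds 4` would count constructed 304 responses per destination host, and why, with the rule written `$HTTP_SERVERS -> $EXTERNAL_NET`, the host being tracked is the external client rather than the web server. The traffic values and the simplified sampling-window semantics are assumptions.

```python
from dataclasses import dataclass

COUNT, SECONDS = 44, 4  # detection_filter:track by_dst, count 44, seconds 4


@dataclass
class Resp:
    ts: float    # time of the response in seconds
    src: str     # web server that sent the response
    dst: str     # client that receives it (the tracked host under by_dst)
    status: str  # HTTP status line as it appears on the wire


def detection_filter_hits(responses, count=COUNT, seconds=SECONDS):
    """Return (index, dst) for each response on which the rule would alert.

    Assumed, simplified model of Snort's detection_filter: for each tracked
    host a sampling period starts at its first matching event; matching events
    inside that period are counted and the rule alerts on every event once the
    count *exceeds* `count`; after `seconds` elapse the period restarts.
    """
    state = {}  # dst -> (window_start, events_in_window)
    hits = []
    for i, r in enumerate(responses):
        if not r.status.startswith("HTTP/1.1 304 Not Modified"):
            continue  # content match fails, so the filter is never consulted
        start, n = state.get(r.dst, (r.ts, 0))
        if r.ts - start >= seconds:
            start, n = r.ts, 0  # sampling period expired: start a new one
        n += 1
        state[r.dst] = (start, n)
        if n > count:
            hits.append((i, r.dst))
    return hits


def build_sample(n_per_client, clients, spacing=0.05):
    """Constructed traffic: server 10.0.0.5 answering n 304s to each client."""
    out = []
    for c in clients:
        for k in range(n_per_client):
            out.append(Resp(k * spacing, "10.0.0.5", c, "HTTP/1.1 304 Not Modified"))
    return sorted(out, key=lambda r: r.ts)


if __name__ == "__main__":
    # One client fetching 50 cached objects in 2.5 s trips the filter on the
    # 45th response; the same volume spread over 10 clients never does.
    print(detection_filter_hits(build_sample(50, ["203.0.113.7"])))
    print(detection_filter_hits(build_sample(40, [f"198.51.100.{i}" for i in range(10)])))
```

Because the key is the destination, the alert rate depends on how quickly a single client revalidates its cache, not on anything the IIS server does.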