[Snort-sigs] Need help with Signature - OS-WINDOWS Multiple Products excessive HTTP 304 Not Modified responses exploit attempt

Irish Settingg irishsetting at ...2420...
Fri Mar 20 16:14:25 EDT 2015


Could anyone help me with this... My environment is receiving a lot of
such alerts... Should I be concerned about this? When the logs were checked,
normal 304 connections were observed.

Changing the flow variables - would that be a good idea? $EXTERNAL_NET
$HTTP_PORTS -> $HOME_NET any...

Or should I think of changing the part - detection_filter:track by_dst,
count 44, seconds 4 - to a better number, as my servers are easily
handling the 304 responses...

On 14 March 2015 at 21:41, Irish Settingg <irishsetting at ...2420...> wrote:

> The signature - OS-WINDOWS Multiple Products excessive HTTP 304 Not
> Modified responses exploit attempt seems to be triggering false alerts in
> our environment.
>
> Rule -
> alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"OS-WINDOWS Multiple Products excessive HTTP 304 Not Modified responses exploit attempt"; flow:to_client,established,only_stream; content:"HTTP/1.1 304 Not Modified"; fast_pattern:only; detection_filter:track by_dst, count 44, seconds 4; metadata:service http; reference:cve,2007-0947; reference:cve,2007-6239; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027; classtype:misc-activity; sid:16008; rev:14; )
>
> As per the rule, the alert is getting triggered correctly.
>
> As per the references, it is a vulnerability in IE6 and 7, but when it
> comes to the server, I think IE does not handle the HTTP request; it is
> the HTTP.sys object in IIS that should handle the request and respond with
> the status code.
>
> However, as far as the packet is concerned, 304 response messages are sent
> from the internal server towards external client machines. IE6 or 7 is
> ideally on the client machine, which handles the 304 response and updates
> the cache. So the 304 exploit should be aimed towards the client machine.
> Hence this shows that the rule should have been:
>
> $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
>
> Please suggest if you think there is any impact on web servers when
> sending multiple 304 Not Modified responses. If there is any impact on a
> web server while sending responses, the reference
> reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027
> needs to be removed from the rule.
>