[Snort-sigs] Need help with Signature - OS-WINDOWS Multiple Products excessive HTTP 304 Not Modified responses exploit attempt

James Lay jlay at ...3266...
Fri Mar 20 16:27:14 EDT 2015


On Sat, 2015-03-21 at 01:44 +0530, Irish Settingg wrote:
> Anyone who could help me on this... My environment is receiving a lot
> of such alerts... Should I be concerned about this? When logs were
> checked, normal 304 connections were observed.
> 
> Changing the flow variable - would that be a good idea: $EXTERNAL_NET
> $HTTP_PORTS -> $HOME_NET any... 
> 
> Or should I think of changing the part - detection_filter:track
> by_dst, count 44, seconds 4 - to a better number... as my servers are
> easily handling the 304 responses...
> 
> On 14 March 2015 at 21:41, Irish Settingg <irishsetting at ...2420...>
> wrote:
> 
>         The signature - OS-WINDOWS Multiple Products excessive HTTP
>         304 Not Modified responses exploit attempt - seems to be
>         triggering false alerts in our environment.
>         
>         Rule -  
>         
>         alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any
>         (msg:"OS-WINDOWS Multiple Products excessive HTTP 304 Not Modified responses exploit attempt";
>         flow:to_client,established,only_stream;
>         content:"HTTP/1.1 304 Not Modified"; fast_pattern:only;
>         detection_filter:track by_dst, count 44, seconds 4;
>         metadata:service http;
>         reference:cve,2007-0947; reference:cve,2007-6239;
>         reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027;
>         classtype:misc-activity; sid:16008; rev:14; )
>         
>         As per the rule, the alert is getting triggered correctly. 
>         
>         
>         As per the references it is a vulnerability in IE6 and 7,
>         but when it comes to the server, I think IE does not handle
>         the HTTP request; it is the HTTP.sys object in IIS that should
>         handle the request and respond with the status code.
>         
>         However, as far as the packet is concerned, 304 response messages
>         are sent from the internal server towards external client
>         machines. IE6 or 7 is ideally on the client machine, which
>         handles the 304 response and updates the cache. So the 304
>         exploit should be aimed at the client machine. Hence this
>         shows that the rule should have been - 
>         
>         $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
>         
>         
>         Please suggest if you think there is any impact on web servers
>         when sending multiple 304 Not Modified responses. If there is
>         any impact on a webserver while sending responses, the reference -
>         reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027 - needs to be removed from the rule.
>         
> 
> 
> 
> 


Please provide a packet capture if possible.

James
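To make the two proposed changes concrete, here is an added simulation (my own Python, not code from this thread, from Snort, or from the Talos rule) that runs the rule header and its detection_filter over a constructed stream of 304 responses. The network variables, the sample traffic and the detection_filter semantics (a fixed sampling period that starts at the first match for a tracked host, with the rule firing on every match once the count has been exceeded inside that period) are assumptions made for the illustration; the point it shows is which hosts `track by_dst` actually keys on under each header, and why a steady trickle of normal revalidations never reaches 44 in 4 seconds while a burst does.

```python
import ipaddress
from dataclasses import dataclass

# Constructed network variables standing in for a real snort.conf (assumption).
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
HTTP_SERVERS = ipaddress.ip_network("10.0.5.0/24")
HTTP_PORTS = {80, 8080}
CONTENT = b"HTTP/1.1 304 Not Modified"   # the rule's fast_pattern content


@dataclass
class Packet:
    ts: float          # seconds since start of capture
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def is_external(ip):
    """$EXTERNAL_NET is modelled as the usual !$HOME_NET."""
    return ipaddress.ip_address(ip) not in HOME_NET


def header_matches(pkt, direction):
    """'as_shipped' is $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any;
    'reversed' is $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (the poster's proposal)."""
    if direction == "as_shipped":
        return (ipaddress.ip_address(pkt.src) in HTTP_SERVERS
                and pkt.sport in HTTP_PORTS and is_external(pkt.dst))
    if direction == "reversed":
        return (is_external(pkt.src) and pkt.sport in HTTP_PORTS
                and ipaddress.ip_address(pkt.dst) in HOME_NET)
    raise ValueError(direction)


class DetectionFilter:
    """Approximation (assumption) of detection_filter:track by_dst|by_src, count N, seconds S:
    a sampling period starts at the first match for a key; the rule fires on each
    match after the count has been exceeded within that period."""

    def __init__(self, track, count, seconds):
        self.track, self.count, self.seconds = track, count, seconds
        self.state = {}   # tracked host -> (period_start, matches_in_period)

    def fires(self, pkt):
        key = pkt.dst if self.track == "by_dst" else pkt.src
        start, n = self.state.get(key, (None, 0))
        if start is None or pkt.ts - start >= self.seconds:
            start, n = pkt.ts, 0          # new sampling period
        n += 1
        self.state[key] = (start, n)
        return n > self.count


def run_rule(packets, direction, track="by_dst", count=44, seconds=4):
    """Evaluate header + content + detection_filter; return (alerts, tracked hosts)."""
    df = DetectionFilter(track, count, seconds)
    alerts = []
    for p in packets:
        if header_matches(p, direction) and CONTENT in p.payload:
            if df.fires(p):
                alerts.append((p.ts, p.src, p.dst))
    return alerts, sorted(df.state)


def build_sample():
    """Constructed traffic: one client doing normal revalidation, one receiving a burst."""
    pkts = []
    # Normal caching behaviour: 50 x 304 to one external client spread over 10 s (5/s).
    for i in range(50):
        pkts.append(Packet(i * 0.2, "10.0.5.10", 80, "203.0.113.7", 40000 + i, CONTENT + b"\r\n"))
    # Burst: 60 x 304 to another external client inside 2 s.
    for i in range(60):
        pkts.append(Packet(100 + i * 0.03, "10.0.5.10", 80, "198.51.100.9", 50000 + i, CONTENT + b"\r\n"))
    return sorted(pkts, key=lambda p: p.ts)


if __name__ == "__main__":
    for direction in ("as_shipped", "reversed"):
        alerts, hosts = run_rule(build_sample(), direction)
        print(f"{direction}: {len(alerts)} alerts, tracked hosts: {hosts}")
```

With the header as shipped, `by_dst` keys on the external client addresses, so the steady 5-per-second client never exceeds 44 in any 4-second period while the burst client fires 16 times; with the reversed header the server-originated 304s do not match at all in this sample, so the change silences the rule rather than tuning it. Raising the count, as the second proposal suggests, only moves the burst threshold; it does not change which side of the connection is being counted.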