[Snort-sigs] Need help with Signature - OS-WINDOWS Multiple Products excessive HTTP 304 Not Modified responses exploit attempt
jlay at ...3266...
Fri Mar 20 16:27:14 EDT 2015
On Sat, 2015-03-21 at 01:44 +0530, Irish Settingg wrote:
> Anyone who could help me on this... My environment is receiving a lot
> of such alerts... Should I be concerned about this? When logs were
> checked, normal 304 connections were observed.
> Changing the flow variables, would that be a good idea:
> $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any...
> Or should I think of changing the part "detection_filter:track
> by_dst, count 44, seconds 4" to a better number, as my servers are
> easily handling the 304 responses...
> On 14 March 2015 at 21:41, Irish Settingg <irishsetting at ...2420...> wrote:
> The signature - OS-WINDOWS Multiple Products excessive HTTP
> 304 Not Modified responses exploit attempt seems to be
> triggering false alerts in our environment.
> Rule -
> alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( \
>   msg:"OS-WINDOWS Multiple Products excessive HTTP 304 Not Modified responses exploit attempt"; \
>   flow:to_client,established,only_stream; \
>   content:"HTTP/1.1 304 Not Modified"; fast_pattern:only; \
>   detection_filter:track by_dst, count 44, seconds 4; \
>   metadata:service http; \
>   reference:cve,2007-0947; reference:cve,2007-6239; \
>   reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027; \
>   classtype:misc-activity; sid:16008; rev:14; )
> As per the rule, the alert is getting triggered correctly.
> As per the references, it is a vulnerability with IE6 and 7.
> But when it comes to the server, I think IE does not handle
> the HTTP request; it is the HTTP.sys object in IIS that should
> handle the request and respond with the status code.
> However, as far as the packet is concerned, 304 response messages
> are sent from the internal server towards external client
> machines. IE6 or 7 is ideally on the client machine, which
> handles the 304 response and updates the cache. So the 304
> exploit should be aimed towards the client machine. Hence this
> shows that the rule should have been:
> $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> Please suggest if you think there is any impact on web servers
> when sending multiple 304 Not Modified responses. If there is
> any impact on a webserver while sending responses, the reference
> "reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027" needs to be removed from the rule.
Please provide a packet capture if possible.
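As an added illustration (not from the thread or the Snort project), a small Python model of the detection_filter in sid 16008 run over constructed 304 traffic, to show how "track by_dst, count 44, seconds 4" turns individual matches into alerts and what a higher count would do to the same traffic. The two client IPs, their timings and the comparison threshold of 100 are assumptions; the alert semantics follow the Snort manual's description (alert only once the count is exceeded within the window).

```python
"""Sliding-window model of a Snort detection_filter, applied to a constructed
stream of HTTP 304 responses (example code, not from the thread)."""
from collections import defaultdict, deque

def make_events():
    """Constructed server -> client packets that matched the rule's content
    "HTTP/1.1 304 Not Modified": (timestamp_seconds, src_ip, dst_ip)."""
    events = []
    # Client A (assumed IP): a browser revalidating 60 cached objects in 2 s.
    for i in range(60):
        events.append((100.0 + i * (2.0 / 60), "10.0.0.5", "203.0.113.10"))
    # Client B (assumed IP): 40 revalidations spread evenly over 20 s.
    for i in range(40):
        events.append((100.0 + i * 0.5, "10.0.0.5", "203.0.113.20"))
    return sorted(events)

def detection_filter_alerts(events, count, seconds, track="by_dst"):
    """Return the events that would raise an alert.

    Model of Snort's detection_filter as described in the manual: a match
    raises an alert only once more than `count` matches have been seen for
    the tracked host (dst for by_dst, src for by_src) within `seconds`."""
    windows = defaultdict(deque)   # tracked host -> timestamps in window
    alerts = []
    for ts, src, dst in events:
        key = dst if track == "by_dst" else src
        win = windows[key]
        while win and ts - win[0] > seconds:   # expire old matches
            win.popleft()
        win.append(ts)
        if len(win) > count:
            alerts.append((ts, src, dst))
    return alerts

def alerts_per_client(events, count, seconds):
    """Summarise by_dst alerts per client IP for a given count/seconds tuning."""
    summary = defaultdict(int)
    for _, _, dst in detection_filter_alerts(events, count, seconds):
        summary[dst] += 1
    return dict(summary)

if __name__ == "__main__":
    ev = make_events()
    for count, seconds in [(44, 4), (100, 4)]:
        print(f"count {count}, seconds {seconds}: {alerts_per_client(ev, count, seconds)}")
```

With the rule's tuning only the bursty client trips the filter (16 alerts, one per match past the 44th); the steady client never has more than 9 matches in any 4 s window, and raising the count to 100 silences both.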