Snort mailing list archives
Need help with Signature - OS-WINDOWS Multiple Products excessive HTTP 304 Not Modified responses exploit attempt
From: Irish Settingg <irishsetting () gmail com>
Date: Sat, 14 Mar 2015 21:41:27 +0530
The signature - OS-WINDOWS Multiple Products excessive HTTP 304 Not Modified responses exploit attempt seems to be triggering false alerts in our environment. Rule - alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"OS-WINDOWS Multiple Products excessive HTTP 304 Not Modified responses exploit attempt"; flow:to_client,established,only_stream; content:"HTTP/1.1 304 Not Modified"; fast_pattern:only; detection_filter:track by_dst, count 44, seconds 4; metadata:service http; reference:cve,2007-0947; reference:cve,2007-6239; reference:url, technet.microsoft.com/en-us/security/bulletin/ms07-027; classtype:misc-activity; sid:16008; rev:14; ) As per the rule the alert is getting triggered correctly. As per the references it is a vulnerability with IE6 and 7. but when it comes to the server, I think IE does not handle the HTTP request, it is HTTP.sys object in IIS that should handle the request and respond with the Status code. However as per the packet is concerned, 304 response messages are sent from the internal Server towards external Client machines. IE6 or 7 is ideally on the Client machine who handles the 304 response and updates the cache. So the 304 exploit should be aimed towards the Client machine. Hence this shows that the Rule should have been- $EXTERNAL_NET $ HTTP_PORTS -> $HOME_NET any Please suggest if you think there is any impact on Web servers when sending multiple 304 Not Modified responses. If there is any impact on a webserver while sending responses, reference - *reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027 <http://technet.microsoft.com/en-us/security/bulletin/ms07-027>* needs to be removed from the rule.
------------------------------------------------------------------------------ Dive into the World of Parallel Programming The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Need help with Signature - OS-WINDOWS Multiple Products excessive HTTP 304 Not Modified responses exploit attempt Irish Settingg (Mar 14)