Snort mailing list archives
Re: Need help with Signature - OS-WINDOWS Multiple Products excessive HTTP 304 Not Modified responses exploit attempt
From: Irish Settingg <irishsetting () gmail com>
Date: Sat, 21 Mar 2015 01:44:25 +0530
Anyone who could help me on this... My environment is receiving a lot of such alerts... Should I be concerned on this. When logs were checked Normal 304 connections were observed. Changing the flow variable- would that be a good idea $EXTERNAL_NET $ HTTP_PORTS -> $HOME_NET any... Or should I think of changing the part - detection_filter:track by_dst, count 44, seconds 4 to a better number ... as my servers are easily handling the 304 responses... On 14 March 2015 at 21:41, Irish Settingg <irishsetting () gmail com> wrote:
The signature - OS-WINDOWS Multiple Products excessive HTTP 304 Not Modified responses exploit attempt seems to be triggering false alerts in our environment. Rule - alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"OS-WINDOWS Multiple Products excessive HTTP 304 Not Modified responses exploit attempt"; flow:to_client,established,only_stream; content:"HTTP/1.1 304 Not Modified"; fast_pattern:only; detection_filter:track by_dst, count 44, seconds 4; metadata:service http; reference:cve,2007-0947; reference:cve,2007-6239; reference:url, technet.microsoft.com/en-us/security/bulletin/ms07-027; classtype:misc-activity; sid:16008; rev:14; ) As per the rule the alert is getting triggered correctly. As per the references it is a vulnerability with IE6 and 7. but when it comes to the server, I think IE does not handle the HTTP request, it is HTTP.sys object in IIS that should handle the request and respond with the Status code. However as per the packet is concerned, 304 response messages are sent from the internal Server towards external Client machines. IE6 or 7 is ideally on the Client machine who handles the 304 response and updates the cache. So the 304 exploit should be aimed towards the Client machine. Hence this shows that the Rule should have been- $EXTERNAL_NET $ HTTP_PORTS -> $HOME_NET any Please suggest if you think there is any impact on Web servers when sending multiple 304 Not Modified responses. If there is any impact on a webserver while sending responses, reference - *reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027 <http://technet.microsoft.com/en-us/security/bulletin/ms07-027>* needs to be removed from the rule.
------------------------------------------------------------------------------ Dive into the World of Parallel Programming The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Need help with Signature - OS-WINDOWS Multiple Products excessive HTTP 304 Not Modified responses exploit attempt Irish Settingg (Mar 14)
- Re: Need help with Signature - OS-WINDOWS Multiple Products excessive HTTP 304 Not Modified responses exploit attempt Irish Settingg (Mar 20)