Re: Need help with Signature - OS-WINDOWS Multiple Products excessive HTTP 304 Not Modified responses exploit attempt

[James Lay <jlay () slave-tothe-box net>]

On Sat, 2015-03-21 at 01:44 +0530, Irish Settingg wrote:
> Anyone who could help me on this... My environment is receiving a lot
> of such alerts... Should I be concerned on this. When logs were
> checked Normal 304 connections were observed.
>
>
>
> Changing the flow variable- would that be a good idea $EXTERNAL_NET $
> HTTP_PORTS -> $HOME_NET any... 
>
>
>
> Or should I think of changing the part - detection_filter:track
> by_dst, count 44, seconds 4 to a better number ... as my servers are
> easily handling the 304 responses...
>
>
>
> On 14 March 2015 at 21:41, Irish Settingg <irishsetting () gmail com>
> wrote:
>
>         The signature - OS-WINDOWS Multiple Products excessive HTTP
>         304 Not Modified responses exploit attempt seems to be
>         triggering false alerts in our environment.
>         
>         
>         
>         Rule -  
>         
>         alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any
>         (msg:"OS-WINDOWS Multiple Products excessive HTTP 304 Not
>         Modified responses exploit attempt";
>         flow:to_client,established,only_stream; content:"HTTP/1.1 304
>         Not Modified"; fast_pattern:only; detection_filter:track
>         by_dst, count 44, seconds 4; metadata:service http;
>         reference:cve,2007-0947; reference:cve,2007-6239;
>         reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027; classtype:misc-activity; sid:16008; 
> rev:14; )
>         As per the rule the alert is getting triggered correctly. 
>         
>         
>         As per the references it is a vulnerability with IE6 and 7.
>         but when it comes to the server, I think IE does not handle
>         the HTTP request, it is HTTP.sys object in IIS that should
>         handle the request and respond with the Status code.
>         
>         However as per the packet is concerned, 304 response messages
>         are sent from the internal Server towards external Client
>         machines. IE6 or 7 is ideally on the Client machine who
>         handles the 304 response and updates the cache. So the 304
>         exploit should be aimed towards the Client machine. Hence this
>         shows that the Rule should have been- 
>         
>         $EXTERNAL_NET $ HTTP_PORTS -> $HOME_NET any
>         
>         
>         Please suggest if you think there is any impact on Web servers
>         when sending multiple 304 Not Modified responses. If there is
>         any impact on a webserver while sending responses, reference -
>         reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027 needs to be removed from the rule.
>         
>
>
>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming The Go Parallel Website, sponsored
> by Intel and developed in partnership with Slashdot Media, is your hub for all
> things parallel software development, from weekly thought leadership blogs to
> news, videos, case studies, tutorials and more. Take a look and join the 
> conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!


Please provide a packet capture if possible.

James

------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!