web-misc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS
(msg:"WEB-MISC Lotus Notes .exe script source download attempt";
flow:to_server,established; uricontent:".exe"; content:".exe";
content:"."; within:1; reference:bugtraq,6841;
classtype:web-application-attack; sid:2067; rev:4;)
I noticed that this rule was being hit quite a bit on my network lately
and decided to look a bit closer since I'm not running any Domino
servers and I had a hard time believing I was getting probed that often
for that particular vulnerability. Turns out that the rule is
generating a false positive due to the way some new .Net generated
ActiveX controls interact with Internet Explorer. When the ActiveX
control is downloaded, IE requests the file iexplore.exe.config from the
web server. This, of course, sets off the Lotus rule, which just looks
for .exe in the uricontent and in the content.
My solution was to write a pass rule in local.rules to allow
iexplore.exe.config, but I'd suggest as a permanent fix maybe adding
uricontent:[!]"iexplore.exe.config" to the rule.
Drew Burchett
United Systems & Software
http://www.united-systems.com
Phone: (270)527-3293
Fax: (270)527-3132
--
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for
the sole use of the intended recipient(s) and may contain confidential and
privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
message.
--
This message has been scanned for viruses and dangerous content by MailScanner
and is believed to be clean.
