Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-sigs] Lotus Notes .exe script source download attempt

from [Joel Esler] Network Security [Permanent Link]
Subject: Re: [Snort-sigs] Lotus Notes .exe script source download attempt
Date: Thu, 18 May 2006 15:28:56 -0400 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Drew,

Is it possible you could could provide a pcap of the traffic you are seeing?

Joel

On May 18, 2006, at 3:03 PM, Drew Burchett wrote:

web-misc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .exe script source download attempt"; flow:to_server,established; uricontent:".exe"; content:".exe"; content:"."; within:1; reference:bugtraq,6841; classtype:web- application-attack; sid:2067; rev:4;)



I noticed that this rule was being hit quite a bit on my network lately and decided to look a bit closer since I’m not running any Domino servers and I had a hard time believing I was getting probed that often for that particular vulnerability. Turns out that the rule is generating a false positive due to the way some new .Net generated ActiveX controls interact with Internet Explorer. When the ActiveX control is downloaded, IE requests the file iexplore.exe.config from the web server. This, of course, sets off the Lotus rule, which just looks for .exe in the uricontent and in the content.



My solution was to write a pass rule in local.rules to allow iexplore.exe.config, but I’d suggest as a permanent fix maybe adding uricontent:[!]”iexplore.exe.config” to the rule.



Drew Burchett

United Systems & Software

http://www.united-systems.com

Phone:  (270)527-3293

Fax:     (270)527-3132




--
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


- --Joel
joel.esler@sourcefire.com
http://demo.sourcefire.com/jesler.pgp.key





-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFEbMr6KbCSyXHckt4RAkv/AJwLDklNCgWoZhGNRQrin4xiumnQOgCfRAwp
6IvV7CDjHvI8GI5LfI326EQ=
=qqI2
-----END PGP SIGNATURE-----


-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] Lotus Notes .exe script source download attempt, Drew Burchett
Next by Date:  RE: [Snort-sigs] Lotus Notes .exe script source download attempt, Drew Burchett
Previous by Thread:  [Snort-sigs] Lotus Notes .exe script source download attempt, Drew Burchett
Next by Thread:  RE: [Snort-sigs] Lotus Notes .exe script source download attempt, Drew Burchett
Indexes:  [Date] [Thread] [Top] [All Lists]