RE: [Snort-sigs] Lotus Notes .exe script source download attempt

000 : 47 45 54 20 2F 69 65 78 70 6C 6F 72 65 2E 65 78   GET /iexplore.ex
010 : 65 2E 63 6F 6E 66 69 67 20 48 54 54 50 2F 31 2E   e.config HTTP/1.
020 : 31 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A   1..Accept: */*..
030 : 41 63 63 65 70 74 2D 45 6E 63 6F 64 69 6E 67 3A   Accept-Encoding:
040 : 20 67 7A 69 70 2C 20 64 65 66 6C 61 74 65 0D 0A    gzip, deflate..
050 : 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69   User-Agent: Mozi
060 : 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69   lla/4.0 (compati
070 : 62 6C 65 3B 20 4D 53 49 45 20 36 2E 30 3B 20 57   ble; MSIE 6.0; W
080 : 69 6E 64 6F 77 73 20 4E 54 20 35 2E 31 3B 20 53   indows NT 5.1; S
090 : 56 31 3B 20 2E 4E 45 54 20 43 4C 52 20 31 2E 31   V1; .NET CLR 1.1
0a0 : 2E 34 33 32 32 29 0D 0A 48 6F 73 74 3A 20 73 75   .4322)..Host: su
0b0 : 70 70 6F 72 74 2E 75 6E 69 74 65 64 2D 73 79 73   pport.united-sys
0c0 : 74 65 6D 73 2E 63 6F 6D 0D 0A 43 6F 6E 6E 65 63   tems.com..Connec
0d0 : 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65   tion: Keep-Alive
0e0 : 0D 0A 0D 0A                                       ....

Drew Burchett
United Systems & Software
http://www.united-systems.com
Phone:  (270)527-3293
Fax:     (270)527-3132


> -----Original Message-----
> From: snort-sigs-admin@lists.sourceforge.net [mailto:snort-sigs-
> admin@lists.sourceforge.net] On Behalf Of Joel Esler
> Sent: Thursday, May 18, 2006 2:29 PM
> To: Drew Burchett
> Cc: snort-sigs@lists.sourceforge.net
> Subject: Re: [Snort-sigs] Lotus Notes .exe script source download
attempt
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Drew,
>
> Is it possible you could could provide a pcap of the traffic you are
> seeing?
>
> Joel
>
> On May 18, 2006, at 3:03 PM, Drew Burchett wrote:
>
> > web-misc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS
> > (msg:"WEB-MISC Lotus Notes .exe script source download attempt";
> > flow:to_server,established; uricontent:".exe"; content:".exe";
> > content:"."; within:1; reference:bugtraq,6841; classtype:web-
> > application-attack; sid:2067; rev:4;)
> >
> >
> >
> > I noticed that this rule was being hit quite a bit on my network
> > lately and decided to look a bit closer since I'm not running any
> > Domino servers and I had a hard time believing I was getting probed
> > that often for that particular vulnerability.  Turns out that the
> > rule is generating a false positive due to the way some new .Net
> > generated ActiveX controls interact with Internet Explorer.  When
> > the ActiveX control is downloaded, IE requests the file
> > iexplore.exe.config from the web server.  This, of course, sets off
> > the Lotus rule, which just looks for .exe in the uricontent and in
> > the content.
> >
> >
> >
> > My solution was to write a pass rule in local.rules to allow
> > iexplore.exe.config, but I'd suggest as a permanent fix maybe
> > adding uricontent:[!]"iexplore.exe.config" to the rule.
> >
> >
> >
> > Drew Burchett
> >
> > United Systems & Software
> >
> > http://www.united-systems.com
> >
> > Phone:  (270)527-3293
> >
> > Fax:     (270)527-3132
> >
> >
> >
> >
> > --
> > CONFIDENTIALITY NOTICE: This e-mail message, including any
> > attachments, is for the sole use of the intended recipient(s) and
> > may contain confidential and privileged information. Any
> > unauthorized review, use, disclosure or distribution is prohibited.
> > If you are not the intended recipient, please contact the sender by
> > reply e-mail and destroy all copies of the original message.
> >
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
>
> - --Joel
> joel.esler@sourcefire.com
> http://demo.sourcefire.com/jesler.pgp.key
>
>
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (Darwin)
>
> iD8DBQFEbMr6KbCSyXHckt4RAkv/AJwLDklNCgWoZhGNRQrin4xiumnQOgCfRAwp
> 6IvV7CDjHvI8GI5LfI326EQ=
> =qqI2
> -----END PGP SIGNATURE-----
>
>
> -------------------------------------------------------
> Using Tomcat but need to do more? Need to support web services,
security?
> Get stuff done quickly with pre-integrated technology to make your job
> easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache
Geronimo
> http://sel.as-us.falkag.net/sel?cmd=k&kid0709&bid&3057&dat1642
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs


--
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for 
the sole use of the intended recipient(s) and may contain confidential and 
privileged information. Any unauthorized review, use, disclosure or 
distribution is prohibited. If you are not the intended recipient, please 
contact the sender by reply e-mail and destroy all copies of the original 
message.

-- 
This message has been scanned for viruses and dangerous content by MailScanner 
and is believed to be clean.



-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs