This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[2066] A WEB-MISC Lotus Notes .pl script source...

I have many Intrusion Protection Events - SID  2066  (WEB-MISC Lotus Notes .pl script source download attempt) from my LAN to PROXY and I think that probably they are false. How can I check this?

Intrusion Protection System:
2004:05:22-13:31:38 (none) snort[982]: [1:2066:0] A WEB-MISC Lotus Notes .pl script source download attempt [Classification: Web Application Attack] [Priority: 1]:  {PROTO006} 192.168.0.xxx:1111 -> 192.168.0.A:8080
2004:05:22-13:31:38 (none) snort[982]: [1:2066:0] A WEB-MISC Lotus Notes .pl script source download attempt [Classification: Web Application Attack] [Priority: 1]:  {PROTO006} 192.168.0.xxx:1105 -> 192.168.0.A:8080
2004:05:22-13:31:38 (none) snort[982]: [1:2066:0] A WEB-MISC Lotus Notes .pl script source download attempt [Classification: Web Application Attack] [Priority: 1]:  {PROTO006} 192.168.0.xxx:1106 -> 192.168.0.A:8080

HTTP accessed sites:
2004:05:22-13:31:38 (none) squid_access[1298]: 1085225498.220 886 192.168.0.xxx TCP_MISS/302 531 GET http://www.onet.pl/443 - DIRECT/213.180.130.200 text/html
2004:05:22-13:31:38 (none) squid_access[1298]: 1085225498.562 28 192.168.0.xxx TCP_IMS_HIT/304 223 GET http://info.onet.pl/_g/ad/z.gif - NONE/- image/gif
2004:05:22-13:31:38 (none) squid_access[1298]: 1085225498.664 442 192.168.0.xxx TCP_MISS/200 33006 GET http://info.onet.pl/924362,11,item.html - DIRECT/213.180.130.202 text/html
2004:05:22-13:31:38 (none) squid_access[1298]: 1085225498.850 270 192.168.0.xxx TCP_MISS/200 165 GET http://ad.pl.doubleclick.net/adj/N2974.onet.cr.starlink/B1363797;abr=!ie;sz=750x100;ord=6183575114786897000? - DIRECT/194.237.107.154 application/x-javascript
2004:05:22-13:31:38 (none) squid_access[1298]: 1085225498.886 307 192.168.0.xxx TCP_MISS/200 3241 GET http://ad.pl.doubleclick.net/adi/N2974.onet.cr.starlink/B1363797;sz=750x100;ord=6183575114786897000? - DIRECT/194.237.107.154 text/html

This thread was automatically locked due to age.

Parents

0 Manctastic over 21 years ago

Google for the rule and check to see if flase positives occour.

http://www.snort.org/snort-db/sid.html?id=2066

This apperas to say that there are no know flase positives but i would still hunt around.

You can also run a traffic sniffer and see what the contents of the traffic actually is, which might give you a better clue about what is causing the rule to be tripped.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Manctastic over 21 years ago

Google for the rule and check to see if flase positives occour.

http://www.snort.org/snort-db/sid.html?id=2066

This apperas to say that there are no know flase positives but i would still hunt around.

You can also run a traffic sniffer and see what the contents of the traffic actually is, which might give you a better clue about what is causing the rule to be tripped.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 WaMaR over 21 years ago in reply to Manctastic

Signature: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .pl script source download attempt"; flow:to_server,established; uricontent:".pl"; content:".pl"; content:"."; within:1; classtype:web-application-attack; sid:2066; rev:2[;)]

I understand that alert occurs when URL includes ".pl", but all polish domains have .pl in URL

So, I fear that it false alarms.
Cancel
Vote Up 0 Vote Down

Cancel