Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 2 subscribers
  • Views 2093 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[2066] A WEB-MISC Lotus Notes .pl script source...

WaMaR
 I have many Intrusion Protection Events - SID  2066  (WEB-MISC Lotus Notes .pl script source download attempt) from my LAN to PROXY and I think that probably they are false. How can I check this? 


Intrusion Protection System:
2004:05:22-13:31:38 (none) snort[982]: [1:2066:0] A WEB-MISC Lotus Notes .pl script source download attempt [Classification: Web Application Attack] [Priority: 1]:  {PROTO006} 192.168.0.xxx:1111 -> 192.168.0.A:8080
2004:05:22-13:31:38 (none) snort[982]: [1:2066:0] A WEB-MISC Lotus Notes .pl script source download attempt [Classification: Web Application Attack] [Priority: 1]:  {PROTO006} 192.168.0.xxx:1105 -> 192.168.0.A:8080
2004:05:22-13:31:38 (none) snort[982]: [1:2066:0] A WEB-MISC Lotus Notes .pl script source download attempt [Classification: Web Application Attack] [Priority: 1]:  {PROTO006} 192.168.0.xxx:1106 -> 192.168.0.A:8080


HTTP accessed sites:
2004:05:22-13:31:38 (none) squid_access[1298]: 1085225498.220 886 192.168.0.xxx TCP_MISS/302 531 GET http://www.onet.pl/443 - DIRECT/213.180.130.200 text/html
2004:05:22-13:31:38 (none) squid_access[1298]: 1085225498.562 28 192.168.0.xxx TCP_IMS_HIT/304 223 GET http://info.onet.pl/_g/ad/z.gif - NONE/- image/gif
2004:05:22-13:31:38 (none) squid_access[1298]: 1085225498.664 442 192.168.0.xxx TCP_MISS/200 33006 GET http://info.onet.pl/924362,11,item.html - DIRECT/213.180.130.202 text/html
2004:05:22-13:31:38 (none) squid_access[1298]: 1085225498.850 270 192.168.0.xxx TCP_MISS/200 165 GET http://ad.pl.doubleclick.net/adj/N2974.onet.cr.starlink/B1363797;abr=!ie;sz=750x100;ord=6183575114786897000? - DIRECT/194.237.107.154 application/x-javascript
2004:05:22-13:31:38 (none) squid_access[1298]: 1085225498.886 307 192.168.0.xxx TCP_MISS/200 3241 GET http://ad.pl.doubleclick.net/adi/N2974.onet.cr.starlink/B1363797;sz=750x100;ord=6183575114786897000? - DIRECT/194.237.107.154 text/html


This thread was automatically locked due to age.
Parents
  • 0
    Google for the rule and check to see if flase positives occour.

    http://www.snort.org/snort-db/sid.html?id=2066

    This apperas to say that there are no know flase positives but i would still hunt around. 

    You can also run a  traffic sniffer and see what the contents of the traffic actually is, which might give you a better clue about what is causing the rule to be tripped.
  • 0 in reply to Manctastic
    Signature:      alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .pl script source download attempt"; flow:to_server,established; uricontent:".pl"; content:".pl"; content:"."; within:1; classtype:web-application-attack; sid:2066; rev:2[;)]   

    I understand that alert occurs when URL includes ".pl", but all polish domains have .pl in URL

    So, I fear that it false alarms.
Reply
  • 0 in reply to Manctastic
    Signature:      alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .pl script source download attempt"; flow:to_server,established; uricontent:".pl"; content:".pl"; content:"."; within:1; classtype:web-application-attack; sid:2066; rev:2[;)]   

    I understand that alert occurs when URL includes ".pl", but all polish domains have .pl in URL

    So, I fear that it false alarms.
Children
No Data