05-27-2004 05:14 AM - edited 03-09-2019 07:32 AM
I have some PCs in our network that trigger an event for HTTP Tunnelling SubSig 2 (id 5188)
Subsig 2 should trigger when a connection is made to exectech-va.com. The site runs a server, which connects to the requested resource and passes the information back to the client, on web ports.
How does the exploit work and what client is installed at the attackers PC in order to trigger this event?
Is this sub-signature still valid?
05-27-2004 05:32 AM
Looks like all it does is check the Host field of the site being connected to
(from the signature itself)
Host[:][ \t]+photo[.]exectech[-]va[.]com
is the regex it checks in the Header.
Never seen it myself, but it would certainly warrant a sniff.
Sounds like it was a signature created for just a specific case. It also looks to be a very old signature since the SigVersion says S12 (before my time).
05-27-2004 02:32 PM
I did some further investigation and found a thread that correlates what I have seen.
For those interested, the URL is
http://www.derkeiler.com/Mailing-Lists/securityfocus/security-basics/2002-07/0550.html
And
Comments are welcome,
05-27-2004 02:33 PM
Actually, the signature is looking for the host 'photo.exectech-va.com'. The tool being referred to for this subsig is HTTPort and HTTHost, available at:
Since this signature was written so long ago, I cannot be 100% sure as to why this host was chosen, but the host in question is no longer available. I would need to see some traffic samples to be certain if this was truly malicious. Perhaps someone is experimenting with these tools. From what I can gather, the host 'photo.exectech-va.com' was one of the private proxies used by this tool.
05-27-2004 03:53 PM
On further research, it appears the tool is using a new host 'photo.technetva.com' as its proxy. Requests will look like:
GET /...
Host: photo.technetva.com
Perhaps someone is attempting to use an older version of the software with the old server 'photo.exectech-va.com' set as the proxy. If the traffic in the alarm resembles the pattern above, then someone is using the HTTPort tool and it is firing as intended. Otherwise, it's a pretty random occurrence that we'd need to see the traffic for.
05-27-2004 11:00 PM
Marco,
This signature is part of the default installation of 4.1-3s61 and has a severity of high. I need to understand why the signature has this severity.
Since the proxy site is no longer available, I guess that the tool would have failed this connection. As you have already mentioned, without traffic capture it would be difficult to say but it could have been used to connect to a private HTTHost proxy.
1. Is it worth pursuing?
2. Are there any Cisco plans to have new signatures implemented that would generically capture similar attempts to other public/private proxy sites such as the one that you have mentioned (Host: photo.technetva.com)?
06-02-2004 10:38 AM
OK, there was some confusion on my part. The HTTPort tool embeds the hostname 'photo.technetva.com' in the 'Host:' field of the HTTP request regardless of what server is actually being used. There is a list of available servers in the HTTPort FAQ. So, this makes a good generic marker to detect the usage of this tool. I am going to add the 'photo.technetva.com' host name to the regex for 5188.2 to detect the old and new versions of the tool. So, the bottom line is that the hostname is merely a hardcoded feature of the HTTPort tool. It can use other servers, so it is important to monitor activity of this signature if it is against your network policy to allow such a tool. This is potentially a serious threat, so we plan to leave the alarm as a severity of high.
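The following is an added example, not code from the thread or from Cisco, showing what the 5188.2 check amounts to when run over HTTP request headers. It reuses the regex quoted above unchanged (Cisco's bracketed literals are valid Python regex syntax), then adds an assumed extended pattern that also matches the newer hardcoded host named in the last post, which is my guess at the planned update and not the real updated signature. The sample requests are constructed, not captured traffic. Two caveats a practitioner would want to see are exercised: the signature only inspects the header block, and, as quoted, it only matches a capital-H "Host" header name even though HTTP header names are case-insensitive.

```python
import re

# Regex quoted from signature 5188.2 in the thread. [.], [-] and [:] are
# bracket literals in Cisco's syntax and in Python's, so it is used verbatim.
SIG_5188_2_ORIGINAL = re.compile(rb"Host[:][ \t]+photo[.]exectech[-]va[.]com")

# Assumed extension (NOT Cisco's actual updated signature): also fire on the
# newer hardcoded HTTPort host discussed in the last post.
SIG_5188_2_EXTENDED = re.compile(
    rb"Host[:][ \t]+photo[.](?:exectech[-]va|technetva)[.]com"
)

# Same pattern, tolerant of header-name casing. HTTP header names are
# case-insensitive, so a client sending "host:" would slip past the
# case-sensitive pattern quoted in the thread.
SIG_5188_2_NOCASE = re.compile(
    rb"Host[:][ \t]+photo[.](?:exectech[-]va|technetva)[.]com", re.IGNORECASE
)


def tunnel_host_hit(request: bytes, pattern: re.Pattern = SIG_5188_2_EXTENDED):
    """Return the matched 'Host: ...' text that fired, or None.

    Only the header block (everything before the first blank line) is
    inspected, so the same string inside a POST body does not fire.
    """
    headers, _, _ = request.partition(b"\r\n\r\n")
    m = pattern.search(headers)
    return m.group(0) if m else None


# Constructed sample requests (hypothetical, not captured traffic).
SAMPLES = {
    "old_httport": (b"GET /data HTTP/1.1\r\n"
                    b"Host: photo.exectech-va.com\r\n"
                    b"User-Agent: Mozilla/4.0\r\n\r\n"),
    "new_httport": (b"GET /data HTTP/1.1\r\n"
                    b"Host: photo.technetva.com\r\n\r\n"),
    "lowercase_host": (b"GET /data HTTP/1.1\r\n"
                       b"host: photo.technetva.com\r\n\r\n"),
    "benign": (b"GET /index.html HTTP/1.1\r\n"
               b"Host: www.example.com\r\n\r\n"),
    "host_in_body": (b"POST /upload HTTP/1.1\r\n"
                     b"Host: www.example.com\r\n"
                     b"Content-Length: 27\r\n\r\n"
                     b"Host: photo.technetva.com\r\n"),
}


def scan(samples=SAMPLES, pattern: re.Pattern = SIG_5188_2_EXTENDED):
    """Map each sample name to True if the pattern fires on that request."""
    return {name: tunnel_host_hit(req, pattern) is not None
            for name, req in samples.items()}


if __name__ == "__main__":
    for label, pat in (("original", SIG_5188_2_ORIGINAL),
                       ("extended", SIG_5188_2_EXTENDED),
                       ("nocase", SIG_5188_2_NOCASE)):
        print(label, scan(pattern=pat))
```

Run against the constructed samples, the original pattern fires only on the old hostname, the extended pattern on both, and only the case-insensitive variant catches a lowercase "host:" header; the body-only sample never fires. This is consistent with the thread's reading of the signature as a simple Host-header string match, and it is also why a Host-header marker is only as good as the tool's habit of hardcoding it.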