MS Annoyance . . . FYI

From: McCammon, Keith (Keith.McCammon@eadvancemed.com)
Date: 02/12/02


Date: Tue, 12 Feb 2002 09:33:42 -0500
From: "McCammon, Keith" <Keith.McCammon@eadvancemed.com>
To: <focus-ids@securityfocus.com>


[Probably belongs on focus-ms as well, but...]

Greetings All,

We've been noticing gradually increasing probes involving PROPFIND
requests matching against IDS475 in the most recent (oxymoron, I know)
vision.rules rules release (Snort 1.8.3). Some time ago, there was a
thread going around regarding these "probes," which usually contain a
specific username of a user on the target network. They look a little
something like this:

[**] IDS475/web-iis_web-webdav-propfind [**]
02/12-08:39:54.125796 65.114.145.2:45732 -> 151.200.109.71:80
TCP TTL:118 TOS:0x0 ID:24110 IpLen:20 DgmLen:269 DF
***AP*** Seq: 0x9C36F8F9 Ack: 0x7B5353E8 Win: 0x4000 TcpLen: 20
50 52 4F 50 46 49 4E 44 20 2F 69 6E 73 74 6D 73 PROPFIND /instms
67 2F 61 6C 69 61 73 65 73 2F 6B 65 6E 2E 68 75 g/aliases/joe.us
74 63 68 69 6E 73 20 48 54 54 50 2F 31 2E 31 0D erxxxx HTTP/1.1.
0A 44 65 70 74 68 3A 20 30 0D 0A 52 56 50 2D 4E .Depth: 0..RVP-N
6F 74 69 66 69 63 61 74 69 6F 6E 73 2D 56 65 72 otifications-Ver
73 69 6F 6E 3A 20 30 2E 32 0D 0A 48 6F 73 74 3A sion: 0.2..Host:
20 65 61 64 76 61 6E 63 65 6D 65 64 2E 63 6F 6D yourdomainx.com
0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 ..Content-Length
3A 20 31 35 39 0D 0A 43 6F 6E 74 65 6E 74 2D 54 : 159..Content-T
79 70 65 3A 20 74 65 78 74 2F 78 6D 6C 0D 0A 52 ype: text/xml..R
56 50 2D 46 72 6F 6D 2D 50 72 69 6E 63 69 70 61 VP-From-Principa
6C 3A 20 68 74 74 70 3A 2F 2F 69 6D 2E 69 6E 74 l: http://im.int
65 72 6E 6F 73 69 73 2E 63 6F 6D 2F 69 6E 73 74 xxxxxxx.com/inst
6D 73 67 2F 61 6C 69 61 73 65 73 2F 74 6B 79 6C msg/aliases/tkyl
65 0D 0A 0D 0A e....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IDS475/web-iis_web-webdav-propfind [**]
02/12-08:39:54.303447 65.114.145.2:45732 -> 151.200.109.71:80
TCP TTL:118 TOS:0x0 ID:24125 IpLen:20 DgmLen:199 DF
***AP*** Seq: 0x9C36F9DE Ack: 0x7B5353E8 Win: 0x4000 TcpLen: 20
3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 <?xml version="1
2E 30 22 3F 3E 0A 3C 64 3A 70 72 6F 70 66 69 6E .0"?>.<d:propfin
64 20 78 6D 6C 6E 73 3A 64 3D 27 44 41 56 3A 27 d xmlns:d='DAV:'
20 78 6D 6C 6E 73 3A 72 3D 27 68 74 74 70 3A 2F xmlns:r='http:/
2F 73 63 68 65 6D 61 73 2E 6D 69 63 72 6F 73 6F /schemas.microso
66 74 2E 63 6F 6D 2F 72 76 70 2F 27 3E 3C 64 3A ft.com/rvp/'><d:
70 72 6F 70 3E 3C 72 3A 73 74 61 74 65 2F 3E 3C prop><r:state/><
64 3A 64 69 73 70 6C 61 79 6E 61 6D 65 2F 3E 3C d:displayname/><
72 3A 65 6D 61 69 6C 2F 3E 3C 2F 64 3A 70 72 6F r:email/></d:pro
70 3E 3C 2F 64 3A 70 72 6F 70 66 69 6E 64 3E p></d:propfind>

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Anyway, I finally got fed up when a single "attacking" IP started
triggering this alert on a pretty much constant basis, so I contacted
them by phone. The gentleman was kind enough to look into the issue,
opened a support call with MS, and we have our explanation. In his own
words:

"The problem revolves around a "feature" of Outlook XP (2002) according to
Microsoft. Outlook XP is IM aware and as such it attempts to determine
the IM status of anyone that an individual corresponds with within
Outlook, whether or not the Outlook user has the external user set up
with an IM address. This also occurs even if the addressee in the email
is not of the sender's organization. I have got to just love these
"features". However, with the latest patch this "feature" is turned
off. I have rolled out the patch to the users that were involved
with your system."

Just FYI, so no one else is left guessing until 1) the patch is publicly
announced, or 2) some lame reporter gets hold of this and turns it into
the latest "MS vs. Your Privacy" feeding frenzy.

Cheers!

Keith
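As an added example (not part of Keith's post, and not Microsoft's or Snort's code), the following Python classifier distinguishes the Outlook 2002 / MSN Messenger RVP presence probe described above from other WebDAV PROPFIND traffic that IDS475 would also fire on. The markers it checks (RVP-Notifications-Version and RVP-From-Principal headers, an /instmsg/aliases/<user> path, Depth: 0, and a DAV: propfind body referencing the schemas.microsoft.com/rvp/ namespace) are taken from the fields visible in the capture above, not from a protocol specification, so treat them as an assumption about this particular probe. The sample requests are constructed: the first reassembles the two packets in the alert, keeping the anonymised names as the post shows them; the second is an invented generic PROPFIND used as a contrast.

```python
"""
Classify WebDAV PROPFIND requests seen on port 80 as RVP (Rendezvous
Protocol) presence probes, which is what Outlook 2002 / MSN Messenger
emit when looking up a correspondent's IM status, versus other PROPFINDs
that still deserve an analyst's attention.

Added example; not code from the original post. The RVP markers below are
an assumption derived from the capture in the post, not from a spec.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Namespace the probe's XML body binds to prefix r: (seen in the capture).
RVP_NS = "http://schemas.microsoft.com/rvp/"
# Assumed shape of the probe path: /instmsg/aliases/<username>
RVP_PATH_RE = re.compile(r"^/instmsg/aliases/[^/\s]+$", re.IGNORECASE)


@dataclass
class PropfindVerdict:
    is_propfind: bool
    is_rvp_probe: bool
    target_alias: Optional[str] = None    # local username being looked up
    from_principal: Optional[str] = None  # who is asking (RVP-From-Principal)
    reasons: list = field(default_factory=list)  # why it is NOT the probe


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body).

    Header names are lower-cased; the body is returned as bytes. Accepts
    CRLF or bare LF header/body separators and a missing body.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        head, sep, body = raw.partition(b"\n\n")
    lines = head.decode("latin-1").splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def classify_propfind(raw: bytes) -> PropfindVerdict:
    """Return the benign RVP-probe verdict only if every marker is present.

    Anything else (deep PROPFINDs, other paths, other bodies) stays flagged,
    so tuning an IDS on this verdict does not blind it to real WebDAV abuse.
    """
    method, path, headers, body = parse_http_request(raw)
    verdict = PropfindVerdict(is_propfind=(method.upper() == "PROPFIND"),
                              is_rvp_probe=False)
    if not verdict.is_propfind:
        verdict.reasons.append(f"method is {method}, not PROPFIND")
        return verdict

    checks = {
        "rvp version header": "rvp-notifications-version" in headers,
        "rvp principal header": "rvp-from-principal" in headers,
        "instmsg alias path": bool(RVP_PATH_RE.match(path)),
        "depth 0": headers.get("depth") == "0",
        "rvp xml body": RVP_NS.encode() in body and b"<d:propfind" in body,
    }
    for name, ok in checks.items():
        if not ok:
            verdict.reasons.append(f"missing {name}")
    verdict.is_rvp_probe = all(checks.values())
    if verdict.is_rvp_probe:
        verdict.target_alias = path.rsplit("/", 1)[-1]
        verdict.from_principal = headers.get("rvp-from-principal")
    return verdict


# Constructed from the alert in the post: request line and headers of the
# first packet, followed by the 159-byte XML body carried in the second.
SAMPLE_RVP_PROBE = (
    b"PROPFIND /instmsg/aliases/joe.userxxxx HTTP/1.1\r\n"
    b"Depth: 0\r\n"
    b"RVP-Notifications-Version: 0.2\r\n"
    b"Host: yourdomainx.com\r\n"
    b"Content-Length: 159\r\n"
    b"Content-Type: text/xml\r\n"
    b"RVP-From-Principal: http://im.intxxxxxxx.com/instmsg/aliases/tkyle\r\n"
    b"\r\n"
    b'<?xml version="1.0"?>\n'
    b"<d:propfind xmlns:d='DAV:' xmlns:r='http://schemas.microsoft.com/rvp/'>"
    b"<d:prop><r:state/><d:displayname/><r:email/></d:prop></d:propfind>"
)

# Invented contrast case: a recursive PROPFIND against the web root, which
# is the kind of request the IDS475 signature should keep surfacing.
SAMPLE_GENERIC_PROPFIND = (
    b"PROPFIND / HTTP/1.1\r\n"
    b"Host: yourdomainx.com\r\n"
    b"Depth: infinity\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_RVP_PROBE, SAMPLE_GENERIC_PROPFIND):
        print(classify_propfind(sample))
```

Because the verdict requires all markers at once, a PROPFIND that merely borrows the /instmsg/aliases/ path, or one that carries RVP headers with a different body or a non-zero Depth, is still reported with the specific missing markers, which is what you want before suppressing IDS475 for a given source.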
