Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] The rule 1054 fires up false positives!

from [Victor Meghesan] Network Security [Permanent Link]
Subject: [Snort-sigs] The rule 1054 fires up false positives!
Date: Mon, 15 Nov 2004 06:28:53 -0800 (PST) 
Rule:  WEB-MISC weblogic/tomcat .jsp view source
attempt

--
Sid: 1054

--
Summary: The rule fires up with false positives

--
Impact: Cry wolf in vain.

--
Detailed Information: It doesn't check if a % is
present in the request.

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:

Something like this matches the (actual) rule content
search:

GET /l/o.jsp HTTP/1.0
Host: xxx.xxx.xxx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0;
en-US; rv:1.4) Gecko/200306
24
Accept:
application/x-shockwave-flash,text/xml,application/xml,application/xhtml
+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif
;q=0.2,*/*;q=0.1
Accept-Language: ro,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: UTF-8,*
Keep-Alive: 300
Referer: http://xxx.xxx.xxx/l/l.jsp
Cookie: JSESSIONID=xxxftr3hkVd-33
Via: 1.1 yyy.yyy.yyy:8000 (squid/2.5.STABLE4)
X-Forwarded-For: unknown
Cache-Control: max-age=259200
Connection: keep-alive


--
False Negatives:

--
Corrective Action:

--
Contributors:

-- 
Additional References:

Google for: "WEB-MISC weblogic/tomcat .jsp view source
attempt"  "false positives"

-- Victor


                
__________________________________ 
Do you Yahoo!? 
Check out the new Yahoo! Front Page. 
www.yahoo.com 
 



-------------------------------------------------------
This SF.Net email is sponsored by: InterSystems CACHE
FREE OODBMS DOWNLOAD - A multidimensional database that combines
robust object and relational technologies, making it a perfect match
for Java, C++,COM, XML, ODBC and JDBC. www.intersystems.com/match8
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] False Positive on rule ID 1365 (WEB-ATTACKS rm command attempt), McKenzie, Omar
Next by Date:  [Snort-sigs] False Negative Submission, Matthew K. Lee
Previous by Thread:  [Snort-sigs] False Positive on rule ID 1365 (WEB-ATTACKS rm command attempt), McKenzie, Omar
Next by Thread:  Re: [Snort-sigs] The rule 1054 fires up false positives!, Matthew Watchinski
Indexes:  [Date] [Thread] [Top] [All Lists]