Subject: [Snort-sigs] Rule: WEB-MISC weblogic/tomcat .jsp view source attempt false pos
Date: Wed, 31 Aug 2005 11:13:47 -0500
# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  WEB-MISC weblogic/tomcat .jsp view source attempt 

--
Sid: 1054

--
Summary:

--
Impact:

--
Detailed Information:
HTTP URL-encoding of a '?' (%3F) is triggering this

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:
MLBaseball - capture below


[**] WEB-MISC weblogic/tomcat .jsp view source attempt [**]
08/26-09:02:14.064092 XXX.xxx.xxx.xxx:3004 -> 216.52.17.226:80
TCP TTL:128 TOS:0x0 ID:33645 IpLen:20 DgmLen:1420 DF
***A**** Seq: 0x9C072091  Ack: 0x184E9776  Win: 0xFFFF  TcpLen: 20
47 45 54 20 2F 62 2F 73 73 2F 6D 6C 62 67 6C 6F  GET /b/ss/mlbglo
62 61 6C 2C 6D 6C 62 61 74 6C 61 6E 74 61 2F 31  bal,mlbatlanta/1
2F 47 2E 35 2D 50 64 2D 52 2F 73 32 37 34 31 38  /G.5-Pd-R/s27418
30 35 36 30 39 37 32 32 33 3F 5B 41 51 42 5D 26  056097223?[AQB]&
6E 64 68 3D 31 26 74 3D 32 36 2F 37 2F 32 30 30  ndh=1&t=26/7/200
35 25 32 30 39 25 33 41 32 25 33 41 31 35 25 32  5%209%3A2%3A15%2
30 35 25 32 30 33 30 30 26 70 61 67 65 4E 61 6D  05%20300&pageNam
65 3D 73 63 68 65 64 75 6C 65 2F 69 6E 64 65 78  e=schedule/index
2E 6A 73 70 25 33 46 63 5F 69 64 25 33 44 61 74  .jsp%3Fc_id%3Dat
6C 25 32 36 6D 25 33 44 39 25 32 36 79 25 33 44  l%26m%3D9%26y%3D
32 30 30 35 26 63 68 3D 73 63 68 65 64 75 6C 65  2005&ch=schedule
26 63 31 3D 73 63 68 65 64 75 6C 65 5F 73 65 61  &c1=schedule_sea
73 6F 6E 5F 32 30 30 35 26 76 31 30 3D 32 38 31  son_2005&v10=281
33 30 39 38 30 32 31 31 31 38 37 37 36 31 32 36  3098021118776126
39 35 33 26 76 31 36 3D 6D 6C 62 26 63 32 31 3D  953&v16=mlb&c21=
32 38 31 33 30 39 38 30 32 31 31 31 38 37 37 36  2813098021118776
31 32 36 39 35 33 26 63 32 34 3D 6D 6C 62 67 6C  126953&c24=mlbgl
6F 62 61 6C 25 32 43 6D 6C 62 61 74 6C 61 6E 74  obal%2Cmlbatlant
61 26 67 3D 68 74 74 70 25 33 41 2F 2F 61 74 6C  a&g=http%3A//atl
61 6E 74 61 2E 62 72 61 76 65 73 2E 6D 6C 62 2E  anta.braves.mlb.
63 6F 6D 2F 4E 41 53 41 70 70 2F 6D 6C 62 2F 73  com/NASApp/mlb/s
63 68 65 64 75 6C 65 2F 69 6E 64 65 78 2E 6A 73  chedule/index.js
70 25 33 46 63 5F 69 64 25 33 44 61 74 6C 25 32  p%3Fc_id%3Datl%2
36 6D 25 33 44 39 25 32 36 79 25 33 44 32 30 30  6m%3D9%26y%3D200
35 26 72 3D 68 74 74 70 25 33 41 2F 2F 61 74 6C  5&r=http%3A//atl
61 6E 74 61 2E 62 72 61 76 65 73 2E 6D 6C 62 2E  anta.braves.mlb.
63 6F 6D 2F 4E 41 53 41 70 70 2F 6D 6C 62 2F 73  com/NASApp/mlb/s
63 68 65 64 75 6C 65 2F 69 6E 64 65 78 2E 6A 73  chedule/index.js
70 25 33 46 63 5F 69 64 25 33 44 61 74 6C 26 73  p%3Fc_id%3Datl&s
3D 31 32 38 30 78 31 30 32 34 26 63 3D 33 32 26  =1280x1024&c=32&
6A 3D 31 2E 33 26 76 3D 59 26 6B 3D 59 26 62 77  j=1.3&v=Y&k=Y&bw
3D 31 32 38 30 26 62 68 3D 38 32 32 26 70 3D 4D  =1280&bh=822&p=M
6F 7A 69 6C 6C 61 25 32 30 44 65 66 61 75 6C 74  ozilla%20Default
25 32 30 50 6C 75 67 2D 69 6E 25 33 42 53 68 6F  %20Plug-in%3BSho
63 6B 77 61 76 65 25 32 30 46 6C 61 73 68 25 33  ckwave%20Flash%3
42 41 64 6F 62 65 25 32 30 41 63 72 6F 62 61 74  BAdobe%20Acrobat
25 33 42 4D 69 63 72 6F 73 6F 66 74 25 32 30 4F  %3BMicrosoft%20O
66 66 69 63 65 25 32 30 32 30 30 33 25 33 42 4A  ffice%202003%3BJ
61 76 61 25 32 38 54 4D 25 32 39 25 32 30 32 25  ava%28TM%29%202%
32 30 50 6C 61 74 66 6F 72 6D 25 32 30 53 74 61  20Platform%20Sta
6E 64 61 72 64 25 32 30 45 64 69 74 69 6F 6E 25  ndard%20Edition%
32 30 35 2E 30 25 32 30 55 70 64 61 74 65 25 32  205.0%20Update%2
30 34 25 33 42 4D 69 63 72 6F 73 6F 66 74 25 41  04%3BMicrosoft%A
45 25 32 30 44 52 4D 25 33 42 57 69 6E 64 6F 77  E%20DRM%3BWindow
73 25 32 30 4D 65 64 69 61 25 32 30 50 6C 61 79  s%20Media%20Play
65 72 25 32 30 50 6C 75 67 2D 69 6E 25 32 30 44  er%20Plug-in%20D
79 6E 61 6D 69 63 25 32 30 4C 69 6E 6B 25 32 30  ynamic%20Link%20
4C 69 62 72 61 72 79 25 33 42 26 5B 41 51 45 5D  Library%3B&[AQE]
20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A   HTTP/1.1..Host:
20 6D 6C 62 67 6C 6F 62 61 6C 2E 31 31 32 2E 32   mlbglobal.112.2
6F 37 2E 6E 65 74 0D 0A 55 73 65 72 2D 41 67 65  o7.net..User-Age
6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20  nt: Mozilla/5.0
28 57 69 6E 64 6F 77 73 3B 20 55 3B 20 57 69 6E  (Windows; U; Win
64 6F 77 73 20 4E 54 20 35 2E 31 3B 20 65 6E 2D  dows NT 5.1; en-
55 53 3B 20 72 76 3A 31 2E 37 2E 31 30 29 20 47  US; rv:1.7.10) G
65 63 6B 6F 2F 32 30 30 35 30 37 31 36 20 46 69  ecko/20050716 Fi
72 65 66 6F 78 2F 31 2E 30 2E 36 0D 0A 41 63 63  refox/1.0.6..Acc
65 70 74 3A 20 69 6D 61 67 65 2F 70 6E 67 2C 2A  ept: image/png,*
2F 2A 3B 71 3D 30 2E 35 0D 0A 41 63 63 65 70 74  /*;q=0.5..Accept
2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 75 73  -Language: en-us
2C 65 6E 3B 71 3D 30 2E 35 0D 0A 41 63 63 65 70  ,en;q=0.5..Accep

[**] WEB-MISC weblogic/tomcat .jsp view source attempt [**]
08/31-10:02:41.122535 XXX.xxx.xxx.xxx:3004 -> 72.14.207.104:80
TCP TTL:128 TOS:0x0 ID:31709 IpLen:20 DgmLen:835 DF
***AP*** Seq: 0xEE181A06  Ack: 0x7D2A017B  Win: 0xFFFF  TcpLen: 20
47 45 54 20 2F 70 61 67 65 61 64 2F 61 64 73 3F  GET /pagead/ads?
63 6C 69 65 6E 74 3D 63 61 2D 69 6E 74 65 72 6E  client=ca-intern
65 74 5F 37 32 38 78 39 30 26 64 74 3D 31 31 32  et_728x90&dt=112
35 35 30 30 35 36 32 33 31 32 26 61 64 73 61 66  5500562312&adsaf
65 3D 68 69 67 68 26 6C 6D 74 3D 31 31 32 35 35  e=high&lmt=11255
30 30 35 36 32 26 66 6F 72 6D 61 74 3D 37 32 38  00562&format=728
78 39 30 5F 73 6C 6E 26 6F 75 74 70 75 74 3D 68  x90_sln&output=h
74 6D 6C 26 75 72 6C 3D 68 74 74 70 25 33 41 25  tml&url=http%3A%
32 46 25 32 46 77 77 77 2E 6A 67 75 72 75 2E 63  2F%2Fwww.jguru.c
6F 6D 25 32 46 66 61 71 25 32 46 76 69 65 77 2E  om%2Ffaq%2Fview.
6A 73 70 25 33 46 45 49 44 25 33 44 31 36 38 33  jsp%3FEID%3D1683
33 26 72 65 66 3D 68 74 74 70 25 33 41 25 32 46  3&ref=http%3A%2F
25 32 46 77 77 77 2E 67 6F 6F 67 6C 65 2E 63 6F  %2Fwww.google.co
6D 25 32 46 73 65 61 72 63 68 25 33 46 68 6C 25  m%2Fsearch%3Fhl%


Andy Bach, Sys. Mangler
Internet: andy_bach@wiwb.uscourts.gov 
VOICE: (608) 261-5738  FAX 264-5932

"If you have a procedure with ten parameters, you probably missed some." 
-- Alan Perlis 
http://www.cs.yale.edu/homes/perlis-alan/quotes.txt
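Added example, not part of the report above and not the Snort rule itself: a small triage script that separates the case the rule is named for (an encoded '?' directly after a .jsp path) from the false positive shown in the captures, where ".jsp%3F" occurs only inside a query-string parameter value such as an embedded page or referrer URL. The match pattern is an assumption based on the report's statement that %3F triggers the rule, and the request lines are shortened, constructed versions of the two captures.

```python
import re

# Assumption: the trigger described in the report, an encoded '?' (%3F)
# following ".jsp" anywhere in the raw request-URI (not the rule's own content).
ENCODED_JSP_QUERY = re.compile(r"\.jsp%3f", re.IGNORECASE)

# Constructed request lines, shortened from the two captures in the report.
FP_MLB = ("GET /b/ss/mlbglobal,mlbatlanta/1/G.5-Pd-R/s2741805609722?[AQB]&ndh=1"
          "&pageName=schedule/index.jsp%3Fc_id%3Datl%26m%3D9&ch=schedule"
          "&g=http%3A//atlanta.braves.mlb.com/NASApp/mlb/schedule/index.jsp%3Fc_id%3Datl"
          " HTTP/1.1")
FP_ADS = ("GET /pagead/ads?client=ca-internet_728x90&output=html"
          "&url=http%3A%2F%2Fwww.jguru.com%2Ffaq%2Fview.jsp%3FEID%3D16833 HTTP/1.1")
# Constructed: the shape the rule targets, the encoded '?' directly after the .jsp path.
HIT = "GET /app/index.jsp%3F HTTP/1.1"


def request_uri(request_line):
    """Return the raw request-URI from a request line such as 'GET /x?y HTTP/1.1'."""
    parts = request_line.split(" ", 2)
    if len(parts) < 2:
        raise ValueError("not an HTTP request line")
    return parts[1]


def classify(request_line):
    """Triage a request line for this alert.

    'no-match'         : the raw URI does not contain '.jsp%3F'
    'path-match'       : '.jsp%3F' sits in the path, before any literal '?', so the
                         encoded '?' stands in for the query separator (the real case)
    'query-value-only' : '.jsp%3F' appears only after a literal '?', i.e. inside a
                         parameter value (the false positive in the captures)
    """
    uri = request_uri(request_line)
    if not ENCODED_JSP_QUERY.search(uri):
        return "no-match"
    path, _, _query = uri.partition("?")
    if ENCODED_JSP_QUERY.search(path):
        return "path-match"
    return "query-value-only"


def offending_params(request_line):
    """Names of query parameters whose still-encoded value carries '.jsp%3F'."""
    _, _, query = request_uri(request_line).partition("?")
    names = []
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if ENCODED_JSP_QUERY.search(value):
            names.append(name)
    return names
```

Running `classify` over the decoded request lines of alerts is a quick way to sort this signature's hits before tuning it; `offending_params` shows which tracking parameters (here pageName, g, url) carry the embedded .jsp URL.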


