Snort mailing list archives
FP on SID 16409;rev:1;
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Fri, 09 Apr 2010 12:16:55 +1200
We just had this trigger when a user access an Asian webapp. I guess the unicode chars got confused with an exploit attempt? Attached is an ASCII dump of the URI. I can get you the pcap if you want. This is on a 2.8.5.2 system GET /segment/dict.php?request=%3Cservice%3E%09%3Cclass%3E11%3C%2Fclass%3E%09%3Citem%3E%09%09%3Cdata%3E1104%20-%20%E7%BB%B4%E6%BF%80%E5%85%89%E6%89%AB%E6%8F%8F%E6%8A%80%E6%9C%AF%E5%9C%A8%E5%9C%B0%E9%93%81%E6%96%BD%E5%B7%A5%E8%B0%83%E7%BA%BF%E8%B0%83%E5%9D%A1%E4%B8%AD%E7%9A%84%E5%BA%94%E7%94%A8_%E5%AE%8B%E5%BE%B7%E5%8F%8B%20.ppt%3C%2Fdata%3E%09%09%3Cflag%3E7%3C%2Fflag%3E%09%09%3Cmemo%3E2%3C%2Fmemo%3E%09%3C%2Fitem%3E%20%20%3Cdictid%3E1%7C3%7C%3C%2Fdictid%3E%09%3Csecond%3E1%3C%2Fsecond%3E%3C%2Fservice%3E&cc=16519d2763a6bb09f35a013e42c9651d&t=11 HTTP/1.0 User-Agent: CBNetDataSet Host: segment.pw08.iciba.com Cache-Control: max-age=259200 Via: 1.0 PROXY Connection: close -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ------------------------------------------------------------------------------ Download Intel® Parallel Studio Eval Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta. http://p.sf.net/sfu/intel-sw-dev _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
Current thread:
- FP on SID 16409;rev:1; Jason Haar (Apr 08)
- Re: FP on SID 16409;rev:1; Alex Kirk (Apr 08)
- Re: FP on SID 16409;rev:1; Jason Haar (Apr 08)
- Re: FP on SID 16409;rev:1; Matt Olney (Apr 08)
- Re: FP on SID 16409;rev:1; Jason Haar (Apr 08)
- Re: FP on SID 16409;rev:1; Alex Kirk (Apr 08)