Snort mailing list archives

RE: OVERSIZE REQUEST-URI DIRECTORY outbound from my network


From: "East, Bill" <eastb () PFFCU org>
Date: Wed, 22 Feb 2006 09:37:24 -0500

With DotNet it's very likely that the code is generating a long and
complicated "viewstate" ID which is getting embedded in your URLs. For
example, in an online banking app I use, a partial viewstate is

PDtsPGk8MD47aTwzPjtpPDQ+O2k8NT47aTw2Pjs+O2w8dDxwPGw8VmlzaWJsZTs+O2w8bzxm
Pjs+Pjs7Pjt0PHA8cDxsPEJhY2tDb2xvcjtfIVNCO1Zpc2libGU7PjtsPDI8MjU1LCAyNTUs
IDI1NT47aTw4PjtvPHQ+Oz4+Oz47bDxpPDA+O2k8MT47PjtsPHQ8cDxsPGJnY29sb3I7Pjts
P

(that's less than half of it)...

So IIS servers, which previously were vulnerable to attacks based on
very long URLs, are now almost guaranteed to receive them. Welcome to
the world of the future.

-- 
be - MOS

Logic doesn't apply to the real world.  --Marvin Minsky
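A quick way to confirm what Bill describes, added here as an example and not taken from his message or from any ASP.NET source: base64-decode the quoted viewstate fragment and look at what is inside. The only input is the fragment printed above (including its dangling "P", which is an incomplete base64 group); the format check is a heuristic based on the two serializer signatures (ASP.NET 1.x LosFormatter's angle-bracket text, ASP.NET 2.0 ObjectStateFormatter's leading 0xFF 0x01), and the function names are this script's own.

```python
import base64
import re
from urllib.parse import quote

# The partial __VIEWSTATE quoted in the post above, as printed there (the
# dangling "P" on its last line is an incomplete base64 group).  This is
# the only sample data in the script.
VIEWSTATE_FRAGMENT = (
    "PDtsPGk8MD47aTwzPjtpPDQ+O2k8NT47aTw2Pjs+O2w8dDxwPGw8VmlzaWJsZTs+O2w8bzxm"
    "Pjs+Pjs7Pjt0PHA8cDxsPEJhY2tDb2xvcjtfIVNCO1Zpc2libGU7PjtsPDI8MjU1LCAyNTUs"
    "IDI1NT47aTw4PjtvPHQ+Oz4+Oz47bDxpPDA+O2k8MT47PjtsPHQ8cDxsPGJnY29sb3I7Pjts"
    "P"
)


def decode_viewstate(value: str) -> bytes:
    """Base64-decode a __VIEWSTATE value that may be truncated mid-group.

    A leftover of one character cannot carry a whole byte and is dropped;
    two or three leftover characters are padded with '=' so the standard
    decoder accepts them.
    """
    value = re.sub(r"\s+", "", value)
    if len(value) % 4 == 1:
        value = value[:-1]
    value += "=" * (-len(value) % 4)
    return base64.b64decode(value)


def classify(raw: bytes) -> str:
    """Name the serializer from the leading bytes (heuristic).

    ASP.NET 1.x LosFormatter writes an angle-bracket text format whose
    top-level tokens are t< (triplet), p< (pair) or l< (list), often
    preceded by '<;'.  ASP.NET 2.0 ObjectStateFormatter starts with the
    two bytes 0xFF 0x01.  Anything else is reported as opaque (encrypted,
    compressed, or simply not a viewstate).
    """
    if raw[:2] == b"\xff\x01":
        return "ObjectStateFormatter (ASP.NET 2.0)"
    if raw[:1] == b"<" or raw[:2] in (b"t<", b"p<", b"l<"):
        return "LosFormatter (ASP.NET 1.x)"
    return "opaque"


def readable_tokens(raw: bytes, min_len: int = 4) -> list:
    """Identifier-like runs inside the decoded blob.  Control and property
    names (Visible, BackColor, ...) are what tells a serialized control
    tree apart from arbitrary data at a glance."""
    pattern = rb"[A-Za-z_][A-Za-z0-9_]{%d,}" % (min_len - 1)
    return re.findall(pattern, raw)


def url_encoded_length(value: str) -> int:
    """Length the value occupies once a GET form puts it in the query
    string: every '+', '/' and '=' becomes a three-character escape, so the
    URL grows beyond the base64 length."""
    return len(quote(re.sub(r"\s+", "", value), safe=""))


def triage(value: str) -> dict:
    """Summary an analyst wants when an oversize-URI alert fires on .aspx."""
    raw = decode_viewstate(value)
    return {
        "encoded_chars": len(re.sub(r"\s+", "", value)),
        "url_encoded_chars": url_encoded_length(value),
        "decoded_bytes": len(raw),
        "format": classify(raw),
        "tokens": readable_tokens(raw),
    }


if __name__ == "__main__":
    for key, val in triage(VIEWSTATE_FRAGMENT).items():
        print(f"{key}: {val}")
```

Run on the fragment, the decoder yields an ASP.NET 1.x control tree whose readable tokens are Visible, BackColor and bgcolor, which is the benign explanation for the alert; a blob that decodes to nothing recognisable is the case that deserves a closer look.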
 

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Will Button
Sent: Friday, February 17, 2006 10:58 AM
To: CasperLinux; snort-users () lists sourceforge net
Subject: RE: [Snort-users] OVERSIZE REQUEST-URI DIRECTORY outbound from my network

I've seen an increase in these directly related to the launch 
of our new website, written in .Net 2.0.  I have not had the 
opportunity to inspect in great detail what exactly is 
happening, since it appeared to be false alarms related to 
our new site.  At first glance, it looks like some 
encrypted/dotfuscated/hashed or otherwise mangled code that 
is being passed to the client.

By chance, are the other URLs triggering your alarms .aspx?

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of CasperLinux
Sent: Friday, February 17, 2006 6:32 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] OVERSIZE REQUEST-URI DIRECTORY outbound from my network

I admit I'm new at this security evaluation - at least in 
this detail.  I asked a couple of days ago about the OVERSIZE 
REQUEST-URI DIRECTORY hits I was getting from external to 
internal networks.  I posted the payload and was advised (by 
Joel I believe) that this is evidence of "typical" virus activity.  

However, since yesterday I have been seeing this same hit 
originating on my family box (WinXP) and heading outbound.  
In two separate views I see within the payload data that 
makes me think they are legitimate transactions.
Below is the latest from this morning and is tied to a use by 
my daughter of mapquest.  I'm gonna scan the heck out of that 
computer but can someone explain this to me (or better yet - 
point me to a web reference where I can read and learn some 
more) about this problem and what it really means?  I've 
searched and simply can't find enough to understand what this 
is trying to tell me.

000 : 47 45 54 20 2F 3F 65 3D 39 26 47 65 74 4D 61 70   GET /?e=9&GetMap
010 : 44 69 72 65 63 74 3D 47 6D 65 35 64 69 77 25 32   Direct=Gme5diw%2
020 : 63 62 25 33 61 39 75 31 32 25 33 62 25 34 30 25   cb%3a9u12%3b%40%
030 : 32 34 78 75 25 32 64 37 67 31 66 37 32 25 32 36   24xu%2d7g1f72%26
040 : 25 33 64 79 6E 25 32 31 7A 31 35 30 36 37 25 33   %3dyn%21z15067%3
050 : 61 39 36 25 34 30 61 6C 79 32 6E 39 25 34 30 79   a96%40aly2n9%40y
060 : 25 32 36 39 72 37 73 64 34 25 32 34 78 75 72 37   %269r7sd4%24xur7
070 : 6E 25 32 36 75 32 67 75 25 32 63 61 25 33 61 39   n%26u2gu%2ca%3a9
080 : 36 37 32 25 33 62 25 34 30 62 32 30 30 25 32 34   672%3b%40b200%24
090 : 25 33 61 25 32 36 25 34 30 25 32 34 78 75 25 32   %3a%26%40%24xu%2
0a0 : 64 37 61 39 79 37 32 25 32 36 25 33 64 79 6E 25   d7a9y72%26%3dyn%
0b0 : 32 31 7A 7A 73 39 36 37 25 33 61 25 32 36 25 34   21zzs967%3a%26%4
0c0 : 30 32 32 75 36 25 32 61 25 33 61 6C 36 74 78 25   022u6%2a%3al6tx%
0d0 : 32 36 25 34 30 25 32 34 25 33 61 25 32 36 61 37   26%40%24%3a%26a7
0e0 : 25 32 36 75 66 74 67 75 36 25 32 34 25 32 65 35   %26uftgu6%24%2e5
0f0 : 75 25 34 30 67 31 61 32 32 75 25 34 30 25 32 34   u%40g1a22u%40%24
100 : 25 33 61 39 34 74 77 25 33 62 75 25 32 34 6E 64   %3a94tw%3bu%24nd
110 : 7A 37 25 32 36 31 25 32 63 62 73 35 72 25 32 34   z7%261%2cbs5r%24
120 : 25 33 61 25 32 36 75 7A 32 25 32 36 75 7A 32 30   %3a%26uz2%26uz20
130 : 72 38 78 71 25 34 30 32 30 30 25 34 30 25 32 34   r8xq%40200%40%24
140 : 6E 64 77 37 25 32 36 31 25 32 63 79 35 25 32 36   ndw7%261%2cy5%26
150 : 77 25 32 34 78 75 36 74 6E 64 25 34 30 25 35 66   w%24xu6tnd%40%5f
160 : 67 39 7A 7A 73 31 25 34 30 25 35 66 6C 25 32 36   g9zzs1%40%5fl%26
170 : 36 25 32 34 25 32 65 68 25 34 30 25 35 66 77 25   6%24%2eh%40%5fw%
180 : 32 36 25 33 64 61 25 33 61 75 25 34 30 25 35 66   26%3da%3au%40%5f
190 : 30 25 32 36 25 33 64 32 25 33 61 25 32 39 75 7A   0%26%3d2%3a%29uz
1a0 : 25 33 61 25 32 39 79 25 32 34 6E 25 32 36 25 33   %3a%29y%24n%26%3
1b0 : 64 61 25 33 61 67 25 34 30 25 35 66 6E 67 25 34   da%3ag%40%5fng%4
1c0 : 30 61 25 33 61 25 32 39 77 25 32 34 32 25 32 36   0a%3a%29w%242%26
1d0 : 25 33 64 32 25 33 61 71 25 34 30 25 35 66 30 25   %3d2%3aq%40%5f0%
1e0 : 32 36 61 25 32 34 25 32 65 64 25 34 30 74 25 33   26a%24%2ed%40t%3
1f0 : 61 25 32 39 75 37 25 33 61 39 25 34 30 25 35 66   a%29u7%3a9%40%5f
200 : 6C 25 32 36 61 74 25 33 61 25 32 39 34 31 25 33   l%26at%3a%2941%3
210 : 61 39 25 34 30 25 35 66 78 25 32 36 75 25 32 34   a9%40%5fx%26u%24
220 : 25 32 65 31 25 34 30 62 25 33 61 25 32 39 66 25   %2e1%40b%3a%29f%
230 : 32 34 6C 25 32 36 25 33 64 32 6C 25 32 36 36 25   24l%26%3d2l%266%
240 : 32 34 25 32 65 39 36 25 32 34 32 25 32 36 25 33   24%2e96%242%26%3
250 : 64 32 25 33 61 6C 25 34 30 25 35 66 73 75 25 34   d2%3al%40%5fsu%4
260 : 30 37 25 33 61 25 32 39 77 25 32 34 6E 25 32 36   07%3a%29w%24n%26
270 : 25 33 64 79 25 33 61 39 25 34 30 25 35 66 6E 75   %3dy%3a9%40%5fnu
280 : 25 34 30 37 25 33 61 25 32 39 30 25 32 34 6E 25   %407%3a%290%24n%
290 : 32 36 25 33 64 32 78 25 32 36 61 25 32 34 25 32   26%3d2x%26a%24%2
2a0 : 65 6C 61 25 32 34 32 25 32 36 25 33 64 32 25 33   ela%242%26%3d2%3
2b0 : 61 31 25 34 30 25 35 66 6E 67 25 34 30 37 25 33   a1%40%5fng%407%3
2c0 : 61 25 32 39 61 25 32 34 6E 25 32 36 25 33 64 32   a%29a%24n%26%3d2
2d0 : 6E 25 32 36 36 25 32 34 25 32 65 31 25 34 30 72   n%266%24%2e1%40r
2e0 : 25 33 61 25 32 39 61 74 25 33 61 75 25 34 30 25   %3a%29at%3au%40%
2f0 : 35 66 6E 25 32 36 61 25 32 34 25 32 65 31 34 25   5fn%26a%24%2e14%
300 : 32 34 32 25 32 36 25 33 64 62 25 33 61 31 25 34   242%26%3db%3a1%4
310 : 30 25 35 66 6E 68 25 34 30 37 25 33 61 25 32 39   0%5fnh%407%3a%29
320 : 75 25 32 34 6E 25 32 36 25 33 64 32 32 25 32 36   u%24n%26%3d22%26
330 : 30 25 32 34 25 32 65 30 25 34 30 38 25 33 61 25   0%24%2e0%408%3a%
340 : 32 39 75 37 25 33 61 6C 25 34 30 25 35 66 30 25   29u7%3al%40%5f0%
350 : 32 36 30 25 32 34 25 32 65 39 25 34 30 32 25 33   260%24%2e9%402%3
360 : 61 25 32 39 75 25 32 34 67 25 32 36 25 33 64 74   a%29u%24g%26%3dt
370 : 25 33 61 64 25 34 30 25 35 66 6C 25 32 36 77 25   %3ad%40%5fl%26w%
380 : 32 34 25 32 65 39 25 34 30 32 32 25 32 36 25 33   24%2e9%4022%26%3
390 : 64 32 25 33 61 39 25 34 30 37 25 33 61 31 25 34   d2%3a9%407%3a1%4
3a0 : 30 37 25 33 61 39 75 25 32 34 25 32 65 39 25 34   07%3a9u%24%2e9%4
3b0 : 30 32 6E 25 32 36 36 25 32 34 6E 30 25 34 30 37   02n%266%24n0%407
3c0 : 25 33 61 31 36 25 32 34 32 25 32 36 30 25 32 34   %3a16%242%260%24
3d0 : 32 25 32 36 75 7A 25 33 61 25 32 39 75 25 32 34   2%26uz%3a%29u%24
3e0 : 6E 71 25 34 30 37 25 33 61 31 25 34 30 37 25 33   nq%407%3a1%407%3
3f0 : 61 6C 77 25 32 34 32 25 32 36 75 25 32 34 32 25   alw%242%26u%242%
400 : 32 36 75 32 25 33 61 25 32 39 75 25 32 34 6C 25   26u2%3a%29u%24l%
410 : 32 36 36 25 32 34 6E 6C 25 34 30 37 25 33 61 25   266%24nl%407%3a%
420 : 32 39 61 25 32 34 25 32 65 64 25 34 30 25 35 66   29a%24%2ed%40%5f
430 : 6E 25 32 36 25 33 64 62 25 33 61 75 25 34 30 25   n%26%3db%3au%40%
440 : 35 66 6E 25 32 36 25 33 64 32 25 33 61 25 32 39   5fn%26%3d2%3a%29
450 : 30 25 32 34 25 32 65 39 25 34 30 25 35 66 77 25   0%24%2e9%40%5fw%
460 : 32 36 36 25 32 34 25 32 65 39 25 34 30 37 25 33   266%24%2e9%407%3
470 : 61 25 32 39 30 25 32 34 32 25 32 36 25 33 64 7A   a%290%242%26%3dz
480 : 25 33 61 75 25 34 30 25 35 66 6C 25 32 36 36 25   %3au%40%5fl%266%
490 : 32 34 25 32 65 39 30 25 32 34 32 25 32 36 25 33   24%2e90%242%26%3
4a0 : 64 61 25 33 61 25 32 39 75 25 32 34 25 32 65 71   da%3a%29u%24%2eq
4b0 : 7A 25 32 34 32 25 32 36 25 33 64 62 25 33 61 75   z%242%26%3db%3au
4c0 : 25 34 30 25 35 66 6C 31 25 34 30 37 25 33 61 25   %40%5fl1%407%3a%
4d0 : 32 39 30 25 32 34 32 25 32 36 25 33 64 61 78 25   290%242%26%3dax%
4e0 : 32 36 75 72 25 33 61 25 32 39 75 25 32 34 32 25   26ur%3a%29u%242%
4f0 : 32 36 7A 25 32 34 6C 25 32 36 30 25 32 34 6C 25   26z%24l%260%24l%
500 : 32 36 36 25 32 34 6E 64 34 37 25 37 63 75 25 34   266%24nd47%7cu%4
510 : 30 32 35 75 36 25 34 30 6C 25 33 62 25 34 30 7A   025u6%40l%3b%40z
520 : 61 75 61 25 32 34 25 33 61 20 48 54 54 50 2F 31   aua%24%3a HTTP/1
530 : 2E 31 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D   .1..Accept: */*.
540 : 0A 52 65 66 65 72 65 72 3A 20 68 74 74 70 3A 2F   .Referer: http:/
550 : 2F 77 77 77 2E 6D 61 70 71 75 65 73 74 2E 63 6F   /www.mapquest.co
560 : 6D 2F 64 69 72 65 63 74 69 6F 6E 73 2F 6D 61 69   m/directions/mai
570 : 6E 2E 61 64 70 3F 67 6F 3D 31 26 64 6F 3D 6E 77   n.adp?go=1&do=nw
580 : 26 72 6D 6D 3D 31 26 31 67 69 3D 30 26 75 6E 3D   &rmm=1&1gi=0&un=
590 : 6D 26 31 64 61 3D 2D 31 2E 30 30 30 30 30 30 26   m&1da=-1.000000&
5a0 : 31 72 63 3D 4C 31 41 41 41 26 63 6C 3D 45 4E 26   1rc=L1AAA&cl=EN&
5b0 : 63 74 3D 4E                                       ct=N


--
Don
- Powered by Debian Linux - 
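The question in this post (what is the alert actually measuring, and is the request what it looks like?) can be answered from the payload dump itself. Below is an added example, not something from the thread or from Snort: a small parser for the "offset : bytes   ascii" layout the list archive prints, fed with an excerpt of the dump above (its first three rows and its last ten; rows 030 through 510 are omitted from the sample, and because offsets are preserved the request-line geometry still comes out right). The alert comes from http_inspect's oversize_dir_length check; measuring "longest run between slashes, query string included" is this script's approximation of that check, not a statement of the preprocessor's exact code, and the 300 used at the bottom is only an illustrative threshold.

```python
import re

# Excerpt of the hex dump quoted in the post above, in the archive's
# "offset : bytes   ascii" layout: the first three rows and the last ten.
# Constructed sample for this script; rows 030 through 510 are omitted.
HEXDUMP_EXCERPT = """\
000 : 47 45 54 20 2F 3F 65 3D 39 26 47 65 74 4D 61 70   GET /?e=9&GetMap
010 : 44 69 72 65 63 74 3D 47 6D 65 35 64 69 77 25 32   Direct=Gme5diw%2
020 : 63 62 25 33 61 39 75 31 32 25 33 62 25 34 30 25   cb%3a9u12%3b%40%
520 : 61 75 61 25 32 34 25 33 61 20 48 54 54 50 2F 31   aua%24%3a HTTP/1
530 : 2E 31 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D   .1..Accept: */*.
540 : 0A 52 65 66 65 72 65 72 3A 20 68 74 74 70 3A 2F   .Referer: http:/
550 : 2F 77 77 77 2E 6D 61 70 71 75 65 73 74 2E 63 6F   /www.mapquest.co
560 : 6D 2F 64 69 72 65 63 74 69 6F 6E 73 2F 6D 61 69   m/directions/mai
570 : 6E 2E 61 64 70 3F 67 6F 3D 31 26 64 6F 3D 6E 77   n.adp?go=1&do=nw
580 : 26 72 6D 6D 3D 31 26 31 67 69 3D 30 26 75 6E 3D   &rmm=1&1gi=0&un=
590 : 6D 26 31 64 61 3D 2D 31 2E 30 30 30 30 30 30 26   m&1da=-1.000000&
5a0 : 31 72 63 3D 4C 31 41 41 41 26 63 6C 3D 45 4E 26   1rc=L1AAA&cl=EN&
5b0 : 63 74 3D 4E                                       ct=N
"""

# One dump row: hex offset, colon, up to 16 hex byte pairs, then the ASCII
# column (ignored).  Rows have at most 16 bytes, so {1,16} keeps the parser
# from mistaking hex-looking ASCII text for more bytes.
ROW_RE = re.compile(
    r"^\s*([0-9A-Fa-f]+)\s*:\s*((?:[0-9A-Fa-f]{2}(?:\s+|$)){1,16})"
)


def parse_hexdump(text: str) -> dict:
    """Map row offset -> bytes.  Lines that do not start with 'offset :'
    (for instance an ASCII column a mail client wrapped onto its own line)
    are skipped, so both the wrapped and the one-line layout parse."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[int(m.group(1), 16)] = bytes.fromhex("".join(m.group(2).split()))
    return rows


def reassemble(rows: dict, filler: bytes = b"?") -> bytes:
    """Concatenate rows in offset order, padding omitted rows with filler so
    every surviving byte stays at its captured offset."""
    data = bytearray()
    for offset in sorted(rows):
        if offset > len(data):
            data.extend(filler * (offset - len(data)))
        data[offset:offset + len(rows[offset])] = rows[offset]
    return bytes(data)


def request_target(data: bytes) -> tuple:
    """(method, request-target) from the first line of an HTTP request."""
    first_line = data.split(b"\r\n", 1)[0]
    method, rest = first_line.split(b" ", 1)
    return method.decode("ascii", "replace"), rest.rsplit(b" HTTP/", 1)[0]


def headers(data: bytes) -> dict:
    """Lower-cased header name -> value for whatever headers the capture
    holds; a dump cut off mid-header simply yields fewer entries."""
    head = data.split(b"\r\n\r\n", 1)[0]
    out = {}
    for line in head.split(b"\r\n")[1:]:
        if b":" in line:
            name, value = line.split(b":", 1)
            out[name.strip().lower()] = value.strip()
    return out


def longest_directory(target: bytes) -> int:
    """Longest run between '/' characters in the request-target.  This is an
    approximation of http_inspect's oversize_dir_length check (the source
    of OVERSIZE REQUEST-URI DIRECTORY); counting the query string as part
    of the last segment is an assumption made here."""
    return max(len(seg) for seg in target.split(b"/"))


def triage(dump_text: str, oversize_dir_length: int) -> dict:
    """Everything needed to decide whether the alert is a true size hit and
    where the request came from."""
    data = reassemble(parse_hexdump(dump_text))
    method, target = request_target(data)
    longest = longest_directory(target)
    referer = headers(data).get(b"referer", b"")
    return {
        "method": method,
        "uri_length": len(target),
        "longest_directory": longest,
        "referer": referer.decode("ascii", "replace"),
        "exceeds_threshold": longest > oversize_dir_length,
    }


if __name__ == "__main__":
    # 300 is an illustrative threshold only; take the real value from the
    # sensor's http_inspect_server configuration.
    for key, val in triage(HEXDUMP_EXCERPT, 300).items():
        print(f"{key}: {val}")
```

Even from the excerpt the request-target works out to 1317 bytes, all of it one "directory" because the path is just "/" followed by the query string, and the Referer points at the MapQuest directions page, which is consistent with the browsing the poster describes rather than with malware. The same parser runs over the full dump as quoted, wrapped or not.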


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep 
through log files for problems?  Stop!  Download the new AJAX 
search engine that makes searching your log files as easy as 
surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&;
dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



