Snort mailing list archives
Re: FP on SID 16409;rev:1;
From: Alex Kirk <akirk () sourcefire com>
Date: Thu, 8 Apr 2010 23:10:36 -0400
A PCAP would be great. We recently found some issues with Asian character sets in URLs that have been fixed in the 2.8.6 beta, and I'd love to test this out against those fixes to ensure that it works.

On Thu, Apr 8, 2010 at 8:16 PM, Jason Haar <Jason.Haar () trimble co nz> wrote:

> We just had this trigger when a user accessed an Asian webapp. I guess the Unicode chars got confused with an exploit attempt?
>
> Attached is an ASCII dump of the URI. I can get you the pcap if you want. This is on a 2.8.5.2 system
>
> GET /segment/dict.php?request=%3Cservice%3E%09%3Cclass%3E11%3C%2Fclass%3E%09%3Citem%3E%09%09%3Cdata%3E1104%20-%20%E7%BB%B4%E6%BF%80%E5%85%89%E6%89%AB%E6%8F%8F%E6%8A%80%E6%9C%AF%E5%9C%A8%E5%9C%B0%E9%93%81%E6%96%BD%E5%B7%A5%E8%B0%83%E7%BA%BF%E8%B0%83%E5%9D%A1%E4%B8%AD%E7%9A%84%E5%BA%94%E7%94%A8_%E5%AE%8B%E5%BE%B7%E5%8F%8B%20.ppt%3C%2Fdata%3E%09%09%3Cflag%3E7%3C%2Fflag%3E%09%09%3Cmemo%3E2%3C%2Fmemo%3E%09%3C%2Fitem%3E%20%20%3Cdictid%3E1%7C3%7C%3C%2Fdictid%3E%09%3Csecond%3E1%3C%2Fsecond%3E%3C%2Fservice%3E&cc=16519d2763a6bb09f35a013e42c9651d&t=11 HTTP/1.0
> User-Agent: CBNetDataSet
> Host: segment.pw08.iciba.com
> Cache-Control: max-age=259200
> Via: 1.0 PROXY
> Connection: close
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
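Added triage example (not part of the thread, and not Snort or Sourcefire code): when an alert fires on a URI like the one reported above, percent-decoding the parameter and checking whether its non-ASCII bytes are well-formed UTF-8 gives the analyst concrete evidence to attach to a false-positive report. The `triage` function, its report fields and the malformed counter-example are assumptions made for illustration; the check says nothing about what SID 16409 actually matches on.

```python
import re
from urllib.parse import unquote_to_bytes

# Shortened excerpt of the <data> element from the reported request
# (first five encoded characters, closing tag re-attached).
SAMPLE = ("%3Cdata%3E1104%20-%20%E7%BB%B4%E6%BF%80%E5%85%89"
          "%E6%89%AB%E6%8F%8F%3C%2Fdata%3E")
# Constructed counter-example: C0 AF is never a valid UTF-8 sequence.
MALFORMED = "%3Cdata%3E%C0%AF%3C%2Fdata%3E"

HIGH_RUN = re.compile(rb"[\x80-\xff]+")  # consecutive non-ASCII bytes


def triage(encoded):
    """Percent-decode a URI fragment and classify its non-ASCII byte runs."""
    raw = unquote_to_bytes(encoded)
    report = {"runs": 0, "chars": 0, "cjk": 0, "malformed": []}
    for match in HIGH_RUN.finditer(raw):
        report["runs"] += 1
        run = match.group()
        try:
            # Strict decoding rejects overlong forms, stray continuation
            # bytes, truncated sequences and surrogates.
            text = run.decode("utf-8", errors="strict")
        except UnicodeDecodeError as exc:
            # Record the absolute offset and the first offending bytes.
            bad = run[exc.start:exc.end].hex()
            report["malformed"].append((match.start() + exc.start, bad))
            continue
        report["chars"] += len(text)
        # CJK Unified Ideographs block, U+4E00..U+9FFF.
        report["cjk"] += sum(0x4E00 <= ord(c) <= 0x9FFF for c in text)
    if report["malformed"]:
        report["verdict"] = "malformed-bytes"
    elif report["runs"]:
        report["verdict"] = "well-formed-utf8"
    else:
        report["verdict"] = "ascii-only"
    return report


if __name__ == "__main__":
    for label, value in (("reported", SAMPLE), ("constructed", MALFORMED)):
        print(label, triage(value))
```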