[Snort-sigs] False Positives SID 972 WEB-IIS %2E-asp access

Claude Watson abuse at ...2390...
Thu Apr 8 06:25:20 EDT 2004


This may only be an issue on our internal network.  I don't see the same 
problem on my external sensor.  I wanted to pass it along, mostly to find out 
if we were the only ones with this problem. 

Thanks,
-- 
Claude Watson
Abuse Desk - Adware Systems, Inc.
http://www.adware.com
-------------- next part --------------
# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  

--
Sid: 	972

--
Summary: This event is generated when an attempt is made to access an Active Server Page (ASP) .asp file when the period is hex encoded as "%2e".

--
Impact:

--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives: On our network I see false positives on some web searches by our users.  One was a Google search and another was to an auto parts vendor.  I'll add the actual alert text for both of these below.  This may be something that happens because of the settings we use and may not be widespread. 

--
False Negatives:

--

--
Contributors:

-- 
Additional References:
Total Alerts On This Rule, All False Positives As Far As I Know. 
NOTE:  The 129. addresses all NAT to 65.167.38.40 outside our firewall. We are working on fixing that leftover strangeness.


FALSE Positive on Google Search

000 : 47 45 54 20 2F 73 65 61 72 63 68 3F 63 6C 69 65   GET /search?clie
010 : 6E 74 3D 6E 61 76 63 6C 69 65 6E 74 2D 61 75 74   nt=navclient-aut
020 : 6F 26 67 6F 6F 67 6C 65 69 70 3D 4F 3B 32 31 36   o&googleip=O;216
030 : 2E 32 33 39 2E 35 31 2E 39 39 3B 31 34 30 26 63   .239.51.99;140&c
040 : 68 3D 36 34 30 34 39 37 30 39 36 33 36 26 6F 72   h=64049709636&or
050 : 69 67 3D 68 74 74 70 25 33 41 25 32 46 25 32 46   ig=http%3A%2F%2F
060 : 77 77 77 25 32 45 67 6F 6F 67 6C 65 25 32 45 63   www%2Egoogle%2Ec
070 : 6F 6D 25 32 46 75 72 6C 25 33 46 26 69 65 3D 55   om%2Furl%3F&ie=U
080 : 54 46 2D 38 26 6F 65 3D 55 54 46 2D 38 26 71 75   TF-8&oe=UTF-8&qu
090 : 65 72 79 74 69 6D 65 3D 46 4A 26 66 65 61 74 75   erytime=FJ&featu
0a0 : 72 65 73 3D 52 61 6E 6B 26 71 3D 69 6E 66 6F 3A   res=Rank&q=info:
0b0 : 68 74 74 70 25 33 41 25 32 46 25 32 46 77 77 77   http%3A%2F%2Fwww
0c0 : 25 32 45 73 6F 75 6E 64 64 6F 67 73 25 32 45 63   %2Esounddogs%2Ec
0d0 : 6F 6D 25 32 46 63 64 6C 69 62 25 32 45 61 73 70   om%2Fcdlib%2Easp
0e0 : 25 33 46 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73   %3F HTTP/1.1..Us
0f0 : 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C   er-Agent: Mozill
100 : 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C   a/4.0 (compatibl
110 : 65 3B 20 47 6F 6F 67 6C 65 54 6F 6F 6C 62 61 72   e; GoogleToolbar
120 : 20 32 2E 30 2E 31 30 38 2D 62 69 67 3B 20 57 69    2.0.108-big; Wi
130 : 6E 64 6F 77 73 20 58 50 20 35 2E 31 29 0D 0A 43   ndows XP 5.1)..C
140 : 6F 6F 6B 69 65 3A 20 50 52 45 46 3D 49 44 3D 30   ookie: PREF=ID=0
150 : 35 36 62 37 33 32 35 38 63 66 62 63 30 38 64 3A   56b73258cfbc08d:
160 : 54 4D 3D 31 30 37 35 33 31 39 39 36 30 3A 4C 4D   TM=1075319960:LM
170 : 3D 31 30 37 35 37 32 34 33 30 30 3A 54 42 3D 32   =1075724300:TB=2
180 : 3A 53 3D 33 53 69 56 48 32 57 30 51 69 34 58 44   :S=3SiVH2W0Qi4XD
190 : 59 45 64 0D 0A 48 6F 73 74 3A 20 32 31 36 2E 32   YEd..Host: 216.2
1a0 : 33 39 2E 35 31 2E 39 39 0D 0A 43 61 63 68 65 2D   39.51.99..Cache-
1b0 : 43 6F 6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 68   Control: no-cach
1c0 : 65 0D 0A 0D 0A                                    e....

One From The Auto Parts Store

 length = 480

000 : 47 45 54 20 2F 73 65 61 72 63 68 3F 63 6C 69 65   GET /search?clie
010 : 6E 74 3D 6E 61 76 63 6C 69 65 6E 74 2D 61 75 74   nt=navclient-aut
020 : 6F 26 67 6F 6F 67 6C 65 69 70 3D 4F 3B 32 31 36   o&googleip=O;216
030 : 2E 32 33 39 2E 33 37 2E 39 39 3B 31 32 30 26 63   .239.37.99;120&c
040 : 68 3D 36 33 33 31 39 31 35 31 39 34 30 26 66 72   h=63319151940&fr
050 : 65 73 68 6E 65 73 73 5F 63 68 65 63 6B 3D 34 76   eshness_check=4v
060 : 72 7A 78 50 31 54 4F 57 4F 45 2D 6B 53 41 6A 36   rzxP1TOWOE-kSAj6
070 : 45 48 71 26 69 65 3D 55 54 46 2D 38 26 6F 65 3D   EHq&ie=UTF-8&oe=
080 : 55 54 46 2D 38 26 66 65 61 74 75 72 65 73 3D 52   UTF-8&features=R
090 : 61 6E 6B 26 71 3D 69 6E 66 6F 3A 68 74 74 70 25   ank&q=info:http%
0a0 : 33 41 25 32 46 25 32 46 77 77 77 25 32 45 69 6D   3A%2F%2Fwww%2Eim
0b0 : 70 61 6C 61 73 75 70 65 72 73 74 6F 72 65 25 32   palasuperstore%2
0c0 : 45 63 6F 6D 25 32 46 6E 61 69 73 73 6F 25 32 46   Ecom%2Fnaisso%2F
0d0 : 73 75 70 65 72 73 74 6F 72 65 34 30 25 32 46 73   superstore40%2Fs
0e0 : 68 6F 70 64 69 73 70 6C 61 79 70 72 6F 64 75 63   hopdisplayproduc
0f0 : 74 73 25 32 45 61 73 70 25 33 46 20 48 54 54 50   ts%2Easp%3F HTTP
100 : 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74   /1.1..User-Agent
110 : 3A 20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63   : Mozilla/4.0 (c
120 : 6F 6D 70 61 74 69 62 6C 65 3B 20 47 6F 6F 67 6C   ompatible; Googl
130 : 65 54 6F 6F 6C 62 61 72 20 32 2E 30 2E 31 30 38   eToolbar 2.0.108
140 : 2D 62 69 67 3B 20 57 69 6E 64 6F 77 73 20 32 30   -big; Windows 20
150 : 30 30 20 35 2E 30 29 0D 0A 43 6F 6F 6B 69 65 3A   00 5.0)..Cookie:
160 : 20 50 52 45 46 3D 49 44 3D 30 34 36 39 64 65 65    PREF=ID=0469dee
170 : 66 37 33 61 66 34 35 65 39 3A 54 4D 3D 31 30 37   f73af45e9:TM=107
180 : 38 35 30 30 38 31 35 3A 4C 4D 3D 31 30 37 38 37   8500815:LM=10787
190 : 35 36 36 32 37 3A 54 42 3D 32 3A 53 3D 56 6D 38   56627:TB=2:S=Vm8
1a0 : 63 4D 7A 61 52 35 71 38 2D 4E 44 70 5A 0D 0A 48   cMzaR5q8-NDpZ..H
1b0 : 6F 73 74 3A 20 32 31 36 2E 32 33 39 2E 33 37 2E   ost: 216.239.37.
1c0 : 31 34 37 0D 0A 43 61 63 68 65 2D 43 6F 6E 74 72   147..Cache-Contr
1d0 : 6F 6C 3A 20 6E 6F 2D 63 61 63 68 65 0D 0A 0D 0A   ol: no-cache...
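As an added example (not from the post and not the Snort rule's own logic), the Python below compares a naive check that looks for the hex-encoded period before "asp" anywhere in the request URI, which is what the Summary describes, against one scoped to the request path only; the two request lines are constructed to mirror the shape of the dumps above, where the %2Easp sits inside the Google Toolbar "q=info:" query-string value rather than in the path IIS would serve. It assumes the trigger is "%2e" immediately followed by "asp", matched case-insensitively.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: the rule fires on the hex-encoded period immediately followed
# by "asp", case-insensitively, as the post's Summary describes.
ENCODED_ASP = re.compile(r"%2e(?=asp)", re.IGNORECASE)

# Constructed sample request lines modelled on the two dumps in the post.
# Google Toolbar sends the page being looked up as a query-string value.
GOOGLE_TOOLBAR = (
    "GET /search?client=navclient-auto"
    "&orig=http%3A%2F%2Fwww%2Egoogle%2Ecom%2Furl%3F"
    "&q=info:http%3A%2F%2Fwww%2Esounddogs%2Ecom%2Fcdlib%2Easp%3F HTTP/1.1"
)
# A direct request for an IIS script with the period encoded (the case 972 targets).
DIRECT_ASP = "GET /scripts/default%2Easp?id=1 HTTP/1.0"


def request_uri(request_line):
    """Return the Request-URI field of an HTTP request line."""
    return request_line.split(" ", 2)[1]


def naive_match(request_line):
    """Fire when %2Easp appears anywhere in the URI, path or query string."""
    return bool(ENCODED_ASP.search(request_uri(request_line)))


def path_only_match(request_line):
    """Fire only when the encoded .asp is in the path the server would resolve."""
    return bool(ENCODED_ASP.search(urlsplit(request_uri(request_line)).path))


def where_matched(request_line):
    """List where the pattern occurs: 'path' and/or 'query:<param>'.  The query
    is split by hand because parse_qsl would percent-decode the values first."""
    parts = urlsplit(request_uri(request_line))
    hits = ["path"] if ENCODED_ASP.search(parts.path) else []
    for pair in parts.query.split("&"):
        name, _, value = pair.partition("=")
        if ENCODED_ASP.search(value):
            hits.append("query:" + name)
    return hits


def decoded_path(request_line):
    """The path the server actually resolves once percent-encoding is undone."""
    return unquote(urlsplit(request_uri(request_line)).path)


if __name__ == "__main__":
    for req in (GOOGLE_TOOLBAR, DIRECT_ASP):
        print(naive_match(req), path_only_match(req), where_matched(req), decoded_path(req))
```

Running it shows the toolbar request matches only in the "q" parameter while the path decodes to "/search", which is the distinction a sensor tuned for this false positive needs to make.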
