[Snort-sigs] False positives on 1:1054:6 (WEB-MISC weblogic/tomcat .jsp view source attempt)

nnposter at ...592...
Thu May 6 10:21:01 EDT 2004


Rule:  WEB-MISC weblogic/tomcat .jsp view source attempt

--
Sid: 1054

--
Summary:

--
Impact:

--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:
Current version of the rule (also) matches any time a JSP URL is being
submitted to a GET form, such as:

GET /redirection.cgi?url=/newpage.jsp

--
False Negatives:

--
Corrective Action:

--
Contributors:

-- 
Additional References:


The following proposed revision will not fix the issue completely but it
will reduce false positives by checking that the URI contains encoded
characters in the page path:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"WEB-MISC weblogic/tomcat .jsp view source attempt"; \
flow:to_server,established; uricontent:".jsp"; nocase; \
pcre:"/^\w+\s+[^\n\s\?]*%/sm"; pcre:!"/^\w+\s+[^\n\s\?]*\.jsp/smi"; \
reference:bugtraq,2527; classtype:web-application-attack; sid:1054; \
rev:7;)
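
Added example (not part of the original post, and not Snort code): a Python model of the rule's conditions, run against constructed request lines to show which ones alert before and after the revision. It assumes that uricontent matches the percent-decoded URI including the query string, and that the current rule is the proposed one without the new "%" PCRE.

```python
import re
from urllib.parse import unquote

# PCREs copied from the proposed rule; /s /m /i map to re.S, re.M, re.I.
ENCODED_IN_PATH = re.compile(r"^\w+\s+[^\n\s\?]*%", re.S | re.M)
LITERAL_JSP_IN_PATH = re.compile(r"^\w+\s+[^\n\s\?]*\.jsp", re.S | re.M | re.I)

def uricontent_jsp(request_line):
    # Assumption: uricontent sees the percent-decoded URI, query string included.
    parts = request_line.split()
    return len(parts) >= 2 and ".jsp" in unquote(parts[1]).lower()

def current_rule(request_line):
    # Assumption: the current rule is the proposed one minus the "%" PCRE.
    return uricontent_jsp(request_line) and LITERAL_JSP_IN_PATH.search(request_line) is None

def proposed_rule(request_line):
    return current_rule(request_line) and ENCODED_IN_PATH.search(request_line) is not None

# Constructed request lines; the first is the post's example with a protocol version appended.
SAMPLES = {
    "form_redirect": "GET /redirection.cgi?url=/newpage.jsp HTTP/1.0",
    "plain_jsp": "GET /index.jsp HTTP/1.0",
    "encoded_extension": "GET /index.js%70 HTTP/1.0",
    "encoded_dir_redirect": "GET /my%20files/redirection.cgi?url=/newpage.jsp HTTP/1.0",
}

def evaluate():
    # Maps sample name -> (alerts under current rule, alerts under proposed rule).
    return {name: (current_rule(line), proposed_rule(line)) for name, line in SAMPLES.items()}

if __name__ == "__main__":
    for name, (cur, new) in evaluate().items():
        print(f"{name:22} current={cur!s:5} proposed={new}")
```

The last sample still alerts under the proposed rule: an encoded character anywhere in the path, combined with a .jsp value in the query string, is the false positive that remains after the revision.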
