[Snort-sigs] False positives on 1:1054:6 (WEB-MISC weblogic/tomcat .jsp view source attempt)
nnposter at ...592...
Thu May 6 10:21:01 EDT 2004
Rule: WEB-MISC weblogic/tomcat .jsp view source attempt
--
Sid: 1054
--
Summary:
--
Impact:
--
Detailed Information:
--
Affected Systems:
--
Attack Scenarios:
--
Ease of Attack:
--
False Positives:
Current version of the rule (also) matches any time a JSP URL is being
submitted to a GET form, such as:
GET /redirection.cgi?url=/newpage.jsp
--
False Negatives:
--
Corrective Action:
--
Contributors:
--
Additional References:
The following proposed revision will not fix the issue completely but it
will reduce false positives by checking that the URI contains encoded
characters in the page path:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC weblogic/tomcat .jsp view source attempt";
flow:to_server,established; uricontent:".jsp"; nocase;
pcre:"/^\w+\s+[^\n\s\?]*%/sm"; pcre:!"/^\w+\s+[^\n\s\?]*\.jsp/smi";
reference:bugtraq,2527; classtype:web-application-attack; sid:1054;
rev:7;)
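
The proposed rule's three match conditions, run over sample request lines. This is an added example, not part of the original post or of Snort; the Python helpers, sample names and request lines are constructed here, and uricontent is only approximated by percent-decoding the URI.

```python
import re
from urllib.parse import unquote

# The two pcre options of the proposed rev:7, with Snort's /s, /m, /i
# modifiers mapped to DOTALL, MULTILINE, IGNORECASE.
PATH_HAS_PERCENT = re.compile(r"^\w+\s+[^\n\s\?]*%", re.S | re.M)
PATH_HAS_LITERAL_JSP = re.compile(r"^\w+\s+[^\n\s\?]*\.jsp", re.S | re.M | re.I)


def uricontent_jsp(request):
    """Assumption: approximate uricontent:".jsp"; nocase; by percent-decoding
    the request URI (path and query) and searching it case-insensitively."""
    uri = request.split("\r\n", 1)[0].split(" ")[1]
    return ".jsp" in unquote(uri).lower()


def proposed_rule_alerts(request):
    """True when all three options of the proposed rule match the request."""
    return (uricontent_jsp(request)
            and PATH_HAS_PERCENT.search(request) is not None
            and PATH_HAS_LITERAL_JSP.search(request) is None)  # pcre:!


# Constructed request lines (not captured traffic).
SAMPLES = {
    "form_param": "GET /redirection.cgi?url=/newpage.jsp HTTP/1.0\r\n\r\n",
    "plain_jsp": "GET /newpage.jsp HTTP/1.0\r\n\r\n",
    "encoded_ext": "GET /newpage.js%70 HTTP/1.0\r\n\r\n",
    "encoded_dir_plain_jsp": "GET /my%20docs/newpage.jsp HTTP/1.0\r\n\r\n",
    "encoded_dir_form_param":
        "GET /my%20docs/redirection.cgi?url=/newpage.jsp HTTP/1.0\r\n\r\n",
}


def evaluate():
    """Return {sample name: whether the proposed rule would alert}."""
    return {name: proposed_rule_alerts(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, alerted in evaluate().items():
        print(f"{name:24} alert={alerted}")
```

The form_param case from the post no longer alerts, while encoded_dir_form_param still does because a percent sign elsewhere in the path satisfies the first pcre.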