[Snort-sigs] False positive - sid:2303

Paul Schmehl pauls at ...1311...
Fri Mar 18 13:03:42 EST 2005


/usr/local/share/snort/web-php.rules:alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll popup.php access"; 
flow:to_server,established; uricontent:"/popup.php"; nocase; 
reference:bugtraq,8890; reference:nessus,11487; 
classtype:web-application-activity; sid:2303; rev:4;)

I have no idea what triggered this one either.  There's no "popup" or "php" 
in there, much less a "/popup.php" in the payload.  (This one only 
triggered once.)

 length = 436

000 : 47 45 54 20 2F 77 65 62 2D 63 74 2F 65 6E 38 2F   GET /web-ct/en8/
010 : 61 73 69 73 2F 74 6F 6F 6C 5F 6E 61 76 2E 61 73   asis/tool_nav.as
020 : 69 73 20 48 54 54 50 2F 31 2E 31 0D 0A 41 63 63   is HTTP/1.1..Acc
030 : 65 70 74 3A 20 2A 2F 2A 0D 0A 52 65 66 65 72 65   ept: */*..Refere
040 : 72 3A 20 68 74 74 70 3A 2F 2F 77 65 62 63 74 2E   r: http://webct.
050 : 75 74 64 61 6C 6C 61 73 2E 65 64 75 2F 53 43 52   utdallas.edu/SCR
060 : 49 50 54 2F 31 33 38 35 30 32 30 30 35 53 2F 73   IPT/138502005S/s
070 : 63 72 69 70 74 73 2F 73 65 72 76 65 5F 68 6F 6D   cripts/serve_hom
080 : 65 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 67 75 61   e..Accept-Langua
090 : 67 65 3A 20 65 6E 2D 75 73 0D 0A 41 63 63 65 70   ge: en-us..Accep
0a0 : 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A 69 70   t-Encoding: gzip
0b0 : 2C 20 64 65 66 6C 61 74 65 0D 0A 55 73 65 72 2D   , deflate..User-
0c0 : 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 34   Agent: Mozilla/4
0d0 : 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 3B 20   .0 (compatible;
0e0 : 4D 53 49 45 20 36 2E 30 3B 20 57 69 6E 64 6F 77   MSIE 6.0; Window
0f0 : 73 20 4E 54 20 35 2E 31 29 0D 0A 48 6F 73 74 3A   s NT 5.1)..Host:
100 : 20 77 65 62 63 74 2E 75 74 64 61 6C 6C 61 73 2E    webct.utdallas.
110 : 65 64 75 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A   edu..Connection:
120 : 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 43 6F 6F    Keep-Alive..Coo
130 : 6B 69 65 3A 20 57 65 62 43 54 54 69 63 6B 65 74   kie: WebCTTicket

[lines 140 through 160 removed: username/password combo]

170 : 25 32 36 65 78 70 69 72 79 25 33 44 31 31 31 31   %26expiry%3D1111
180 : 31 32 36 34 32 36 25 32 36 68 61 73 68 25 33 44   126426%26hash%3D
190 : 64 31 66 61 36 61 65 33 30 34 39 38 30 35 36 38   d1fa6ae304980568
1a0 : 39 63 34 34 63 63 35 64 34 61 35 63 63 65 65 64   9c44cc5d4a5cceed
1b0 : 0D 0A 0D 0A                                       ....

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
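Added example (my code, not the poster's and not part of the Snort distribution): it rebuilds the request from the hex dump posted above and applies the sid:2303 match condition to it. Snort's `uricontent` keyword is evaluated against the URI after http_inspect normalization, not against the raw packet, so the script models that normalization (percent-decoding, collapsing of repeated slashes and of `.`/`..` segments; a simplification of what http_inspect actually does) and compares it with a plain byte search over the whole payload. The three extra URIs at the bottom are constructed inputs to show cases where the normalized match fires while a raw search would not.

```python
import re
from urllib.parse import unquote

# Hex dump copied from the post. The poster redacted offsets 0x140-0x16f
# (three 16-byte rows holding a username/password pair), so the rebuilt
# request is 48 bytes shorter than the 436-byte packet Snort actually saw.
POSTED_DUMP = """\
000 : 47 45 54 20 2F 77 65 62 2D 63 74 2F 65 6E 38 2F   GET /web-ct/en8/
010 : 61 73 69 73 2F 74 6F 6F 6C 5F 6E 61 76 2E 61 73   asis/tool_nav.as
020 : 69 73 20 48 54 54 50 2F 31 2E 31 0D 0A 41 63 63   is HTTP/1.1..Acc
030 : 65 70 74 3A 20 2A 2F 2A 0D 0A 52 65 66 65 72 65   ept: */*..Refere
040 : 72 3A 20 68 74 74 70 3A 2F 2F 77 65 62 63 74 2E   r: http://webct.
050 : 75 74 64 61 6C 6C 61 73 2E 65 64 75 2F 53 43 52   utdallas.edu/SCR
060 : 49 50 54 2F 31 33 38 35 30 32 30 30 35 53 2F 73   IPT/138502005S/s
070 : 63 72 69 70 74 73 2F 73 65 72 76 65 5F 68 6F 6D   cripts/serve_hom
080 : 65 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 67 75 61   e..Accept-Langua
090 : 67 65 3A 20 65 6E 2D 75 73 0D 0A 41 63 63 65 70   ge: en-us..Accep
0a0 : 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A 69 70   t-Encoding: gzip
0b0 : 2C 20 64 65 66 6C 61 74 65 0D 0A 55 73 65 72 2D   , deflate..User-
0c0 : 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 34   Agent: Mozilla/4
0d0 : 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 3B 20   .0 (compatible;
0e0 : 4D 53 49 45 20 36 2E 30 3B 20 57 69 6E 64 6F 77   MSIE 6.0; Window
0f0 : 73 20 4E 54 20 35 2E 31 29 0D 0A 48 6F 73 74 3A   s NT 5.1)..Host:
100 : 20 77 65 62 63 74 2E 75 74 64 61 6C 6C 61 73 2E    webct.utdallas.
110 : 65 64 75 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A   edu..Connection:
120 : 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 43 6F 6F    Keep-Alive..Coo
130 : 6B 69 65 3A 20 57 65 62 43 54 54 69 63 6B 65 74   kie: WebCTTicket
170 : 25 32 36 65 78 70 69 72 79 25 33 44 31 31 31 31   %26expiry%3D1111
180 : 31 32 36 34 32 36 25 32 36 68 61 73 68 25 33 44   126426%26hash%3D
190 : 64 31 66 61 36 61 65 33 30 34 39 38 30 35 36 38   d1fa6ae304980568
1a0 : 39 63 34 34 63 63 35 64 34 61 35 63 63 65 65 64   9c44cc5d4a5cceed
1b0 : 0D 0A 0D 0A                                       ....
"""

_ROW = re.compile(r"^\s*([0-9a-f]+)\s*:\s(.*)$", re.I)
_PAIR = re.compile(r"[0-9A-Fa-f]{2}")
PATTERN = "/popup.php"   # the uricontent of sid:2303


def parse_hexdump(text):
    """Return (payload bytes, list of (start, end) offset gaps for redacted rows)."""
    data, gaps, expected = bytearray(), [], 0
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue                      # notes such as "[lines ... removed]"
        offset = int(m.group(1), 16)
        if offset != expected:
            gaps.append((expected, offset))
        hexfield = m.group(2)[:47]        # 16 pairs + 15 separators; ASCII column is later
        row = bytes(int(t, 16) for t in hexfield.split() if _PAIR.fullmatch(t))
        data += row
        expected = offset + len(row)
    return bytes(data), gaps


def request_uri(payload):
    """URI from the HTTP request line (decoded as latin-1 so no byte is rejected)."""
    parts = payload.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    return parts[1] if len(parts) >= 2 else ""


def normalize_uri(uri):
    """Simplified model of http_inspect URI normalization (assumption: the real
    preprocessor does more, e.g. unicode and bare-byte handling). Percent-decodes,
    then collapses '//', '/./' and resolves '/../' in the path part."""
    path, sep, query = unquote(uri).partition("?")
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out) + sep + query


def uricontent_matches(uri, pattern=PATTERN, nocase=True):
    norm = normalize_uri(uri)
    return pattern.lower() in norm.lower() if nocase else pattern in norm


def check_sid2303(payload):
    """What the rule would see versus what a raw grep of the packet would see."""
    uri = request_uri(payload)
    text = payload.decode("latin-1")
    return {
        "uri": uri,
        "normalized": normalize_uri(uri),
        "uricontent_hit": uricontent_matches(uri),
        "raw_payload_hit": PATTERN.encode() in payload.lower(),
        "decoded_payload_hit": PATTERN in unquote(text).lower(),
    }


if __name__ == "__main__":
    payload, gaps = parse_hexdump(POSTED_DUMP)
    print(len(payload), "bytes rebuilt; redacted ranges:", [tuple(map(hex, g)) for g in gaps])
    print(check_sid2303(payload))
    # Constructed URIs (not from the post): normalized match fires, raw search may not.
    for u in ("/polls/POPUP.PHP?id=1", "/polls/popup%2Ephp", "/polls//img/../popup.php"):
        print(u, "->", normalize_uri(u), uricontent_matches(u))
```

On the posted bytes neither the normalized URI nor the raw or percent-decoded payload contains `/popup.php`, which agrees with the poster's reading. The one thing the script cannot see is the 48 redacted bytes of the Cookie header, and `uricontent` only looks at the URI in any case, so the Cookie could not have satisfied this rule even if it did contain the string; if the alert came from this packet, the remaining suspects are the URI normalization path in the deployed http_inspect configuration or a different packet in the same flow.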