[Snort-sigs] False Positive for -MISC weblogic/tomcat .jsp view source attempt

Mark Ryan del Moral Talabis talabis at ...2420...
Mon Oct 3 05:35:25 EDT 2005


*False Positives:*

Hi, I think I've detected a false positive for this signature. The following
appeared in my alerts database today. It was coming from our server.

'2005-10-02 19:45:09', 'xxx.87.152.38', 'WEB-MISC weblogic/tomcat .jsp view
source attempt', 1, 'xxx.239.53.104'

I then checked the logs since I thought our server had become a staging
point for these kinds of attacks. But logs indicate that they were just
googlebar queries:

I think something in the URL of googlebar queries is causing it. I think
this must be the offending packet.

0000 00 0d 48 1f 0c 56 00 06 4f 02 ff fd 08 00 45 00 ..H..V..O.....E.
0010 02 74 77 96 40 00 80 06 0f 18 cb 57 98 26 d8 ef .tw.@......W.&..
0020 35 68 0b df 00 50 bc 24 d5 bf d4 7c b3 3c 50 18 5h...P.$...|.<P.
0030 44 70 1f 0d 00 00 47 45 54 20 2f 73 65 61 72 63 Dp....GET /searc
0040 68 3f 63 6c 69 65 6e 74 3d 6e 61 76 63 6c 69 65 h?client=navclie
0050 6e 74 2d 61 75 74 6f 26 67 6f 6f 67 6c 65 69 70 nt-auto&googleip
0060 3d 50 3b 3b 30 26 26 66 72 65 73 68 6e 65 73 73 =P;;0&&freshness
0070 5f 63 68 65 63 6b 3d 34 54 70 50 35 37 33 6d 4c _check=4TpP573mL
0080 7a 63 32 5f 72 5f 6c 4e 78 61 59 77 26 69 71 72 zc2_r_lNxaYw&iqr
0090 6e 3d 45 6b 78 44 26 6f 72 69 67 3d 30 69 44 72 n=EkxD&orig=0iDr
00a0 30 26 69 65 3d 55 54 46 2d 38 26 6f 65 3d 55 54 0&ie=UTF-8&oe=UT
00b0 46 2d 38 26 66 65 61 74 75 72 65 73 3d 52 61 6e F-8&features=Ran
00c0 6b 3a 26 71 3d 69 6e 66 6f 3a 68 74 74 70 25 33 k:&q=info:http%3
00d0 41 25 32 46 25 32 46 70 75 62 6c 69 62 25 32 45 A%2F%2Fpublib%2E
00e0 62 6f 75 6c 64 65 72 25 32 45 69 62 6d 25 32 45 boulder%2Eibm%2E
00f0 63 6f 6d 25 32 46 69 6e 66 6f 63 65 6e 74 65 72 com%2Finfocenter
0100 25 32 46 63 6d 67 6d 74 25 32 46 76 38 72 33 6d %2Fcmgmt%2Fv8r3m
0110 30 25 32 46 69 6e 64 65 78 25 32 45 6a 73 70 25 0%2Findex%2Ejsp%
0120 33 46 74 6f 70 69 63 25 33 44 25 32 46 63 6f 6d 3Ftopic%3D%2Fcom
0130 25 32 45 69 62 6d 25 32 45 73 79 73 61 64 6d 69 %2Eibm%2Esysadmi
0140 6e 25 32 45 68 6c 70 25 32 46 6d 73 72 31 30 30 n%2Ehlp%2Fmsr100
0150 34 30 25 32 45 68 74 6d 26 63 68 3d 37 30 32 33 40%2Ehtm&ch=7023
0160 38 31 37 35 35 38 32 20 48 54 54 50 2f 31 2e 31 8175582 HTTP/1.1
0170 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f ..User-Agent: Mo
0180 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 zilla/4.0 (compa
0190 74 69 62 6c 65 3b 20 47 6f 6f 67 6c 65 54 6f 6f tible; GoogleToo
01a0 6c 62 61 72 20 33 2e 30 2e 31 32 35 2e 31 2d 62 lbar 3.0.125.1-b
01b0 69 67 3b 20 57 69 6e 64 6f 77 73 20 32 30 30 30 ig; Windows 2000
01c0 20 35 2e 30 29 0d 0a 48 6f 73 74 3a 20 74 6f 6f 5.0)..Host: too
01d0 6c 62 61 72 71 75 65 72 69 65 73 2e 67 6f 6f 67 lbarqueries.goog
01e0 6c 65 2e 63 6f 6d 0d 0a 43 6f 6e 6e 65 63 74 69 le.com..Connecti
01f0 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a on: Keep-Alive..
0200 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 6e Cache-Control: n
0210 6f 2d 63 61 63 68 65 0d 0a 43 6f 6f 6b 69 65 3a o-cache..Cookie:
0220 20 50 52 45 46 3d 49 44 3d 39 35 34 62 39 62 32 PREF=ID=954b9b2
0230 37 35 38 32 62 39 38 36 64 3a 54 42 3d 32 3a 4c 7582b986d:TB=2:L
0240 44 3d 65 6e 3a 4e 52 3d 35 30 3a 54 4d 3d 31 31 D=en:NR=50:TM=11
0250 32 38 30 31 31 37 33 38 3a 4c 4d 3d 31 31 32 38 28011738:LM=1128
0260 30 39 32 37 34 37 3a 47 4d 3d 31 3a 53 3d 44 35 092747:GM=1:S=D5
0270 59 63 73 30 6c 6d 63 35 72 35 51 65 46 4d 0d 0a Ycs0lmc5r5QeFM..
0280 0d 0a

I might be wrong; if you want, I could send you the whole conversation. =)

Best Regards,
Ryan Talabis
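To triage an alert like this one, an analyst wants the request reconstructed from the packet and the URI percent-decoded, so it is clear which bytes the signature could be reacting to and where the request was actually going. The script below is an added example written for this page, not code from the poster or from the Snort project. It parses the hex dump exactly as posted (the ASCII column is ignored, since list archives mangle it), strips the Ethernet II, IPv4 and TCP headers by reading the IHL and data-offset fields, and reports the Host header, the User-Agent, whether ".jsp" occurs in the raw URI literally or only percent-encoded, and the decoded Google Toolbar search term. It makes no claim about the exact content match of the rule, which is not on the page.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Packet hex dump copied from the post above (offset, 16 hex bytes, ASCII column).
PACKET_DUMP = """\
0000 00 0d 48 1f 0c 56 00 06 4f 02 ff fd 08 00 45 00 ..H..V..O.....E.
0010 02 74 77 96 40 00 80 06 0f 18 cb 57 98 26 d8 ef .tw.@......W.&..
0020 35 68 0b df 00 50 bc 24 d5 bf d4 7c b3 3c 50 18 5h...P.$...|.<P.
0030 44 70 1f 0d 00 00 47 45 54 20 2f 73 65 61 72 63 Dp....GET /searc
0040 68 3f 63 6c 69 65 6e 74 3d 6e 61 76 63 6c 69 65 h?client=navclie
0050 6e 74 2d 61 75 74 6f 26 67 6f 6f 67 6c 65 69 70 nt-auto&googleip
0060 3d 50 3b 3b 30 26 26 66 72 65 73 68 6e 65 73 73 =P;;0&&freshness
0070 5f 63 68 65 63 6b 3d 34 54 70 50 35 37 33 6d 4c _check=4TpP573mL
0080 7a 63 32 5f 72 5f 6c 4e 78 61 59 77 26 69 71 72 zc2_r_lNxaYw&iqr
0090 6e 3d 45 6b 78 44 26 6f 72 69 67 3d 30 69 44 72 n=EkxD&orig=0iDr
00a0 30 26 69 65 3d 55 54 46 2d 38 26 6f 65 3d 55 54 0&ie=UTF-8&oe=UT
00b0 46 2d 38 26 66 65 61 74 75 72 65 73 3d 52 61 6e F-8&features=Ran
00c0 6b 3a 26 71 3d 69 6e 66 6f 3a 68 74 74 70 25 33 k:&q=info:http%3
00d0 41 25 32 46 25 32 46 70 75 62 6c 69 62 25 32 45 A%2F%2Fpublib%2E
00e0 62 6f 75 6c 64 65 72 25 32 45 69 62 6d 25 32 45 boulder%2Eibm%2E
00f0 63 6f 6d 25 32 46 69 6e 66 6f 63 65 6e 74 65 72 com%2Finfocenter
0100 25 32 46 63 6d 67 6d 74 25 32 46 76 38 72 33 6d %2Fcmgmt%2Fv8r3m
0110 30 25 32 46 69 6e 64 65 78 25 32 45 6a 73 70 25 0%2Findex%2Ejsp%
0120 33 46 74 6f 70 69 63 25 33 44 25 32 46 63 6f 6d 3Ftopic%3D%2Fcom
0130 25 32 45 69 62 6d 25 32 45 73 79 73 61 64 6d 69 %2Eibm%2Esysadmi
0140 6e 25 32 45 68 6c 70 25 32 46 6d 73 72 31 30 30 n%2Ehlp%2Fmsr100
0150 34 30 25 32 45 68 74 6d 26 63 68 3d 37 30 32 33 40%2Ehtm&ch=7023
0160 38 31 37 35 35 38 32 20 48 54 54 50 2f 31 2e 31 8175582 HTTP/1.1
0170 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f ..User-Agent: Mo
0180 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 zilla/4.0 (compa
0190 74 69 62 6c 65 3b 20 47 6f 6f 67 6c 65 54 6f 6f tible; GoogleToo
01a0 6c 62 61 72 20 33 2e 30 2e 31 32 35 2e 31 2d 62 lbar 3.0.125.1-b
01b0 69 67 3b 20 57 69 6e 64 6f 77 73 20 32 30 30 30 ig; Windows 2000
01c0 20 35 2e 30 29 0d 0a 48 6f 73 74 3a 20 74 6f 6f 5.0)..Host: too
01d0 6c 62 61 72 71 75 65 72 69 65 73 2e 67 6f 6f 67 lbarqueries.goog
01e0 6c 65 2e 63 6f 6d 0d 0a 43 6f 6e 6e 65 63 74 69 le.com..Connecti
01f0 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a on: Keep-Alive..
0200 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 6e Cache-Control: n
0210 6f 2d 63 61 63 68 65 0d 0a 43 6f 6f 6b 69 65 3a o-cache..Cookie:
0220 20 50 52 45 46 3d 49 44 3d 39 35 34 62 39 62 32 PREF=ID=954b9b2
0230 37 35 38 32 62 39 38 36 64 3a 54 42 3d 32 3a 4c 7582b986d:TB=2:L
0240 44 3d 65 6e 3a 4e 52 3d 35 30 3a 54 4d 3d 31 31 D=en:NR=50:TM=11
0250 32 38 30 31 31 37 33 38 3a 4c 4d 3d 31 31 32 38 28011738:LM=1128
0260 30 39 32 37 34 37 3a 47 4d 3d 31 3a 53 3d 44 35 092747:GM=1:S=D5
0270 59 63 73 30 6c 6d 63 35 72 35 51 65 46 4d 0d 0a Ycs0lmc5r5QeFM..
0280 0d 0a
"""

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def parse_hex_dump(dump: str) -> bytes:
    """Rebuild raw bytes from 'offset hh hh ... ascii' lines, trusting only the hex column."""
    raw = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        for tok in tokens[1:17]:  # at most 16 bytes follow the offset; ASCII column ignored
            if not HEX_BYTE.match(tok):
                break
            raw.append(int(tok, 16))
    return bytes(raw)


def tcp_payload(frame: bytes) -> bytes:
    """Strip Ethernet II (14 bytes), IPv4 (IHL * 4) and TCP (data offset * 4) headers."""
    ip = 14
    tcp = ip + (frame[ip] & 0x0F) * 4
    return frame[tcp + (frame[tcp + 12] >> 4) * 4:]


def parse_http_request(payload: bytes) -> dict:
    """Split an HTTP/1.x request into its request line and lower-cased header names."""
    head = payload.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for field in lines[1:]:
        name, _, value = field.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def triage(dump: str) -> dict:
    """Facts an analyst wants before deciding whether the alert is a false positive."""
    req = parse_http_request(tcp_payload(parse_hex_dump(dump)))
    target = req["target"]
    params = parse_qs(urlsplit(target).query)  # parse_qs percent-decodes the values
    return {
        "host": req["headers"].get("host"),
        "user_agent": req["headers"].get("user-agent"),
        "jsp_literal_in_raw_uri": ".jsp" in target.lower(),
        "jsp_encoded_in_raw_uri": "%2ejsp" in target.lower(),
        "jsp_in_decoded_uri": ".jsp" in unquote(target).lower(),
        "search_term": params.get("q", [""])[0],
    }


if __name__ == "__main__":
    for key, value in triage(PACKET_DUMP).items():
        print(f"{key}: {value}")
```

Run as-is, the script shows the request is an outbound GET to toolbarqueries.google.com from a GoogleToolbar User-Agent, that the raw URI never contains a literal ".jsp" (only the percent-encoded "%2Ejsp%" inside the q= search term, which decodes to an IBM documentation URL), and that ".jsp" appears only after decoding. Those are the facts to cite when tuning the rule locally, for instance by restricting it to traffic toward the hosts that actually serve JSP, since a server-side source-disclosure signature has little meaning on a client request leaving the network.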