[Snort-sigs] FP for EXPLOIT Oracle BEA WebLogic overlong JESSIONID buffer overflow attempt sid 15477

Russell Fulton r.fulton at ...575...
Wed Apr 29 20:23:38 EDT 2009


relevant match:uricontent:"JSESSIONID"; pcre:"/JESSIONID|3e|[^ \x20\x26\x0a]{300}/smiU";

I'm confused (so what's new ;)  I can't see how this pattern matched  
this packet.
The |3e| should not have matched.

Also there is no JSESSIONID in the uri, it is in the cookie.

What am I missing?

Russell


DATA	

HEAD /cgi-bin/Pwebrecon.cgi?SC=Author&SEQ=20090425175909&PID
=PXvCgSSxGBoDK2s17HLtjU4HkNOn&SA=Compan..i..a+de+Fomento+Cin
ematogra..fico+(Colombia) HTTP/1.0..User-Agent: Opera/9.62 (
Windows NT 5.1; U; en)..Host: voyager.auckland.ac.nz..Accept
: text/html, application/xml;q=0.9, application/xhtml+xml, i
mage/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1.
.Accept-Language: en..Accept-Charset: iso-8859-1, utf-8, utf
-16, *;q=0.1..Accept-Encoding: deflate, gzip, x-gzip, identi
ty, *;q=0..Referer: http://voyager.auckland.ac.nz..Cookie: J
SESSIONID=ba30b14653a05ef72317; CGISESSID=2ebecc78e694677733
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^                               <<<<<<<<
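An added example, not part of the original post: it replays the pcre quoted above with Python's `re` (assumed to behave like PCRE for this pattern), treating `|` as regex alternation, since the `|3e|` hex notation belongs to `content`/`uricontent` and is not interpreted inside `pcre`. The URI and Cookie strings are copied from the DATA dump as far as it is shown, with unprintable bytes left as `.`; the helper names and the last sample URI are constructed for illustration.

```python
import re

# pcre body quoted in the post. Snort hands it to PCRE unchanged, so "|" is
# alternation here and "3e" is a two-character literal branch.
RULE_PCRE = r"JESSIONID|3e|[^ \x20\x26\x0a]{300}"
FLAGS = re.S | re.M | re.I  # the rule's "smi"; "U" only selects the URI buffer

# Buffers copied from the DATA dump in the post (dump is truncated).
URI = ("/cgi-bin/Pwebrecon.cgi?SC=Author&SEQ=20090425175909&PID"
       "=PXvCgSSxGBoDK2s17HLtjU4HkNOn&SA=Compan..i..a+de+Fomento+Cin"
       "ematogra..fico+(Colombia)")
COOKIE = "JSESSIONID=ba30b14653a05ef72317; CGISESSID=2ebecc78e694677733"
CONSTRUCTED_URI = "/catalog/item?id=3e8"  # constructed, not from the post

def top_level_branches(pattern):
    """Split a regex on '|' outside character classes, groups and escapes."""
    branches, cur, depth, in_class, i = [], "", 0, False, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":                      # keep an escaped pair together
            cur += pattern[i:i + 2]
            i += 2
            continue
        if in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "|" and depth == 0:      # top-level alternation
            branches.append(cur)
            cur = ""
            i += 1
            continue
        cur += ch
        i += 1
    branches.append(cur)
    return branches

def matching_branches(buffer):
    """Return the branches of RULE_PCRE that match somewhere in buffer."""
    return [b for b in top_level_branches(RULE_PCRE)
            if re.search(b, buffer, FLAGS)]

if __name__ == "__main__":
    for name, buf in (("uri", URI), ("cookie", COOKIE),
                      ("constructed uri", CONSTRUCTED_URI)):
        print(name, "->", matching_branches(buf))
```

On the bytes shown in the dump, no branch matches either buffer; the dump is cut off after the CGISESSID value, so this says nothing about the remainder of the packet.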





