[Snort-sigs] FP on SID 16409;rev:1;

Jason Haar Jason.Haar at ...651...
Thu Apr 8 20:16:55 EDT 2010

We just had this trigger when a user accessed an Asian webapp. I guess the
Unicode chars got confused with an exploit attempt?

Attached is an ASCII dump of the URI. I can get you the pcap if you
want. This is on a system


GET /segment/dict.php?request=%3Cservice%3E%09%3Cclass%3E11%3C%2Fclass%3E%09%3Citem%3E%09%09%3Cdata%3E1104%20-%20%E7%BB%B4%E6%BF%80%E5%85%89%E6%89%AB%E6%8F%8F%E6%8A%80%E6%9C%AF%E5%9C%A8%E5%9C%B0%E9%93%81%E6%96%BD%E5%B7%A5%E8%B0%83%E7%BA%BF%E8%B0%83%E5%9D%A1%E4%B8%AD%E7%9A%84%E5%BA%94%E7%94%A8_%E5%AE%8B%E5%BE%B7%E5%8F%8B%20.ppt%3C%2Fdata%3E%09%09%3Cflag%3E7%3C%2Fflag%3E%09%09%3Cmemo%3E2%3C%2Fmemo%3E%09%3C%2Fitem%3E%20%20%3Cdictid%3E1%7C3%7C%3C%2Fdictid%3E%09%3Csecond%3E1%3C%2Fsecond%3E%3C%2Fservice%3E&cc=16519d2763a6bb09f35a013e42c9651d&t=11 HTTP/1.0
User-Agent: CBNetDataSet
Host: segment.pw08.iciba.com
Cache-Control: max-age=259200
Via: 1.0 PROXY
Connection: close


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
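
One way to triage an alert like the one reported above, as an added example that is not part of the original post and does not reproduce the logic of SID 16409: percent-decode the flagged query parameter and check whether its high bytes form well-formed UTF-8 text. The sample URI is constructed in the shape of the posted request, and the function name triage_param is hypothetical.

```python
from urllib.parse import unquote_to_bytes

# Constructed, shortened sample in the same shape as the posted request
# (percent-encoded XML carrying UTF-8 text); not the original URI.
SAMPLE_URI = ("/segment/dict.php?request=%3Cservice%3E%09%3Cdata%3E1104%20-%20"
              "%E7%BB%B4%E6%BF%80%E5%85%89.ppt%3C%2Fdata%3E%3C%2Fservice%3E&t=11")


def triage_param(uri, name):
    """Percent-decode one query parameter and describe its high-byte content.

    Returns None if the parameter is absent, otherwise a dict with counts
    an analyst can use to judge whether the bytes are ordinary encoded text.
    """
    query = uri.split("?", 1)[1] if "?" in uri else ""
    raw = None
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            raw = unquote_to_bytes(value)  # bytes, so no charset is assumed yet
            break
    if raw is None:
        return None

    report = {"length": len(raw),
              "high_bytes": sum(b >= 0x80 for b in raw)}
    try:
        # Strict decoding rejects truncated or otherwise malformed sequences.
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        report["valid_utf8"] = False
        report["first_bad_offset"] = exc.start
        return report

    report["valid_utf8"] = True
    report["non_ascii_chars"] = sum(ord(c) > 0x7F for c in text)
    # CJK Unified Ideographs block, where common Chinese text falls.
    report["cjk_chars"] = sum(0x4E00 <= ord(c) <= 0x9FFF for c in text)
    report["decoded"] = text
    return report


if __name__ == "__main__":
    print(triage_param(SAMPLE_URI, "request"))
```

A parameter whose high bytes all decode as UTF-8 and fall in one script block is consistent with ordinary encoded text; a false valid_utf8 with an offset points at the bytes worth inspecting in the pcap.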