[Snort-sigs] FP on SID 16409;rev:1;

Alex Kirk akirk at ...435...
Thu Apr 8 23:10:36 EDT 2010


A PCAP would be great. We recently found some issues with Asian character
sets in URLs that have been fixed in the 2.8.6 beta, and I'd love to test
this out against those fixes to ensure that it works.

On Thu, Apr 8, 2010 at 8:16 PM, Jason Haar <Jason.Haar at ...651...> wrote:

> We just had this trigger when a user accessed an Asian webapp. I guess the
> unicode chars got confused with an exploit attempt?
>
> Attached is an ASCII dump of the URI. I can get you the pcap if you
> want. This is on a 2.8.5.2 system.
>
>
>
> GET
> /segment/dict.php?request=%3Cservice%3E%09%3Cclass%3E11%3C%2Fclass%3E%09%3Citem%3E%09%09%3Cdata%3E1104%20-%20%E7%BB%B4%E6%BF%80%E5%85%89%E6%89%AB%E6%8F%8F%E6%8A%80%E6%9C%AF%E5%9C%A8%E5%9C%B0%E9%93%81%E6%96%BD%E5%B7%A5%E8%B0%83%E7%BA%BF%E8%B0%83%E5%9D%A1%E4%B8%AD%E7%9A%84%E5%BA%94%E7%94%A8_%E5%AE%8B%E5%BE%B7%E5%8F%8B%20.ppt%3C%2Fdata%3E%09%09%3Cflag%3E7%3C%2Fflag%3E%09%09%3Cmemo%3E2%3C%2Fmemo%3E%09%3C%2Fitem%3E%20%20%3Cdictid%3E1%7C3%7C%3C%2Fdictid%3E%09%3Csecond%3E1%3C%2Fsecond%3E%3C%2Fservice%3E&cc=16519d2763a6bb09f35a013e42c9651d&t=11
> HTTP/1.0
> User-Agent: CBNetDataSet
> Host: segment.pw08.iciba.com
> Cache-Control: max-age=259200
> Via: 1.0 PROXY
> Connection: close
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...435...
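
A triage helper for reports like the one in this thread, given here as an added example that is not part of the original messages or of Snort: it percent-decodes each query parameter of a URI and checks whether the bytes at or above 0x80 form well-formed UTF-8. `SAMPLE_URI` is a shortened excerpt of the URI quoted above, and `triage_uri` is a hypothetical name.

```python
from urllib.parse import urlsplit, unquote_to_bytes
import unicodedata

# Shortened excerpt of the request URI quoted in the report (not the full URI).
SAMPLE_URI = (
    "/segment/dict.php?request=%3Cservice%3E%09%3Cclass%3E11%3C%2Fclass%3E"
    "%09%3Cdata%3E1104%20-%20%E7%BB%B4%E6%BF%80%E5%85%89%3C%2Fdata%3E"
    "%3C%2Fservice%3E&t=11"
)


def triage_uri(uri):
    """Return one finding per query parameter of a percent-encoded URI."""
    findings = []
    for pair in urlsplit(uri).query.split("&"):
        name, _, value = pair.partition("=")
        raw = unquote_to_bytes(value)           # keep bytes, no lossy decoding
        high = sum(b >= 0x80 for b in raw)      # bytes outside 7-bit ASCII
        try:
            # Strict decoding rejects truncated, overlong and stray sequences.
            text = raw.decode("utf-8", errors="strict")
            well_formed = True
        except UnicodeDecodeError:
            text, well_formed = None, False
        cjk = sum(1 for ch in (text or "")
                  if "CJK" in unicodedata.name(ch, ""))
        findings.append({
            "param": name,
            "high_bytes": high,
            "well_formed_utf8": well_formed,
            "cjk_chars": cjk,
            "text": text,
        })
    return findings


if __name__ == "__main__":
    for finding in triage_uri(SAMPLE_URI):
        print(finding)
```

Well-formed UTF-8 that decodes to CJK ideographs is consistent with ordinary application traffic; a parameter that fails strict decoding is the case worth a closer look alongside the pcap.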