[Snort-users] OVERSIZE REQUEST-URI DIRECTORY outbound from my network

Will Button wbutton at ...13698...
Fri Feb 17 07:59:05 EST 2006


I've seen an increase in these directly related to the launch of our new
website, written in .Net 2.0.  I have not had the opportunity to inspect in
great detail what exactly is happening, since it appeared to be false alarms
related to our new site.  At first glance, it looks like some
encrypted/dotfuscated/hashed or otherwise mangled code that is being passed
to the client.

By chance, are the other URLs triggering your alarms .aspx? 

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of CasperLinux
Sent: Friday, February 17, 2006 6:32 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] OVERSIZE REQUEST-URI DIRECTORY outbound from my
network

I admit I'm new at this security evaluation - at least in this detail.  I
asked a couple of days ago about the OVERSIZE REQUEST-URI DIRECTORY hits I
was getting from external to internal networks.  I posted the payload and
was advised (by Joel I believe) that this is evidence of "typical" virus
activity.  

However, since yesterday I have been seeing this same hit originating on my
family box (WinXP) and heading outbound.  In two separate views I see within
the payload data that makes me think they are legitimate transactions.
Below is the latest from this morning and is tied to a use by my daughter of
mapquest.  I'm gonna scan the heck out of that computer but can someone
explain this to me (or better yet - point me to a web reference where I can
read and learn some more) about this problem and what it really means?  I've
searched and simply can't find enough to understand what this is trying to
tell me.

000 : 47 45 54 20 2F 3F 65 3D 39 26 47 65 74 4D 61 70   GET /?e=9&GetMap
010 : 44 69 72 65 63 74 3D 47 6D 65 35 64 69 77 25 32   Direct=Gme5diw%2
020 : 63 62 25 33 61 39 75 31 32 25 33 62 25 34 30 25   cb%3a9u12%3b%40%
030 : 32 34 78 75 25 32 64 37 67 31 66 37 32 25 32 36   24xu%2d7g1f72%26
040 : 25 33 64 79 6E 25 32 31 7A 31 35 30 36 37 25 33   %3dyn%21z15067%3
050 : 61 39 36 25 34 30 61 6C 79 32 6E 39 25 34 30 79   a96%40aly2n9%40y
060 : 25 32 36 39 72 37 73 64 34 25 32 34 78 75 72 37   %269r7sd4%24xur7
070 : 6E 25 32 36 75 32 67 75 25 32 63 61 25 33 61 39   n%26u2gu%2ca%3a9
080 : 36 37 32 25 33 62 25 34 30 62 32 30 30 25 32 34   672%3b%40b200%24
090 : 25 33 61 25 32 36 25 34 30 25 32 34 78 75 25 32   %3a%26%40%24xu%2
0a0 : 64 37 61 39 79 37 32 25 32 36 25 33 64 79 6E 25   d7a9y72%26%3dyn%
0b0 : 32 31 7A 7A 73 39 36 37 25 33 61 25 32 36 25 34   21zzs967%3a%26%4
0c0 : 30 32 32 75 36 25 32 61 25 33 61 6C 36 74 78 25   022u6%2a%3al6tx%
0d0 : 32 36 25 34 30 25 32 34 25 33 61 25 32 36 61 37   26%40%24%3a%26a7
0e0 : 25 32 36 75 66 74 67 75 36 25 32 34 25 32 65 35   %26uftgu6%24%2e5
0f0 : 75 25 34 30 67 31 61 32 32 75 25 34 30 25 32 34   u%40g1a22u%40%24
100 : 25 33 61 39 34 74 77 25 33 62 75 25 32 34 6E 64   %3a94tw%3bu%24nd
110 : 7A 37 25 32 36 31 25 32 63 62 73 35 72 25 32 34   z7%261%2cbs5r%24
120 : 25 33 61 25 32 36 75 7A 32 25 32 36 75 7A 32 30   %3a%26uz2%26uz20
130 : 72 38 78 71 25 34 30 32 30 30 25 34 30 25 32 34   r8xq%40200%40%24
140 : 6E 64 77 37 25 32 36 31 25 32 63 79 35 25 32 36   ndw7%261%2cy5%26
150 : 77 25 32 34 78 75 36 74 6E 64 25 34 30 25 35 66   w%24xu6tnd%40%5f
160 : 67 39 7A 7A 73 31 25 34 30 25 35 66 6C 25 32 36   g9zzs1%40%5fl%26
170 : 36 25 32 34 25 32 65 68 25 34 30 25 35 66 77 25   6%24%2eh%40%5fw%
180 : 32 36 25 33 64 61 25 33 61 75 25 34 30 25 35 66   26%3da%3au%40%5f
190 : 30 25 32 36 25 33 64 32 25 33 61 25 32 39 75 7A   0%26%3d2%3a%29uz
1a0 : 25 33 61 25 32 39 79 25 32 34 6E 25 32 36 25 33   %3a%29y%24n%26%3
1b0 : 64 61 25 33 61 67 25 34 30 25 35 66 6E 67 25 34   da%3ag%40%5fng%4
1c0 : 30 61 25 33 61 25 32 39 77 25 32 34 32 25 32 36   0a%3a%29w%242%26
1d0 : 25 33 64 32 25 33 61 71 25 34 30 25 35 66 30 25   %3d2%3aq%40%5f0%
1e0 : 32 36 61 25 32 34 25 32 65 64 25 34 30 74 25 33   26a%24%2ed%40t%3
1f0 : 61 25 32 39 75 37 25 33 61 39 25 34 30 25 35 66   a%29u7%3a9%40%5f
200 : 6C 25 32 36 61 74 25 33 61 25 32 39 34 31 25 33   l%26at%3a%2941%3
210 : 61 39 25 34 30 25 35 66 78 25 32 36 75 25 32 34   a9%40%5fx%26u%24
220 : 25 32 65 31 25 34 30 62 25 33 61 25 32 39 66 25   %2e1%40b%3a%29f%
230 : 32 34 6C 25 32 36 25 33 64 32 6C 25 32 36 36 25   24l%26%3d2l%266%
240 : 32 34 25 32 65 39 36 25 32 34 32 25 32 36 25 33   24%2e96%242%26%3
250 : 64 32 25 33 61 6C 25 34 30 25 35 66 73 75 25 34   d2%3al%40%5fsu%4
260 : 30 37 25 33 61 25 32 39 77 25 32 34 6E 25 32 36   07%3a%29w%24n%26
270 : 25 33 64 79 25 33 61 39 25 34 30 25 35 66 6E 75   %3dy%3a9%40%5fnu
280 : 25 34 30 37 25 33 61 25 32 39 30 25 32 34 6E 25   %407%3a%290%24n%
290 : 32 36 25 33 64 32 78 25 32 36 61 25 32 34 25 32   26%3d2x%26a%24%2
2a0 : 65 6C 61 25 32 34 32 25 32 36 25 33 64 32 25 33   ela%242%26%3d2%3
2b0 : 61 31 25 34 30 25 35 66 6E 67 25 34 30 37 25 33   a1%40%5fng%407%3
2c0 : 61 25 32 39 61 25 32 34 6E 25 32 36 25 33 64 32   a%29a%24n%26%3d2
2d0 : 6E 25 32 36 36 25 32 34 25 32 65 31 25 34 30 72   n%266%24%2e1%40r
2e0 : 25 33 61 25 32 39 61 74 25 33 61 75 25 34 30 25   %3a%29at%3au%40%
2f0 : 35 66 6E 25 32 36 61 25 32 34 25 32 65 31 34 25   5fn%26a%24%2e14%
300 : 32 34 32 25 32 36 25 33 64 62 25 33 61 31 25 34   242%26%3db%3a1%4
310 : 30 25 35 66 6E 68 25 34 30 37 25 33 61 25 32 39   0%5fnh%407%3a%29
320 : 75 25 32 34 6E 25 32 36 25 33 64 32 32 25 32 36   u%24n%26%3d22%26
330 : 30 25 32 34 25 32 65 30 25 34 30 38 25 33 61 25   0%24%2e0%408%3a%
340 : 32 39 75 37 25 33 61 6C 25 34 30 25 35 66 30 25   29u7%3al%40%5f0%
350 : 32 36 30 25 32 34 25 32 65 39 25 34 30 32 25 33   260%24%2e9%402%3
360 : 61 25 32 39 75 25 32 34 67 25 32 36 25 33 64 74   a%29u%24g%26%3dt
370 : 25 33 61 64 25 34 30 25 35 66 6C 25 32 36 77 25   %3ad%40%5fl%26w%
380 : 32 34 25 32 65 39 25 34 30 32 32 25 32 36 25 33   24%2e9%4022%26%3
390 : 64 32 25 33 61 39 25 34 30 37 25 33 61 31 25 34   d2%3a9%407%3a1%4
3a0 : 30 37 25 33 61 39 75 25 32 34 25 32 65 39 25 34   07%3a9u%24%2e9%4
3b0 : 30 32 6E 25 32 36 36 25 32 34 6E 30 25 34 30 37   02n%266%24n0%407
3c0 : 25 33 61 31 36 25 32 34 32 25 32 36 30 25 32 34   %3a16%242%260%24
3d0 : 32 25 32 36 75 7A 25 33 61 25 32 39 75 25 32 34   2%26uz%3a%29u%24
3e0 : 6E 71 25 34 30 37 25 33 61 31 25 34 30 37 25 33   nq%407%3a1%407%3
3f0 : 61 6C 77 25 32 34 32 25 32 36 75 25 32 34 32 25   alw%242%26u%242%
400 : 32 36 75 32 25 33 61 25 32 39 75 25 32 34 6C 25   26u2%3a%29u%24l%
410 : 32 36 36 25 32 34 6E 6C 25 34 30 37 25 33 61 25   266%24nl%407%3a%
420 : 32 39 61 25 32 34 25 32 65 64 25 34 30 25 35 66   29a%24%2ed%40%5f
430 : 6E 25 32 36 25 33 64 62 25 33 61 75 25 34 30 25   n%26%3db%3au%40%
440 : 35 66 6E 25 32 36 25 33 64 32 25 33 61 25 32 39   5fn%26%3d2%3a%29
450 : 30 25 32 34 25 32 65 39 25 34 30 25 35 66 77 25   0%24%2e9%40%5fw%
460 : 32 36 36 25 32 34 25 32 65 39 25 34 30 37 25 33   266%24%2e9%407%3
470 : 61 25 32 39 30 25 32 34 32 25 32 36 25 33 64 7A   a%290%242%26%3dz
480 : 25 33 61 75 25 34 30 25 35 66 6C 25 32 36 36 25   %3au%40%5fl%266%
490 : 32 34 25 32 65 39 30 25 32 34 32 25 32 36 25 33   24%2e90%242%26%3
4a0 : 64 61 25 33 61 25 32 39 75 25 32 34 25 32 65 71   da%3a%29u%24%2eq
4b0 : 7A 25 32 34 32 25 32 36 25 33 64 62 25 33 61 75   z%242%26%3db%3au
4c0 : 25 34 30 25 35 66 6C 31 25 34 30 37 25 33 61 25   %40%5fl1%407%3a%
4d0 : 32 39 30 25 32 34 32 25 32 36 25 33 64 61 78 25   290%242%26%3dax%
4e0 : 32 36 75 72 25 33 61 25 32 39 75 25 32 34 32 25   26ur%3a%29u%242%
4f0 : 32 36 7A 25 32 34 6C 25 32 36 30 25 32 34 6C 25   26z%24l%260%24l%
500 : 32 36 36 25 32 34 6E 64 34 37 25 37 63 75 25 34   266%24nd47%7cu%4
510 : 30 32 35 75 36 25 34 30 6C 25 33 62 25 34 30 7A   025u6%40l%3b%40z
520 : 61 75 61 25 32 34 25 33 61 20 48 54 54 50 2F 31   aua%24%3a HTTP/1
530 : 2E 31 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D   .1..Accept: */*.
540 : 0A 52 65 66 65 72 65 72 3A 20 68 74 74 70 3A 2F   .Referer: http:/
550 : 2F 77 77 77 2E 6D 61 70 71 75 65 73 74 2E 63 6F   /www.mapquest.co
560 : 6D 2F 64 69 72 65 63 74 69 6F 6E 73 2F 6D 61 69   m/directions/mai
570 : 6E 2E 61 64 70 3F 67 6F 3D 31 26 64 6F 3D 6E 77   n.adp?go=1&do=nw
580 : 26 72 6D 6D 3D 31 26 31 67 69 3D 30 26 75 6E 3D   &rmm=1&1gi=0&un=
590 : 6D 26 31 64 61 3D 2D 31 2E 30 30 30 30 30 30 26   m&1da=-1.000000&
5a0 : 31 72 63 3D 4C 31 41 41 41 26 63 6C 3D 45 4E 26   1rc=L1AAA&cl=EN&
5b0 : 63 74 3D 4E                                       ct=N


--
Don
- Powered by Debian Linux - 
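Added example, not code from either poster: a small Python script that rebuilds the request from a dump in the format posted above, measures each '/'-delimited span of the URI the way http_inspect's oversize_dir_length check sees it, and percent-decodes the query so the "mangled" parameter can be read as plain data. It assumes the 16-bytes-per-line dump layout shown, a 500-byte threshold (the stock snort.conf example value), and that the check treats a query string without any '/' as one long directory span.

```python
from urllib.parse import unquote

# Assumed threshold: the oversize_dir_length value used in the stock
# snort.conf http_inspect_server profile. Adjust to match your config.
OVERSIZE_DIR_LENGTH = 500
HEX_FIELD_WIDTH = 16 * 3 - 1  # 16 hex pairs separated by single spaces

# Constructed sample: the first two lines of the posted dump plus a shortened tail.
SAMPLE_DUMP = """\
000 : 47 45 54 20 2F 3F 65 3D 39 26 47 65 74 4D 61 70   GET /?e=9&GetMap
010 : 44 69 72 65 63 74 3D 47 6D 65 35 64 69 77 25 32   Direct=Gme5diw%2
020 : 63 62 25 33 61 39 75 31 32 20 48 54 54 50 2F 31   cb%3a9u12 HTTP/1
030 : 2E 31 0D 0A                                       .1..
"""

def parse_hexdump(dump: str) -> bytes:
    """Rebuild raw bytes from 'offset : 16 hex pairs   ascii' lines."""
    out = bytearray()
    for line in dump.splitlines():
        if " : " not in line:
            continue
        # Hex field ends at the triple-space before the ASCII column.
        hex_field = line.split(" : ", 1)[1].split("   ", 1)[0][:HEX_FIELD_WIDTH]
        out.extend(int(pair, 16) for pair in hex_field.split())
    return bytes(out)

def request_uri(raw: bytes) -> str:
    """Return the URI from the request line 'METHOD <uri> HTTP/1.x'."""
    request_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    return request_line.split(" ")[1]

def dir_spans(uri: str) -> list[str]:
    """Split on '/' as the directory-length check does. Assumption: the check
    measures the raw URI, so a query string with no '/' is one long span."""
    return [span for span in uri.split("/") if span]

def oversize_dirs(uri: str, limit: int = OVERSIZE_DIR_LENGTH) -> list[int]:
    """Lengths of the spans that would trip OVERSIZE REQUEST-URI DIRECTORY."""
    return [len(span) for span in dir_spans(uri) if len(span) > limit]

def decoded_query(uri: str) -> dict[str, str]:
    """Percent-decode the query so the 'mangled' value reads as plain text."""
    query = uri.split("?", 1)[1] if "?" in uri else ""
    pairs = (p.split("=", 1) for p in query.split("&") if "=" in p)
    return {k: unquote(v) for k, v in pairs}

if __name__ == "__main__":
    uri = request_uri(parse_hexdump(SAMPLE_DUMP))
    print(uri, oversize_dirs(uri, limit=30), decoded_query(uri))
```

Run against the full posted dump, the single span after the leading '/' is well over 500 bytes because the mapquest query string contains no slashes, which is what makes the alert fire on an otherwise ordinary GET.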

