[Snort-users] OVERSIZE REQUEST-URI DIRECTORY outbound from my network

East, Bill eastb at ...3694...
Wed Feb 22 06:38:03 EST 2006


With DotNet it's very likely that the code is generating a long and
complicated "viewstate" ID which is getting embedded in your URLs. For
example, in an online banking app I use, a partial viewstate is

PDtsPGk8MD47aTwzPjtpPDQ+O2k8NT47aTw2Pjs+O2w8dDxwPGw8VmlzaWJsZTs+O2w8bzxm
Pjs+Pjs7Pjt0PHA8cDxsPEJhY2tDb2xvcjtfIVNCO1Zpc2libGU7PjtsPDI8MjU1LCAyNTUs
IDI1NT47aTw4PjtvPHQ+Oz4+Oz47bDxpPDA+O2k8MT47PjtsPHQ8cDxsPGJnY29sb3I7Pjts
P

(that's less than half of it)...

So IIS servers, which previously were vulnerable to attacks based on
very long URLs, are now almost guaranteed to receive them. Welcome to
the world of the future.

-- 
be - MOS

Logic doesn't apply to the real world.  --Marvin Minsky
 
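To see what a "viewstate" like the one quoted above really is, here is an added example (not from Bill's mail or from any ASP.NET code) that base64-decodes the fragment, copes with the dangling "P" where the quote was cut off, and tells the two ASP.NET serializers apart. The LosFormatter/ObjectStateFormatter fingerprints are general ASP.NET knowledge; the printable-ratio heuristic is an assumption of this example, not a rule from the thread.

```python
import base64
import string

# The ViewState fragment quoted in the mail: three full base64 lines plus the
# dangling "P" where the author cut it off.  Copied from the thread, not constructed.
VIEWSTATE_FRAGMENT = (
    "PDtsPGk8MD47aTwzPjtpPDQ+O2k8NT47aTw2Pjs+O2w8dDxwPGw8VmlzaWJsZTs+O2w8bzxm"
    "Pjs+Pjs7Pjt0PHA8cDxsPEJhY2tDb2xvcjtfIVNCO1Zpc2libGU7PjtsPDI8MjU1LCAyNTUs"
    "IDI1NT47aTw4PjtvPHQ+Oz4+Oz47bDxpPDA+O2k8MT47PjtsPHQ8cDxsPGJnY29sb3I7Pjts"
    "P"
)


def decode_truncated_base64(s):
    """Base64-decode a fragment that may have been cut off mid-stream.

    A trailing group of one character cannot encode a whole byte, so it is
    dropped; a remainder of two or three characters is padded with '='.
    """
    s = "".join(s.split())          # tolerate line breaks and spaces
    s = s.rstrip("=")
    if len(s) % 4 == 1:
        s = s[:-1]
    return base64.b64decode(s + "=" * (-len(s) % 4))


def classify_viewstate(b64):
    """Identify which ASP.NET serializer produced a ViewState blob.

    .NET 1.x LosFormatter emits readable text built from '<', '>', ';' and
    short type tags (l<, i<, t<, p<, o<).  .NET 2.0 ObjectStateFormatter emits
    a binary stream beginning with 0xFF 0x01, so its base64 starts with '/wE'.
    The 95% printable threshold is an assumption of this example.
    """
    raw = decode_truncated_base64(b64)
    if raw[:2] == b"\xff\x01":
        return "ObjectStateFormatter (.NET 2.0+)"
    text = raw.decode("ascii", errors="replace")
    printable = sum(ch in string.printable for ch in text) / max(len(text), 1)
    if printable > 0.95 and "<" in text and ";" in text:
        return "LosFormatter (.NET 1.x)"
    return "unknown"


if __name__ == "__main__":
    decoded = decode_truncated_base64(VIEWSTATE_FRAGMENT)
    print(classify_viewstate(VIEWSTATE_FRAGMENT))
    print(decoded.decode("ascii", errors="replace"))
```

Run against the quoted fragment, the decoder yields plain text such as `<;l<i<0>;i<3>;...Visible;>...BackColor;...255, 255, 255>` (control visibility flags and a white background colour), which is the .NET 1.x LosFormatter layout: serialized control state, not encryption or obfuscation. A .NET 2.0 site such as the one Will describes would instead produce a blob starting with `/wE`, which decodes to binary and looks far more like "mangled code" in a packet dump, while still being just page state.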

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net 
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of 
> Will Button
> Sent: Friday, February 17, 2006 10:58 AM
> To: CasperLinux; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] OVERSIZE REQUEST-URI DIRECTORY 
> outbound from my network
> 
> I've seen an increase in these directly related to the launch 
> of our new website, written in .Net 2.0.  I have not had the 
> opportunity to inspect in great detail what exactly is 
> happening, since it appeared to be false alarms related to 
> our new site.  At first glance, it looks like some 
> encrypted/dotfuscated/hashed or otherwise mangled code that 
> is being passed to the client.
> 
> By chance, are the other URLs triggering your alarms .aspx? 
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of 
> CasperLinux
> Sent: Friday, February 17, 2006 6:32 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] OVERSIZE REQUEST-URI DIRECTORY 
> outbound from my network
> 
> I admit I'm new at this security evaluation - at least in 
> this detail.  I asked a couple of days ago about the OVERSIZE 
> REQUEST-URI DIRECTORY hits I was getting from external to 
> internal networks.  I posted the payload and was advised (by 
> Joel I believe) that this is evidence of "typical" virus activity.  
> 
> However, since yesterday I have been seeing this same hit 
> originating on my family box (WinXP) and heading outbound.  
> In two separate views I see, within the payload, data that 
> makes me think they are legitimate transactions.
> Below is the latest from this morning and is tied to a use by 
> my daughter of mapquest.  I'm gonna scan the heck out of that 
> computer but can someone explain this to me (or better yet - 
> point me to a web reference where I can read and learn some 
> more) about this problem and what it really means?  I've 
> searched and simply can't find enough to understand what this 
> is trying to tell me.
> 
> 000 : 47 45 54 20 2F 3F 65 3D 39 26 47 65 74 4D 61 70   GET /?e=9&GetMap
> 010 : 44 69 72 65 63 74 3D 47 6D 65 35 64 69 77 25 32   Direct=Gme5diw%2
> 020 : 63 62 25 33 61 39 75 31 32 25 33 62 25 34 30 25   cb%3a9u12%3b%40%
> 030 : 32 34 78 75 25 32 64 37 67 31 66 37 32 25 32 36   24xu%2d7g1f72%26
> 040 : 25 33 64 79 6E 25 32 31 7A 31 35 30 36 37 25 33   %3dyn%21z15067%3
> 050 : 61 39 36 25 34 30 61 6C 79 32 6E 39 25 34 30 79   a96%40aly2n9%40y
> 060 : 25 32 36 39 72 37 73 64 34 25 32 34 78 75 72 37   %269r7sd4%24xur7
> 070 : 6E 25 32 36 75 32 67 75 25 32 63 61 25 33 61 39   n%26u2gu%2ca%3a9
> 080 : 36 37 32 25 33 62 25 34 30 62 32 30 30 25 32 34   672%3b%40b200%24
> 090 : 25 33 61 25 32 36 25 34 30 25 32 34 78 75 25 32   %3a%26%40%24xu%2
> 0a0 : 64 37 61 39 79 37 32 25 32 36 25 33 64 79 6E 25   d7a9y72%26%3dyn%
> 0b0 : 32 31 7A 7A 73 39 36 37 25 33 61 25 32 36 25 34   21zzs967%3a%26%4
> 0c0 : 30 32 32 75 36 25 32 61 25 33 61 6C 36 74 78 25   022u6%2a%3al6tx%
> 0d0 : 32 36 25 34 30 25 32 34 25 33 61 25 32 36 61 37   26%40%24%3a%26a7
> 0e0 : 25 32 36 75 66 74 67 75 36 25 32 34 25 32 65 35   %26uftgu6%24%2e5
> 0f0 : 75 25 34 30 67 31 61 32 32 75 25 34 30 25 32 34   u%40g1a22u%40%24
> 100 : 25 33 61 39 34 74 77 25 33 62 75 25 32 34 6E 64   %3a94tw%3bu%24nd
> 110 : 7A 37 25 32 36 31 25 32 63 62 73 35 72 25 32 34   z7%261%2cbs5r%24
> 120 : 25 33 61 25 32 36 75 7A 32 25 32 36 75 7A 32 30   %3a%26uz2%26uz20
> 130 : 72 38 78 71 25 34 30 32 30 30 25 34 30 25 32 34   r8xq%40200%40%24
> 140 : 6E 64 77 37 25 32 36 31 25 32 63 79 35 25 32 36   ndw7%261%2cy5%26
> 150 : 77 25 32 34 78 75 36 74 6E 64 25 34 30 25 35 66   w%24xu6tnd%40%5f
> 160 : 67 39 7A 7A 73 31 25 34 30 25 35 66 6C 25 32 36   g9zzs1%40%5fl%26
> 170 : 36 25 32 34 25 32 65 68 25 34 30 25 35 66 77 25   6%24%2eh%40%5fw%
> 180 : 32 36 25 33 64 61 25 33 61 75 25 34 30 25 35 66   26%3da%3au%40%5f
> 190 : 30 25 32 36 25 33 64 32 25 33 61 25 32 39 75 7A   0%26%3d2%3a%29uz
> 1a0 : 25 33 61 25 32 39 79 25 32 34 6E 25 32 36 25 33   %3a%29y%24n%26%3
> 1b0 : 64 61 25 33 61 67 25 34 30 25 35 66 6E 67 25 34   da%3ag%40%5fng%4
> 1c0 : 30 61 25 33 61 25 32 39 77 25 32 34 32 25 32 36   0a%3a%29w%242%26
> 1d0 : 25 33 64 32 25 33 61 71 25 34 30 25 35 66 30 25   %3d2%3aq%40%5f0%
> 1e0 : 32 36 61 25 32 34 25 32 65 64 25 34 30 74 25 33   26a%24%2ed%40t%3
> 1f0 : 61 25 32 39 75 37 25 33 61 39 25 34 30 25 35 66   a%29u7%3a9%40%5f
> 200 : 6C 25 32 36 61 74 25 33 61 25 32 39 34 31 25 33   l%26at%3a%2941%3
> 210 : 61 39 25 34 30 25 35 66 78 25 32 36 75 25 32 34   a9%40%5fx%26u%24
> 220 : 25 32 65 31 25 34 30 62 25 33 61 25 32 39 66 25   %2e1%40b%3a%29f%
> 230 : 32 34 6C 25 32 36 25 33 64 32 6C 25 32 36 36 25   24l%26%3d2l%266%
> 240 : 32 34 25 32 65 39 36 25 32 34 32 25 32 36 25 33   24%2e96%242%26%3
> 250 : 64 32 25 33 61 6C 25 34 30 25 35 66 73 75 25 34   d2%3al%40%5fsu%4
> 260 : 30 37 25 33 61 25 32 39 77 25 32 34 6E 25 32 36   07%3a%29w%24n%26
> 270 : 25 33 64 79 25 33 61 39 25 34 30 25 35 66 6E 75   %3dy%3a9%40%5fnu
> 280 : 25 34 30 37 25 33 61 25 32 39 30 25 32 34 6E 25   %407%3a%290%24n%
> 290 : 32 36 25 33 64 32 78 25 32 36 61 25 32 34 25 32   26%3d2x%26a%24%2
> 2a0 : 65 6C 61 25 32 34 32 25 32 36 25 33 64 32 25 33   ela%242%26%3d2%3
> 2b0 : 61 31 25 34 30 25 35 66 6E 67 25 34 30 37 25 33   a1%40%5fng%407%3
> 2c0 : 61 25 32 39 61 25 32 34 6E 25 32 36 25 33 64 32   a%29a%24n%26%3d2
> 2d0 : 6E 25 32 36 36 25 32 34 25 32 65 31 25 34 30 72   n%266%24%2e1%40r
> 2e0 : 25 33 61 25 32 39 61 74 25 33 61 75 25 34 30 25   %3a%29at%3au%40%
> 2f0 : 35 66 6E 25 32 36 61 25 32 34 25 32 65 31 34 25   5fn%26a%24%2e14%
> 300 : 32 34 32 25 32 36 25 33 64 62 25 33 61 31 25 34   242%26%3db%3a1%4
> 310 : 30 25 35 66 6E 68 25 34 30 37 25 33 61 25 32 39   0%5fnh%407%3a%29
> 320 : 75 25 32 34 6E 25 32 36 25 33 64 32 32 25 32 36   u%24n%26%3d22%26
> 330 : 30 25 32 34 25 32 65 30 25 34 30 38 25 33 61 25   0%24%2e0%408%3a%
> 340 : 32 39 75 37 25 33 61 6C 25 34 30 25 35 66 30 25   29u7%3al%40%5f0%
> 350 : 32 36 30 25 32 34 25 32 65 39 25 34 30 32 25 33   260%24%2e9%402%3
> 360 : 61 25 32 39 75 25 32 34 67 25 32 36 25 33 64 74   a%29u%24g%26%3dt
> 370 : 25 33 61 64 25 34 30 25 35 66 6C 25 32 36 77 25   %3ad%40%5fl%26w%
> 380 : 32 34 25 32 65 39 25 34 30 32 32 25 32 36 25 33   24%2e9%4022%26%3
> 390 : 64 32 25 33 61 39 25 34 30 37 25 33 61 31 25 34   d2%3a9%407%3a1%4
> 3a0 : 30 37 25 33 61 39 75 25 32 34 25 32 65 39 25 34   07%3a9u%24%2e9%4
> 3b0 : 30 32 6E 25 32 36 36 25 32 34 6E 30 25 34 30 37   02n%266%24n0%407
> 3c0 : 25 33 61 31 36 25 32 34 32 25 32 36 30 25 32 34   %3a16%242%260%24
> 3d0 : 32 25 32 36 75 7A 25 33 61 25 32 39 75 25 32 34   2%26uz%3a%29u%24
> 3e0 : 6E 71 25 34 30 37 25 33 61 31 25 34 30 37 25 33   nq%407%3a1%407%3
> 3f0 : 61 6C 77 25 32 34 32 25 32 36 75 25 32 34 32 25   alw%242%26u%242%
> 400 : 32 36 75 32 25 33 61 25 32 39 75 25 32 34 6C 25   26u2%3a%29u%24l%
> 410 : 32 36 36 25 32 34 6E 6C 25 34 30 37 25 33 61 25   266%24nl%407%3a%
> 420 : 32 39 61 25 32 34 25 32 65 64 25 34 30 25 35 66   29a%24%2ed%40%5f
> 430 : 6E 25 32 36 25 33 64 62 25 33 61 75 25 34 30 25   n%26%3db%3au%40%
> 440 : 35 66 6E 25 32 36 25 33 64 32 25 33 61 25 32 39   5fn%26%3d2%3a%29
> 450 : 30 25 32 34 25 32 65 39 25 34 30 25 35 66 77 25   0%24%2e9%40%5fw%
> 460 : 32 36 36 25 32 34 25 32 65 39 25 34 30 37 25 33   266%24%2e9%407%3
> 470 : 61 25 32 39 30 25 32 34 32 25 32 36 25 33 64 7A   a%290%242%26%3dz
> 480 : 25 33 61 75 25 34 30 25 35 66 6C 25 32 36 36 25   %3au%40%5fl%266%
> 490 : 32 34 25 32 65 39 30 25 32 34 32 25 32 36 25 33   24%2e90%242%26%3
> 4a0 : 64 61 25 33 61 25 32 39 75 25 32 34 25 32 65 71   da%3a%29u%24%2eq
> 4b0 : 7A 25 32 34 32 25 32 36 25 33 64 62 25 33 61 75   z%242%26%3db%3au
> 4c0 : 25 34 30 25 35 66 6C 31 25 34 30 37 25 33 61 25   %40%5fl1%407%3a%
> 4d0 : 32 39 30 25 32 34 32 25 32 36 25 33 64 61 78 25   290%242%26%3dax%
> 4e0 : 32 36 75 72 25 33 61 25 32 39 75 25 32 34 32 25   26ur%3a%29u%242%
> 4f0 : 32 36 7A 25 32 34 6C 25 32 36 30 25 32 34 6C 25   26z%24l%260%24l%
> 500 : 32 36 36 25 32 34 6E 64 34 37 25 37 63 75 25 34   266%24nd47%7cu%4
> 510 : 30 32 35 75 36 25 34 30 6C 25 33 62 25 34 30 7A   025u6%40l%3b%40z
> 520 : 61 75 61 25 32 34 25 33 61 20 48 54 54 50 2F 31   aua%24%3a HTTP/1
> 530 : 2E 31 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D   .1..Accept: */*.
> 540 : 0A 52 65 66 65 72 65 72 3A 20 68 74 74 70 3A 2F   .Referer: http:/
> 550 : 2F 77 77 77 2E 6D 61 70 71 75 65 73 74 2E 63 6F   /www.mapquest.co
> 560 : 6D 2F 64 69 72 65 63 74 69 6F 6E 73 2F 6D 61 69   m/directions/mai
> 570 : 6E 2E 61 64 70 3F 67 6F 3D 31 26 64 6F 3D 6E 77   n.adp?go=1&do=nw
> 580 : 26 72 6D 6D 3D 31 26 31 67 69 3D 30 26 75 6E 3D   &rmm=1&1gi=0&un=
> 590 : 6D 26 31 64 61 3D 2D 31 2E 30 30 30 30 30 30 26   m&1da=-1.000000&
> 5a0 : 31 72 63 3D 4C 31 41 41 41 26 63 6C 3D 45 4E 26   1rc=L1AAA&cl=EN&
> 5b0 : 63 74 3D 4E                                       ct=N
> 
> 
> --
> Don
> - Powered by Debian Linux - 
> 
> 
> 
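The question in the quoted mail is really "what is this alert measuring, and is this payload a legitimate request?". The following added triage helper (not from the thread, Snort, or MapQuest) answers that from a Snort-style payload dump: it decodes the hex column back to bytes, rebuilds the request line and headers, and measures the longest '/'-delimited segment of the Request-URI, which is what http_inspect's OVERSIZE REQUEST-URI DIRECTORY check compares against its oversize_dir_length setting. The embedded rows are the first three and last twelve rows of the dump quoted above, so the rebuilt URI is only 53 bytes where the real one spans offsets 0x004 to 0x528 (about 1,300 bytes); the threshold of 500, and the choice to measure path and query together, are assumptions of this example.

```python
import re

# Excerpt of the payload dump quoted in the thread (rows 000-020 and 520-5b0),
# kept in Snort's "offset : hex   ascii" layout with the mail's "> " quoting.
# The middle of the request is omitted, so this is a constructed, shortened sample.
SAMPLE_DUMP = """\
> 000 : 47 45 54 20 2F 3F 65 3D 39 26 47 65 74 4D 61 70   GET /?e=9&GetMap
> 010 : 44 69 72 65 63 74 3D 47 6D 65 35 64 69 77 25 32   Direct=Gme5diw%2
> 020 : 63 62 25 33 61 39 75 31 32 25 33 62 25 34 30 25   cb%3a9u12%3b%40%
> 520 : 61 75 61 25 32 34 25 33 61 20 48 54 54 50 2F 31   aua%24%3a HTTP/1
> 530 : 2E 31 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D   .1..Accept: */*.
> 540 : 0A 52 65 66 65 72 65 72 3A 20 68 74 74 70 3A 2F   .Referer: http:/
> 550 : 2F 77 77 77 2E 6D 61 70 71 75 65 73 74 2E 63 6F   /www.mapquest.co
> 560 : 6D 2F 64 69 72 65 63 74 69 6F 6E 73 2F 6D 61 69   m/directions/mai
> 570 : 6E 2E 61 64 70 3F 67 6F 3D 31 26 64 6F 3D 6E 77   n.adp?go=1&do=nw
> 580 : 26 72 6D 6D 3D 31 26 31 67 69 3D 30 26 75 6E 3D   &rmm=1&1gi=0&un=
> 590 : 6D 26 31 64 61 3D 2D 31 2E 30 30 30 30 30 30 26   m&1da=-1.000000&
> 5a0 : 31 72 63 3D 4C 31 41 41 41 26 63 6C 3D 45 4E 26   1rc=L1AAA&cl=EN&
> 5b0 : 63 74 3D 4E                                       ct=N
"""

# "offset : rest-of-row", with an optional mail-quote prefix in front.
DUMP_ROW = re.compile(r"^\s*(?:>\s*)?([0-9a-fA-F]{3,4})\s*:\s(.*)$")
HEX_COLUMN_WIDTH = 16 * 3   # 16 bytes rendered as "XX " each; ASCII column follows

# Assumed http_inspect_server oversize_dir_length; check the sensor's snort.conf.
OVERSIZE_DIR_LENGTH = 500


def parse_snort_dump(text):
    """Return the raw bytes of a Snort-style hex/ASCII payload dump.

    Only the hex column is decoded.  The ASCII column is lossy (non-printable
    bytes are shown as '.'), so it is ignored.  Mail quoting ('> ') is tolerated.
    """
    out = bytearray()
    for line in text.splitlines():
        m = DUMP_ROW.match(line)
        if not m:
            continue
        out += bytes.fromhex(m.group(2)[:HEX_COLUMN_WIDTH])
    return bytes(out)


def parse_request(raw):
    """Split an HTTP request into (method, uri, version, headers).

    The capture is cut off mid-header, so the last header may be incomplete;
    the parser keeps whatever was captured.
    """
    text = raw.decode("latin-1")
    head, _, _body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, sep, value = h.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return method, uri, version, headers


def directory_lengths(uri):
    """Lengths of the '/'-delimited segments of the Request-URI.

    Path and query are measured together (an assumption about what the
    preprocessor counts); this request has a single '/', so either reading
    gives the same answer.
    """
    return [len(seg) for seg in uri.split("/") if seg]


def triage(dump_text, threshold=OVERSIZE_DIR_LENGTH):
    """Summarise what the alert saw: URI size, longest directory, and context."""
    method, uri, version, headers = parse_request(parse_snort_dump(dump_text))
    longest = max(directory_lengths(uri), default=0)
    return {
        "method": method,
        "version": version,
        "uri_length": len(uri),
        "longest_dir": longest,
        "would_alert": longest > threshold,
        "referer": headers.get("Referer", ""),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

On the full dump the longest segment is the entire query string, well past any sensible directory threshold, while the Referer points back to www.mapquest.com/directions/: a long, opaque, single-segment URI generated by a web application and sent back to the same site. That combination is the signature of encoded page state (ViewState or, here, an encoded map-request blob), which the preprocessor cannot distinguish from a deliberately oversized path. The practical remedies are to raise oversize_dir_length for the sensor, or suppress or threshold this event for the application's own traffic, rather than to disable the check altogether.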