Snort mailing list archives

about 'WEB-MISC weblogic/tomcat .jsp view source attempt'


From: 강명훈 <mhkang589 () gmail com>
Date: Sat, 27 Jun 2015 23:42:21 +0900

Hi, all.
I have a question.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"WEB-MISC weblogic/tomcat .jsp view source attempt"; \
    flow:to_server,established; \
    content:".jsp"; nocase; http_uri; \
    pcre:!"/^\w+\s+[^\n\s\?]*\.jsp/smi"; \
    metadata:ruleset community, service http; reference:bugtraq,2527; \
    classtype:web-application-attack; sid:1054; rev:14;)

The regex (^\w+\s+[^\n\s\?]*\.jsp) of that rule matched only the following
patterns.

GET /web/20031202153402/http://www.gartner.com/5_about/press_releases/pr2003.jsp

But the rule makes the following log because of the negative option (!):

GET /wlo/Logging?dv=805417762|ver=1.0.0|sid=card|r=http://card.co.kr/app/index.jsp

I think the negative option (!) should be erased.
Is it correct?

-- 

kangmyounghun.blogspot.kr
kr.linkedin.com/pub/myounghun-kang/74/238/93a
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
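
An added example, not part of the original message and not Snort code: a Python model of sid:1054 evaluated over the two requests quoted in the message, once with the rule as posted (pcre negated) and once with the "!" removed. It assumes the pcre runs against the raw payload because it carries no buffer modifier, approximates http_uri normalization with percent-decoding, and uses a constructed HTTP version and Host header; all function names are hypothetical.

```python
import re
from urllib.parse import unquote

# pcre from sid:1054; Snort's /smi flags map to re.S | re.M | re.I
JSP_PCRE = re.compile(r"^\w+\s+[^\n\s\?]*\.jsp", re.S | re.M | re.I)

def request_uri(payload: str) -> str:
    """URI field of the request line (METHOD SP URI SP VERSION)."""
    parts = payload.split("\r\n", 1)[0].split(" ")
    return parts[1] if len(parts) >= 2 else ""

def content_hit(payload: str) -> bool:
    """Model of content:".jsp"; nocase; http_uri; (path and query string).
    Assumption: percent-decoding stands in for Snort's URI normalization."""
    return ".jsp" in unquote(request_uri(payload)).lower()

def pcre_hit(payload: str) -> bool:
    """The pcre has no buffer modifier, so it sees the raw payload.
    [^\\n\\s\\?]* cannot cross '?', so only the path part can reach '.jsp'."""
    return JSP_PCRE.search(payload) is not None

def alerts(payload: str, negated: bool = True) -> bool:
    """negated=True: rule as posted (pcre:!"..."); False: '!' removed."""
    hit = pcre_hit(payload)
    return content_hit(payload) and (not hit if negated else hit)

# Request lines from the message; version and Host header are constructed.
TAIL = " HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
ARCHIVE_REQ = ("GET /web/20031202153402/http://www.gartner.com"
               "/5_about/press_releases/pr2003.jsp" + TAIL)
LOGGING_REQ = ("GET /wlo/Logging?dv=805417762|ver=1.0.0|sid=card"
               "|r=http://card.co.kr/app/index.jsp" + TAIL)

def evaluate() -> dict:
    """Alert decision per request for both rule variants."""
    samples = {"archive": ARCHIVE_REQ, "logging": LOGGING_REQ}
    return {
        name: {"as_posted": alerts(req, negated=True),
               "without_negation": alerts(req, negated=False)}
        for name, req in samples.items()
    }

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(name, result)
```

As posted, only the Logging request alerts: the http_uri content match sees ".jsp" in the query string, while the pcre stops at "?" and never reaches it. With the "!" removed the decision inverts, and the ordinary request whose path ends in .jsp alerts instead.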

