GROUP_NAME=WEBLOGIC
GROUP_DESCRIPTION=These sigs detect unusual, possibly malicious WebLogic application server queries/traffic. NOTE: This library currently uses the 'W' COMPLEX rule to watch for traffic on known Web ports. However, this is sub-optimal: often WebLogic servers run on alternate ports such as 5000, 7001, etc., so these signatures will not monitor the right traffic. Some of these signatures are likely to false-positive on generic Web traffic, whereas if they were watching purely WebLogic sessions, their false positive rate would be very low; those signatures are currently disabled (re-enable them only after assigning them to a WebLogic-specific COMPLEX rule).

# $Id: WEBLOGIC.lib,v 1.3 2006/05/19 15:10:31 hlein Exp $

NAME=WEBLOGIC:DIR
SIGNATURE=T D A S 4 20 W WEBLOGIC:DIR get/20/2f , /2f/20http/2f
DESCRIPTION=This sig is *disabled*, because it will false positive too much on regular web traffic; assign a specific COMPLEX rule for WebLogic traffic before you re-enable it. This signature triggers whenever a directory listing is requested from the WebLogic server. This should never happen in normal operation, and may be a sign of an attacker attempting to discover the layout of the site. Note that sometimes developers will browse a back-end WebLogic application server directly, which may set off false positives of this event.
MODIFIED=Y
DISABLED=Y

NAME=WEBLOGIC:TEMPLATES
SIGNATURE=T D A S 1 30 W WEBLOGIC:TEMPLATES /2ftemplates/2f
DESCRIPTION=This sig is *disabled*, because it will false positive too much on regular web traffic; assign a specific COMPLEX rule for WebLogic traffic before you re-enable it. This signature triggers whenever a URL is requested from WebLogic which contains '/templates/'. This path element should be implied by the WebLogic servers for all JSP pages--it should never appear literally in queries, unless applications are misconfigured to have non-JSP content "misplaced" under the /templates/ tree. This may be a sign of an attacker exploiting a showcode bug, or attempting to explore the WebLogic server setup.
MODIFIED=Y
DISABLED=Y

NAME=WEBLOGIC:SHOWCODE-FILE
SIGNATURE=T D A S 3 80 W WEBLOGIC:SHOWCODE-FILE /2ffile/2f
DESCRIPTION=This sig is *disabled*, because it will false positive too much on regular web traffic; assign a specific COMPLEX rule for WebLogic traffic before you re-enable it. There is a known flaw in the WebLogic configuration shipped by BEA whereby adding '/file/' to a request for a .jsp will download the source code for that page, rather than execute it. This was the first of a series of 'showcode' vulnerabilities discovered with WebLogic.
MODIFIED=Y
DISABLED=Y

NAME=BLUEMARTINI:BMEXCEPTION
SIGNATURE=T S A S 20 0 W BLUEMARTINI:BMEXCEPTION bmexception
DESCRIPTION=By default, any of a number of internal WebLogic errors may throw a verbose error page to the user. These errors may have been triggered by an attacker attempting to manipulate the server, or by an (innocent, but still harmful) internal error within the application. This signature detects an outbound error message from the Blue Martini software (running on WebLogic or WebSphere) by the characteristic 'bmexception' text in the error. Of course, this will not be seen if you've configured an alternate, generic error message, which is recommended.
MODIFIED=Y
DISABLED=N

NAME=WEBLOGIC:STACKTRACE
SIGNATURE=T S A S 20 0 W WEBLOGIC:STACKTRACE stack/20trace:
DESCRIPTION=By default, any of a number of internal WebLogic errors may throw a verbose error page to the user. These errors may have been triggered by an attacker attempting to manipulate the WebLogic server, or by an (innocent, but still harmful) internal error within the application. This signature detects an outbound error message by the characteristic 'Stack trace' text in the error. Of course, this will not be seen if you've configured an alternate, generic error message, which is recommended.
MODIFIED=Y
DISABLED=N

NAME=WEBLOGIC:ERRORMSG
SIGNATURE=T S A B 10 150 W WEBLOGIC:ERRORMSG /3ctitle/3eAn/20Error/20Has/20Occured/3c/2ftitle/3e
DESCRIPTION=By default, any of a number of internal WebLogic errors may throw a verbose error page to the user. These errors may have been triggered by an attacker attempting to manipulate the WebLogic server, or by an (innocent, but still harmful) internal error within the application. This signature detects an outbound page with the title "An Error Has Occurred". Of course, this will not be seen if you've configured an alternate, generic error message, which is recommended.
MODIFIED=Y
DISABLED=N

NAME=WEBLOGIC:JSPSOURCE
SIGNATURE=T S A B 60 0 W WEBLOGIC:JSPSOURCE /3c/25 , /0a/25/3e
DESCRIPTION=There have been a number of 'showcode' vulnerabilities in WebLogic which allow an attacker to download raw JSP source code rather than having the server execute compiled code. This signature attempts to detect outbound JSP source code by seeing '<%' followed by '\n%>' in the output stream. Note that if a WebLogic server is serving binary image files, this signature may trigger false positives on GIF and JPG files. The '\n' is an attempt to suppress false positives, although it may actually cause this signature to fail to detect accesses of JSP code which does not match this pattern exactly.
MODIFIED=Y
DISABLED=N
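The following is an added example, not part of this library or of the Dragon sensor: it decodes the '/xx' hex-escaped pattern syntax used in the SIGNATURE lines above and runs the library's own patterns over constructed request and response samples, so you can see which ones fire (and which do not) before re-enabling the disabled entries. It assumes matching is case-insensitive, that every comma-separated string must be present in the payload, that 'D' sigs watch client requests and 'S' sigs watch server responses, and it ignores the DISABLED flag; the two numeric fields are kept but not interpreted.

```python
import re

# Added example (not part of the Dragon WEBLOGIC library): decode the '/xx'
# hex-escaped pattern syntax and run the page's signatures over sample traffic.
# Assumptions: case-insensitive matching, all comma-separated strings must be
# present, 'D' = client request, 'S' = server response, DISABLED is ignored.

_ESC = re.compile(r"/([0-9a-fA-F]{2})")

def decode_pattern(pat: str) -> bytes:
    """'/2f' -> '/', '/20' -> ' ', '/0a' -> newline; other text is literal."""
    return _ESC.sub(lambda m: chr(int(m.group(1), 16)), pat).encode("latin-1")

def parse_signature(line: str) -> dict:
    """Split 'T D A S 4 20 W NAME pat1 , pat2' into its fields. The meaning
    of the two numeric fields is not documented on the page; they are kept."""
    proto, direction, action, kind, n1, n2, rule, name, rest = line.split(None, 8)
    return {"name": name, "direction": direction, "rule": rule,
            "patterns": [decode_pattern(p) for p in rest.split(" , ")]}

def matches(sig: dict, payload: bytes) -> bool:
    hay = payload.lower()
    return all(p.lower() in hay for p in sig["patterns"])

# The SIGNATURE values exactly as they appear in the library above.
SIGS = [parse_signature(s) for s in (
    "T D A S 4 20 W WEBLOGIC:DIR get/20/2f , /2f/20http/2f",
    "T D A S 1 30 W WEBLOGIC:TEMPLATES /2ftemplates/2f",
    "T D A S 3 80 W WEBLOGIC:SHOWCODE-FILE /2ffile/2f",
    "T S A S 20 0 W BLUEMARTINI:BMEXCEPTION bmexception",
    "T S A S 20 0 W WEBLOGIC:STACKTRACE stack/20trace:",
    "T S A B 10 150 W WEBLOGIC:ERRORMSG /3ctitle/3eAn/20Error/20Has/20Occured/3c/2ftitle/3e",
    "T S A B 60 0 W WEBLOGIC:JSPSOURCE /3c/25 , /0a/25/3e",
)]

def scan(payload: bytes, direction: str) -> list:
    """Names of signatures that fire on one request ('D') or response ('S')."""
    return [s["name"] for s in SIGS
            if s["direction"] == direction and matches(s, payload)]

if __name__ == "__main__":
    # Constructed samples: a directory request, a '/file/' probe, leaked JSP.
    samples = (
        (b"GET / HTTP/1.0\r\nHost: app.example\r\n", "D"),
        (b"GET /file/login.jsp HTTP/1.0\r\n", "D"),
        (b"HTTP/1.0 200 OK\r\n\r\n<%@ page %>\n<% out.print(1);\n%>\n", "S"),
    )
    for payload, d in samples:
        print(d, scan(payload, d))
```

Running it against a developer's normal '/index.jsp' request shows why WEBLOGIC:DIR needs a WebLogic-specific COMPLEX rule: the sig fires on any bare 'GET / HTTP/' regardless of the server behind it.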