id: weblogic-t3-detect

info:
  name: Weblogic T3 Protocol Detection
  author: F1tz,milo2012,wdahlenb
  severity: info
  description: |
    T3 is the protocol used to transport information between WebLogic servers and other types of Java programs.
  impact: |
    May indicate potential exposure to Weblogic T3 Protocol vulnerabilities
  remediation: |
    Ensure proper configuration and security measures are in place for Weblogic T3 Protocol
  metadata:
    max-request: 2
  tags: network,weblogic,detect,t3,oracle,detection,tcp

tcp:
  - inputs:
      - data: "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n"
    host:
      - "{{Hostname}}"
    port: 7001
    read-size: 1024
    matchers:
      - type: word
        words:
          - "HELO"

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - "HELO:(.*).false"

  - inputs:
      - data: "t3s 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n"
    host:
      - "tls://{{Hostname}}"
    read-size: 1024
    port: 7002
    matchers:
      - type: word
        words:
          - "HELO"

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - "HELO:(.*).false"
# digest: 4a0a0047304502206aa8d17452e0910cd8b6f0b9c5d80010f68f4178a348f0e6bd6111a2071dc17f022100babdddf3e2e8d2930706381100256d8322bb98475be645b56072e310a361cb33:922c64590222798bb761d5b6d8e72950