id: weblogic-t3-detect

info:
  name: Weblogic T3 Protocol Detection
  author: F1tz,milo2012,wdahlenb
  severity: info
  description: |
    T3 is the protocol used to transport information between WebLogic servers and other types of Java programs.
  metadata:
    max-request: 2
  tags: network,weblogic,detect,t3,oracle
tcp:
  - inputs:
      - data: "t3 12.2.1

          AS:255

          HL:19

          MS:10000000

          PU:t3://us-l-breens:7001

          \n"
    host:
      - "{{Hostname}}"
    read-size: 1024
    matchers:
      - type: word
        words:
          - "HELO"

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - "HELO:(.*).false"

  - inputs:
      - data: "t3s 12.2.1

          AS:255

          HL:19

          MS:10000000

          PU:t3://us-l-breens:7001

          \n"
    host:
      - "tls://{{Hostname}}"
    read-size: 1024
    matchers:
      - type: word
        words:
          - "HELO"

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - "HELO:(.*).false"
# digest: 4b0a004830460221008e4fc5512e10a4bac580826b8cb65a981a9ef61b55f63c6f892cf0dde4b500a8022100e08f41e4f5d99713ff8e920b11a1fdfa70f7b1f5f5d0a2df25aa91bf69a010df:922c64590222798bb761d5b6d8e72950