This being triggered from that URL request:
=== Triggered rule ===
alert(url_content:"%3C"; url_content:"%2F"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and %2F. Suspiciously HTML-like."; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
=== Request URL ===
http://ajax.googleapis.com/ajax/services/search/web?v=1.0&key=ABQIAAAADQJp_C6OaW6hvHOMrOnyTRSJ36dQUZSEtUNltVpyNDSTnR8ihRSMP6upCTiKY-Eecqqq5JsdgenlYg&q=<Result>+<Code>04008000<%2FCode>+<DomC>26<%2FDomC>+<%2FResult>
resolving to these googlebot spoofed results:
{"responseData": {"results":[{"GsearchResultClass":"GwebSearch","unescapedUrl":"http://b.averysmallbird.com/entries/bluecoat-and-syria-indicators-and-culpability","url":"http://b.averysmallbird.com/entries/bluecoat-and-syria-indicators-and-culpability","visibleUrl":"b.averysmallbird.com","cacheUrl":"http://www.google.com/search?q\u003dcache:s1RCElpWZF0J:b.averysmallbird.com","title":"BlueCoat and Syria: Indicators and Culpability. a very small bird","titleNoFormatting":"BlueCoat and Syria: Indicators and Culpability. a very small bird","content":"Oct 11, 2011 \u003cb\u003e…\u003c/b\u003e \u0026lt;\u003cb\u003eCode\u003c/b\u003e\u0026gt;\u003cb\u003e04008000\u003c/b\u003e\u0026lt;/\u003cb\u003eCode\u003c/b\u003e\u0026gt;. \u0026lt;\u003cb\u003eDomC\u003c/b\u003e\u0026gt;\u003cb\u003e26\u003c/b\u003e\u0026lt;/\u003cb\u003eDomC\u003c/b\u003e\u0026gt;. \u0026lt;/\u003cb\u003eResult\u003c/b\u003e\u0026gt;. According to a posting made on BlueCoat\u0026#39;s forums, the above line seems to \u003cb\u003e…\u003c/b\u003e"},{"GsearchResultClass":"GwebSearch","unescapedUrl":"http://forum.avast.com/index.php?topic\u003d112159.0","url":"http://forum.avast.com/index.php%3Ftopic%3D112159.0","visibleUrl":"forum.avast.com","cacheUrl":"","title":"MAL URL K9filter.exe","titleNoFormatting":"MAL URL K9filter.exe","content":"7 hours ago \u003cb\u003e…\u003c/b\u003e 2: \u0026lt; \u003cb\u003eCode\u003c/b\u003e\u0026gt; \u003cb\u003e04008000\u003c/b\u003e\u0026lt; /\u003cb\u003eCode\u003c/b\u003e\u0026gt; 3: \u0026lt; \u003cb\u003eDomC\u003c/b\u003e\u0026gt; \u003cb\u003e26\u003c/b\u003e\u0026lt; /\u003cb\u003eDomC\u003c/b\u003e\u0026gt; 4: \u0026lt; /\u003cb\u003eResult\u003c/b\u003e\u0026gt; Trying to get a GET address avast NetworkShield blocks an Object as \u003cb\u003e…\u003c/b\u003e"},{"GsearchResultClass":"GwebSearch","unescapedUrl":"http://www.jennic.com/download_file.php?supportFile\u003dJN-AN-1003-Boot-Loader-Operation-1v7.pdf","url":"http://www.jennic.com/download_file.php%3FsupportFile%3DJN-AN-1003-Boot-Loader-Operation-1v7.pdf","visibleUrl":"www.jennic.com","cacheUrl":"","title":"JN-AN-1003 JN514x/JN5139 Boot Loader Operation - Jennic","titleNoFormatting":"JN-AN-1003 JN514x/JN5139 Boot Loader Operation - Jennic","content":"JN-AN-1003 (v1v7) \u003cb\u003e26\u003c/b\u003e-Apr-2012 \u003cb\u003e…\u003c/b\u003e ROM \u003cb\u003ecode\u003c/b\u003e usage area. (4 Kbytes). MAC address \u003cb\u003e…\u003c/b\u003e \u003cb\u003e0x04008000\u003c/b\u003e \u003cb\u003e…\u003c/b\u003e reasonably be expected to \u003cb\u003eresult\u003c/b\u003e in personal injury, death, severe property damage or environmental damage. \u003cb\u003e…\u003c/b\u003e www.nxp.\u003cb\u003ecom\u003c/b\u003e/ jennic.","fileFormat":"PDF/Adobe Acrobat"},{"GsearchResultClass":"GwebSearch","unescapedUrl":"http://www.jennic.com/download_file.php?supportFile\u003dJN-DS-JN5142-J01-1v1.pdf","url":"http://www.jennic.com/download_file.php%3FsupportFile%3DJN-DS-JN5142-J01-1v1.pdf","visibleUrl":"www.jennic.com","cacheUrl":"","title":"JN-DS-JN5142-J01-1v1.pdf3rd Oct - Jennic","titleNoFormatting":"JN-DS-JN5142-J01-1v1.pdf3rd Oct - Jennic","content":"\u003cb\u003ecode\u003c/b\u003e memory, data memory, peripheral devices and I/O ports are organised within the same \u003cb\u003e…\u003c/b\u003e herein and worst case may \u003cb\u003eresult\u003c/b\u003e in device not functioning in \u003cb\u003e…\u003c/b\u003e","fileFormat":"PDF/Adobe Acrobat"}],"cursor":{"resultCount":"18","pages":[{"start":"0","label":1},{"start":"4","label":2},{"start":"8","label":3},{"start":"12","label":4},{"start":"16","label":5}],"estimatedResultCount":"18","currentPageIndex":0,"moreResultsUrl":"http://www.google.com/search?oe\u003dutf8\u0026ie\u003dutf8\u0026source\u003duds\u0026start\u003d0\u0026hl\u003den\u0026q\u003d<Result>+<Code>04008000</Code>+<DomC>26</DomC>+</Result>","searchResultTime":"0.32"}}, "responseDetails": null, "responseStatus": 200}
polonus