Snort mailing list archives
Re: FP on 18372
From: "Weir, Jason" <jason.weir () nhrs org>
Date: Wed, 16 Feb 2011 09:56:15 -0500
Thanks Joel... I have this (rev:3):

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST USER-AGENT known malicious user-agent string contype"; flow:to_server,established; content:"User-Agent|3A| contype|0D 0A|"; nocase; http_header; metadata:impact_flag red, service http; reference:url,labs.snort.org/docs/18372.html; classtype:trojan-activity; sid:18372; rev:3;)

-J
-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Wednesday, February 16, 2011 9:52 AM
To: Weir, Jason
Cc: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] FP on 18372

Are you sure you have the SID right? My 18372, rev:2, doesn't have that content match in it at all.

Joel

On Feb 16, 2011, at 9:43 AM, Weir, Jason wrote:

Looks like a client downloading flash content...

GET /portal/server.pt/gateway/PTARGS_0_2_23634_14364_435710_43/http%3B/pubcontent.state.pa.us/publishedcontent/publish/cop_general_government_operations/sers/branding/flash/animation_homepage2.swf HTTP/1.1
Accept: */*
User-Agent: contype
Host: www.sers.state.pa.us
Cookie: *****removed******

GET /swf/masthead_large.swf HTTP/1.1
Accept: */*
User-Agent: contype
Host: www.wxrv.com
Cookie: *****removed******

GET /multimedia/archive/00379/sivananda_sports_379768a.swf HTTP/1.1
Accept: */*
User-Agent: contype
Host: www.thehindu.com

Can we improve on this rule?

-J

--
Joel Esler
jesler () sourcefire.com
http://blog.snort.org && http://blog.clamav.net
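The rule and the quoted requests above, as an added example (not from the thread or from the Snort project): a small Python checker that decodes the content option's |hex| notation and applies it, honouring nocase, to the header buffers of the quoted requests, showing why rev:3 fires on all of them. The third header block is a constructed control request with an ordinary browser User-Agent.

```python
import re

# Rule rev:3 as quoted in the thread (sid 18372); only the content/nocase options matter here.
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST USER-AGENT known '
        'malicious user-agent string contype"; flow:to_server,established; '
        'content:"User-Agent|3A| contype|0D 0A|"; nocase; http_header; '
        'metadata:impact_flag red, service http; reference:url,labs.snort.org/docs/18372.html; '
        'classtype:trojan-activity; sid:18372; rev:3;)')

def decode_content(pattern: str) -> bytes:
    """Snort content syntax: text outside |...| is literal, hex pairs inside |...| are raw bytes."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)

def parse_content_options(rule: str) -> list:
    """Return (pattern_bytes, nocase) per content: option; nocase modifies the preceding content."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = [o.strip() for o in body.split(";") if o.strip()]
    matches = []
    for opt in opts:
        m = re.fullmatch(r'content:"(.*)"', opt)
        if m:
            matches.append([decode_content(m.group(1)), False])
        elif opt == "nocase" and matches:
            matches[-1][1] = True
    return [tuple(x) for x in matches]

def rule_matches_headers(rule: str, header_block: bytes) -> bool:
    """True when every content: pattern is found in the HTTP header buffer (http_header)."""
    for pattern, nocase in parse_content_options(rule):
        hay, needle = (header_block.lower(), pattern.lower()) if nocase else (header_block, pattern)
        if needle not in hay:
            return False
    return True

# Header blocks constructed from the requests quoted in the thread (cookies dropped, CRLF
# endings), plus one constructed ordinary browser request as a control.
SAMPLE_HEADERS = [
    b"GET /swf/masthead_large.swf HTTP/1.1\r\nAccept: */*\r\nUser-Agent: contype\r\nHost: www.wxrv.com\r\n\r\n",
    b"GET /multimedia/archive/00379/sivananda_sports_379768a.swf HTTP/1.1\r\nAccept: */*\r\n"
    b"User-Agent: contype\r\nHost: www.thehindu.com\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nAccept: */*\r\nUser-Agent: Mozilla/5.0 (constructed)\r\nHost: example.invalid\r\n\r\n",
]

def hits(rule: str = RULE, samples=SAMPLE_HEADERS) -> list:
    """Index of each sample header block the rule would fire on."""
    return [i for i, h in enumerate(samples) if rule_matches_headers(rule, h)]
```

Running hits() returns [0, 1]: both quoted .swf fetches match, the control request does not.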
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs