Snort mailing list archives
Re: likely FPs Web-Client .... dll-load exploit attempt
From: Patrick Mullen <pmullen () sourcefire com>
Date: Mon, 18 Apr 2011 13:08:11 -0400
What revision of that rule are you running? Rev 4 is the latest and it won't FP on that traffic. All of the dll-load rules were regenerated on March 22 to fix this false positive issue. If you're on the 30-day delay rulepack, you should get the new version next week.

Thanks,

~Patrick

On Sun, Apr 17, 2011 at 7:05 PM, Russell Fulton <r.fulton () auckland ac nz> wrote:
SID  CID       Timestamp            Signature                                                             IP Src                                      IP Dst               Proto  Length
10   78025871  2011-04-18 09:53:08  WEB-CLIENT Firefox Acrobat Reader ace.dll dll-load exploit attempt    130.216.25.112 ee5112cp.ece.auckland.ac.nz  119.31.248.196 None  6      185
10   78025872  2011-04-18 09:53:08  WEB-CLIENT Acrobat Reader IE plugin ace.dll dll-load exploit attempt  130.216.25.112 ee5112cp.ece.auckland.ac.nz  119.31.248.196 None  6      185
10   78025881  2011-04-18 09:53:18  WEB-CLIENT Firefox Acrobat Reader agm.dll dll-load exploit attempt    130.216.25.112 ee5112cp.ece.auckland.ac.nz  119.31.248.196 None  6      179
10   78025882  2011-04-18 09:53:18  WEB-CLIENT Acrobat Reader IE plugin agm.dll dll-load exploit attempt  130.216.25.112 ee5112cp.ece.auckland.ac.nz  119.31.248.196 None  6      179
10   78025908  2011-04-18 09:54:32  WEB-CLIENT Firefox Acrobat Reader ace.dll dll-load exploit attempt    130.216.25.112 ee5112cp.ece.auckland.ac.nz  119.31.248.196 None  6      179
10   78025909  2011-04-18 09:54:32  WEB-CLIENT Acrobat Reader IE plugin ace.dll dll-load exploit attempt  130.216.25.112 ee5112cp.ece.auckland.ac.nz  119.31.248.196 None  6      179
10   78025915  2011-04-18 09:54:45  WEB-CLIENT Firefox Acrobat Reader ace.dll dll-load exploit attempt    130.216.25.112 ee5112cp.ece.auckland.ac.nz  119.31.248.196 None  6      172
10   78025916  2011-04-18 09:54:45  WEB-CLIENT Acrobat Reader IE plugin ace.dll dll-load exploit attempt  130.216.25.112 ee5112cp.ece.auckland.ac.nz  119.31.248.196 None  6      172
10   78025917  2011-04-18 09:54:46  WEB-CLIENT Firefox Acrobat Reader ace.dll dll-load exploit attempt    130.216.25.112 ee5112cp.ece.auckland.ac.nz  119.31.248.196 None  6      196
10   78025918  2011-04-18 09:54:46  WEB-CLIENT Acrobat Reader IE plugin ace.dll dll-load exploit attempt  130.216.25.112 ee5112cp.ece.auckland.ac.nz  119.31.248.196 None  6      196

sample capture:

GET /files/pluginhost/2.0.0.11032_12/External/DeviceModules/DCInterface.dll.cab HTTP/1.1
User-Agent: SAMSUNG_KIES
Host: msupdate.emodio.com

Googling msupdate.emodio.com suggests that this is a legit site related to Samsung Kies...
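The triage that this thread walks through by hand (match the alert rows against the captured request, notice that the requested object is a .cab from a vendor update host rather than the DLL the signature names) is easy to script. The following is an added example, not code from the thread, from Sourcefire or from the Snort project: it parses the alert rows and the sample capture exactly as pasted above, and flags the events as likely false positives. The eight-column row layout, the vendor allowlist and the naive ".dll" substring check are assumptions made for the example; the actual content matches of the dll-load rules are not shown in the thread and are not reproduced here.

```python
"""Triage helper for the dll-load alerts discussed in the thread (added example)."""
import re
from collections import Counter

# Alert rows reproduced from the thread. Column layout (assumption):
# SID CID Timestamp Signature IP-Src Src-Host IP-Dst Dst-Host Proto Length
ALERT_ROWS = """\
10 78025871 2011-04-18 09:53:08 WEB-CLIENT Firefox Acrobat Reader ace.dll dll-load exploit attempt 130.216.25.112 ee5112cp.ece.auckland.ac.nz 119.31.248.196 None 6 185
10 78025872 2011-04-18 09:53:08 WEB-CLIENT Acrobat Reader IE plugin ace.dll dll-load exploit attempt 130.216.25.112 ee5112cp.ece.auckland.ac.nz 119.31.248.196 None 6 185
10 78025881 2011-04-18 09:53:18 WEB-CLIENT Firefox Acrobat Reader agm.dll dll-load exploit attempt 130.216.25.112 ee5112cp.ece.auckland.ac.nz 119.31.248.196 None 6 179
10 78025882 2011-04-18 09:53:18 WEB-CLIENT Acrobat Reader IE plugin agm.dll dll-load exploit attempt 130.216.25.112 ee5112cp.ece.auckland.ac.nz 119.31.248.196 None 6 179
10 78025908 2011-04-18 09:54:32 WEB-CLIENT Firefox Acrobat Reader ace.dll dll-load exploit attempt 130.216.25.112 ee5112cp.ece.auckland.ac.nz 119.31.248.196 None 6 179
10 78025909 2011-04-18 09:54:32 WEB-CLIENT Acrobat Reader IE plugin ace.dll dll-load exploit attempt 130.216.25.112 ee5112cp.ece.auckland.ac.nz 119.31.248.196 None 6 179
10 78025915 2011-04-18 09:54:45 WEB-CLIENT Firefox Acrobat Reader ace.dll dll-load exploit attempt 130.216.25.112 ee5112cp.ece.auckland.ac.nz 119.31.248.196 None 6 172
10 78025916 2011-04-18 09:54:45 WEB-CLIENT Acrobat Reader IE plugin ace.dll dll-load exploit attempt 130.216.25.112 ee5112cp.ece.auckland.ac.nz 119.31.248.196 None 6 172
10 78025917 2011-04-18 09:54:46 WEB-CLIENT Firefox Acrobat Reader ace.dll dll-load exploit attempt 130.216.25.112 ee5112cp.ece.auckland.ac.nz 119.31.248.196 None 6 196
10 78025918 2011-04-18 09:54:46 WEB-CLIENT Acrobat Reader IE plugin ace.dll dll-load exploit attempt 130.216.25.112 ee5112cp.ece.auckland.ac.nz 119.31.248.196 None 6 196
"""

# The sample capture from the thread, reassembled as a raw HTTP request.
SAMPLE_REQUEST = (
    "GET /files/pluginhost/2.0.0.11032_12/External/DeviceModules/DCInterface.dll.cab HTTP/1.1\r\n"
    "User-Agent: SAMSUNG_KIES\r\n"
    "Host: msupdate.emodio.com\r\n"
    "\r\n"
)

# Constructed allowlist of vendor update hosts (assumption for this example;
# the thread only establishes that msupdate.emodio.com belongs to Samsung Kies).
KNOWN_VENDOR_HOSTS = {"msupdate.emodio.com"}

# Signature text may contain spaces, so anchor on the dotted-quad source IP.
ROW_RE = re.compile(
    r"^(?P<sid>\d+) (?P<cid>\d+) (?P<ts>\S+ \S+) (?P<sig>.+?) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<src_host>\S+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+) (?P<dst_host>\S+) (?P<proto>\d+) (?P<length>\d+)$"
)


def parse_alert(line):
    """Parse one alert row into a dict; raise on anything that does not fit."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised alert row: {line!r}")
    d = m.groupdict()
    for key in ("sid", "cid", "proto", "length"):
        d[key] = int(d[key])
    return d


def parse_alerts(text):
    return [parse_alert(line) for line in text.splitlines() if line.strip()]


def signature_dll(sig):
    """Return the DLL the signature is about (e.g. 'ace.dll'), or None."""
    m = re.search(r"(\S+\.dll)\b", sig)
    return m.group(1) if m else None


def parse_request(raw):
    """Split a raw HTTP request into (method, uri, lower-cased header dict)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def assess(alert, raw_request, vendor_hosts=KNOWN_VENDOR_HOSTS):
    """Compare what the rule claims with what the client actually requested."""
    sig_dll = signature_dll(alert["sig"])
    _method, uri, headers = parse_request(raw_request)
    filename = uri.rsplit("/", 1)[-1].lower()
    host = headers.get("host", "").lower()
    verdict = {
        "cid": alert["cid"],
        "signature_dll": sig_dll,
        "requested_file": filename,
        # A naive '.dll' substring test (hypothetical) would fire on 'x.dll.cab' ...
        "contains_dll_substring": ".dll" in filename,
        # ... but the object is not a DLL, and not the DLL the rule names.
        "is_dll_file": filename.endswith(".dll"),
        "matches_signature_dll": sig_dll is not None and filename == sig_dll.lower(),
        "host": host,
        "host_is_known_vendor": host in vendor_hosts,
    }
    verdict["likely_false_positive"] = (
        not verdict["matches_signature_dll"] and verdict["host_is_known_vendor"]
    )
    return verdict


def summarize(alerts):
    """Count alerts per DLL named in the signature, for a quick overview."""
    return Counter(signature_dll(a["sig"]) for a in alerts)


if __name__ == "__main__":
    alerts = parse_alerts(ALERT_ROWS)
    print(dict(summarize(alerts)))
    for key, value in assess(alerts[0], SAMPLE_REQUEST).items():
        print(f"{key:>24}: {value}")
```

The verdict is deliberately two-sided: an unknown host with a request for the exact DLL the signature names still comes back as not a false positive, so the same helper can be run over later alerts once the rev 4 rules are in place to confirm they stay quiet on this traffic.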
------------------------------------------------------------------------------ Benefiting from Server Virtualization: Beyond Initial Workload Consolidation -- Increasing the use of server virtualization is a top priority.Virtualization can reduce costs, simplify management, and improve application availability and disaster protection. Learn more about boosting the value of server virtualization. http://p.sf.net/sfu/vmware-sfdev2dev _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org
Current thread:
- likely FPs Web-Client .... dll-load exploit attempt Russell Fulton (Apr 17)
- Re: likely FPs Web-Client .... dll-load exploit attempt Joel Esler (Apr 17)
- Re: likely FPs Web-Client .... dll-load exploit attempt Patrick Mullen (Apr 18)