Snort mailing list archives
Re: FILE-IDENTIFY FON font file download request (1:20269)
From: Alex McDonnell <amcdonnell () sourcefire com>
Date: Mon, 11 May 2015 08:45:58 -0400
Hey Anthony,

This rule is currently pending a policy review; it will likely be excluded from balanced-ips going forward.

The thought behind this rule is that .fon files are basically DLL files that have font files in the resource section. This, like .scr and .cpl files, can lead to people running programs because they don't think it's an executable.

Thanks,
Alex McDonnell
TALOS

On Mon, May 11, 2015 at 7:43 AM, Rodgers, Anthony (DTMB) <RodgersA1 () michigan gov> wrote:
> Perhaps we should negate geo.kaspersky.com for this sig? It fires every morning for a host on our network that updates its AV sigs:
>
> GET /diffs/bases/wmuf/wmuf0005.dat.fon HTTP/1.0
> Host: dnl-11.geo.kaspersky.com
> Pragma: no-cache
> Cache-Control: no-cache
> Connection: keep-alive
> User-Agent: liByyC5fj_zqmQyr3w_1hp05wkkxu56lll-9u4uBVANMTAuMS4yNDk=
>
> --
> Anthony Rodgers
> Security Analyst
> Michigan Security Operations Center (MiSOC)
> DTMB, Michigan Cyber Security
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
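As an added illustration of the point Alex makes above (this is not code from the thread, from Snort or from Talos): a Python check that tells whether a blob served with a .fon extension is really an NE or PE executable with the DLL flag set and a resource section, which is what a legitimate .fon looks like. The sample headers are constructed inline; the flag constants are the documented IMAGE_FILE_DLL and NE library-module bits.

```python
import struct

IMAGE_FILE_DLL = 0x2000   # PE Characteristics flag: image is a DLL
NE_LIBRARY = 0x8000       # NE (16-bit) header flag: library module

def classify_fon(data: bytes) -> dict:
    """Inspect a blob served as .fon and report what it really is.

    Returns {"format": "PE"|"NE"|None, "is_dll": bool, "has_rsrc": bool}.
    A real .fon is a DLL (NE or PE) whose fonts live in the resource
    section; anything else wearing the extension is worth a second look.
    """
    out = {"format": None, "is_dll": False, "has_rsrc": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return out
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    sig = data[e_lfanew:e_lfanew + 4]
    if sig[:2] == b"NE" and e_lfanew + 0x0E <= len(data):
        out["format"] = "NE"
        flags = struct.unpack_from("<H", data, e_lfanew + 0x0C)[0]
        out["is_dll"] = bool(flags & NE_LIBRARY)
        return out
    if sig != b"PE\0\0" or e_lfanew + 24 > len(data):
        return out
    out["format"] = "PE"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    out["is_dll"] = bool(chars & IMAGE_FILE_DLL)
    sec_table = e_lfanew + 24 + opt_size
    for i in range(nsec):
        off = sec_table + i * 40          # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        if data[off:off + 8].rstrip(b"\0") == b".rsrc":
            out["has_rsrc"] = True
    return out

def build_sample_fon() -> bytes:
    """Constructed PE skeleton shaped like a .fon: DLL flag set, one .rsrc section.
    Not a real font; just enough header for classify_fon() to parse."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0, IMAGE_FILE_DLL | 0x0002)
    rsrc = b".rsrc".ljust(8, b"\0") + b"\0" * 32
    return dos + b"PE\0\0" + file_hdr + rsrc

if __name__ == "__main__":
    print(classify_fon(build_sample_fon()))   # {'format': 'PE', 'is_dll': True, 'has_rsrc': True}
    print(classify_fon(b"plain text, not a font"))
```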