sid:36535 rev2
From: Zied Naas <Zied.Naas () abovesecurity com>
Date: Mon, 2 Nov 2015 14:25:49 +0000
Hi all, Again, the rule SID:36535 is still noisy even for the revision 2, and again as I did in a previous request, Could someone tell me why this rule is firing for the payload below: ------------------------- b})),b+=1)))},o=function(){var a=b.createElement("div");return function(b){return b&&"string"==typeof b?(a.innerHTML=encodeURI(b),b=a.textContent||a.innerText,a.innerHTML="",decodeURI(b)):void 0}}()}),tbNewsroom.define("app",["dom","transport","crawler","utils","user","auto-pilot","document","designer","dom-ready","debug","click-audit","message-queue","ab-test","regions"],function(a,b,c){"use strict";function d(){return c.getPageTemplate()&&c.getPageDashboard()}function e(a){d()&&c.ready(function(){c.debug("crawlPage",a),c.crawlPage(a)})}function f(a){d()&&(c.setRegionMap(a),c.ready(function(){c.debug("defineRegionMap",a),c.markRegions()}))}function g(){d()&&c.transport.getAction()}function h(a){c.setDesignerToken(a),c.loadDesigner()}function i(a){d()&&c.reorderItems(a)}function j(){var a=c.getStoredValue(c.CLICK_COOKIE_NAME);a&&"-10"!=a&&(c.deleteStoredValue(c.CLICK_COOKIE_NAME),c.transport.sendMessage({methodName:"notify-click",queryString:a}))}function k(a){c.debug("showRegions",a),d()&&a&&c.createStyleSheet("[{REGION_DATA_MARKER}]{background: {REGION_BACKGROUND}!important;box-shadow: {REGION_BORDER} 0 0 0 6px!important;}[{REGION_ITEM_DATA_MARKER}]{background: {ITEM_BACKGROUND}!important;box-shadow: inset {ITEM_BORDER} 0 0 0 6px!important;}[{REGION_LINK_DATA_MARKER}]{background: {LINK_COLOR}!important;color:#333!important}[{REGION_LINK_DATA_MARKER}] * {ba the rule : alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit landing page detected"; flow:to_client, established; file_data; content:"return"; content:"join"; within:8; content:"MSIE |28 5C|d+|5C|.|5C|d+|29|"; distance:0; content:"navigator"; within:60; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36535; 
rev:2;) The only rule content present in this payload is "return". Thanks, Zied