
sid:36535 rev2


From: Zied Naas <Zied.Naas () abovesecurity com>
Date: Mon, 2 Nov 2015 14:25:49 +0000

Hi all,

Again, rule SID:36535 is still noisy even at revision 2. As in my previous request, could someone tell me why this rule is firing on the payload below?
-------------------------

b})),b+=1)))},o=function(){var a=b.createElement("div");return function(b){return b&&"string"==typeof 
b?(a.innerHTML=encodeURI(b),b=a.textContent||a.innerText,a.innerHTML="",decodeURI(b)):void 
0}}()}),tbNewsroom.define("app",["dom","transport","crawler","utils","user","auto-pilot","document","designer","dom-ready","debug","click-audit","message-queue","ab-test","regions"],function(a,b,c){"use
 strict";function d(){return c.getPageTemplate()&&c.getPageDashboard()}function 
e(a){d()&&c.ready(function(){c.debug("crawlPage",a),c.crawlPage(a)})}function 
f(a){d()&&(c.setRegionMap(a),c.ready(function(){c.debug("defineRegionMap",a),c.markRegions()}))}function 
g(){d()&&c.transport.getAction()}function h(a){c.setDesignerToken(a),c.loadDesigner()}function 
i(a){d()&&c.reorderItems(a)}function j(){var 
a=c.getStoredValue(c.CLICK_COOKIE_NAME);a&&"-10"!=a&&(c.deleteStoredValue(c.CLICK_COOKIE_NAME),c.transport.sendMessage({methodName:"notify-click",queryString:a}))}function
 k(a){c.debug("showRegions",a),d()&&a&&c.createStyleSheet("[{REGION_DATA_MARKER}]{background: 
{REGION_BACKGROUND}!important;box-shadow: {REGION_BORDER} 0 0 0 6px!important;}[{REGION_ITEM_DATA_MARKER}]{background: 
{ITEM_BACKGROUND}!important;box-shadow: inset {ITEM_BORDER} 0 0 0 
6px!important;}[{REGION_LINK_DATA_MARKER}]{background: 
{LINK_COLOR}!important;color:#333!important}[{REGION_LINK_DATA_MARKER}] * {ba


The rule:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit landing page detected"; 
flow:to_client, established; file_data; content:"return"; content:"join"; within:8; content:"MSIE |28 
5C|d+|5C|.|5C|d+|29|"; distance:0; content:"navigator"; within:60; metadata:policy balanced-ips drop, policy 
security-ips drop, service http; classtype:attempted-user; sid:36535; rev:2;)


Of the rule's four content strings ("return", "join", "MSIE (\d+\.\d+)" and "navigator"), only "return" appears in the payload above. Note that the fragment is truncated at both ends (it starts mid-expression and ends mid-string), so it may not be the whole file_data buffer Snort evaluated; the other strings would have to be in the part I am not seeing for the `within`/`distance` chain to match.

thanks,

zied