Snort mailing list archives
FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Mon, 14 Mar 2011 10:19:55 +1300
We just had this trigger when a user downloaded an update from Baidu.com. The URLs were:

GET http://dzl.baidu.com/update/cab/realname.dat
GET http://dzl.baidu.com/iexp/config/control.ini

The rule is a combination of a User-Agent match and a "metadata:impact_flag" (does the latter mean there are some extra checks going on, or is that simply a classification tag?)

I found a hit from Emerging-sigs from last year about it as a FP too - I guess Sourceforge is a bit behind on this one? ;-)
http://answerpot.com/showthread.php?1019370-need+info+for+Baidu+2003608

I can ship the PCAP if you want it (it's got the user's cookies - so I won't publish here).

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
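The rule in the report pairs a User-Agent content match with a metadata field; Snort's metadata keyword (impact_flag included) is informational for management consoles and adds no detection condition of its own. What follows is an added example, not code from the thread or from the Snort ruleset: it models such a User-Agent header match in Python, runs it over constructed HTTP requests, and shows the tuning a practitioner would apply for this kind of false positive, exempting the known-benign updater host so the Baidu downloads stop alerting while the same user-agent going anywhere else still does. The match pattern, the allowlist, the sample requests and every helper name are assumptions; the actual text of SID 18369 is not on the page.

```python
"""
Model of a Snort-style User-Agent blacklist rule plus host allowlist tuning.
Added example: the real rule 1:18369:2 is not reproduced here; its match is
assumed to be a plain User-Agent header match (an assumption, not from the page).
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed detection, modelled on content:"User-Agent|3A| iexp-get" with the
# http_header modifier.  Hypothetical; the shipped rule text is not on the page.
BAD_UA_PATTERN = re.compile(rb"^User-Agent:[ \t]*iexp-get",
                            re.IGNORECASE | re.MULTILINE)

# Tuning: hosts where this user-agent is known benign (the Baidu updater from
# the report).  Hypothetical allowlist; in Snort this would be a negated Host
# content match in a local copy of the rule, or a suppress entry.
BENIGN_HOSTS = {b"dzl.baidu.com"}


@dataclass
class Alert:
    sid: int
    rev: int
    host: bytes
    uri: bytes


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, uri, header block)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return parts[0], parts[1], headers


def header_value(headers: bytes, name: bytes) -> bytes:
    """Return the first value of header `name` (case-insensitive), or b''."""
    m = re.search(rb"^" + re.escape(name) + rb":[ \t]*([^\r\n]*)",
                  headers, re.IGNORECASE | re.MULTILINE)
    return m.group(1).strip() if m else b""


def evaluate(raw: bytes, allowlist=BENIGN_HOSTS) -> Optional[Alert]:
    """Return an Alert if the request would fire the modelled rule, else None."""
    _method, uri, headers = parse_request(raw)
    if not BAD_UA_PATTERN.search(headers):
        return None
    host = header_value(headers, b"Host").lower()
    if host in allowlist:
        return None  # tuned out: known-benign updater traffic
    return Alert(sid=18369, rev=2, host=host, uri=uri)


# Constructed sample traffic (not the reporter's PCAP; cookie value is a dummy).
BAIDU_REQ = (b"GET /update/cab/realname.dat HTTP/1.1\r\n"
             b"Host: dzl.baidu.com\r\n"
             b"User-Agent: iexp-get\r\n"
             b"Cookie: BAIDUID=REDACTED\r\n\r\n")
UNKNOWN_REQ = (b"GET /cfg/control.ini HTTP/1.1\r\n"
               b"Host: 203.0.113.7\r\n"
               b"User-Agent: iexp-get\r\n\r\n")
NORMAL_REQ = (b"GET /update/cab/realname.dat HTTP/1.1\r\n"
              b"Host: dzl.baidu.com\r\n"
              b"User-Agent: Mozilla/5.0\r\n\r\n")
SAMPLES = {"baidu": BAIDU_REQ, "unknown": UNKNOWN_REQ, "normal": NORMAL_REQ}


def run_samples(allowlist=BENIGN_HOSTS):
    """Evaluate every constructed sample; maps name -> Alert or None."""
    return {name: evaluate(req, allowlist) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, alert in run_samples().items():
        print(f"{name:8s} -> {alert if alert else 'no alert'}")
```

With the allowlist in place only the request to the unknown host alerts; with an empty allowlist the Baidu download alerts as the reporter saw. In a live Snort 2.x deployment the same tuning is either a `suppress gen_id 1, sig_id 18369, ...` entry in threshold.conf keyed on the Baidu server address, or a local copy of the rule carrying a negated `content:!"Host|3A| dzl.baidu.com"; http_header;` so that the exemption follows the hostname rather than an address that may change.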
Current thread:
- FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get Jason Haar (Mar 13)
- Re: FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get Matt Olney (Mar 13)
- Re: FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get evilghost () packetmail net (Mar 13)
- Re: FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get Matt Olney (Mar 13)
- Re: FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get Jason Haar (Mar 13)
- Re: FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get evilghost () packetmail net (Mar 13)