Snort mailing list archives
Re: FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Mon, 14 Mar 2011 12:13:14 +1300
On 03/14/2011 11:58 AM, Matt Olney wrote:
> Actually, in this case this isn't a false positive. The alert is on a web get with a user agent "iexp-get" which is associated with baidu.com. Baidu is considered adware and malware from some sources (I'm not judging one way or another) and has a rule here for use if you see fit. So you have a policy decision. If you allow the baidu service, you can disable the rule. Otherwise, it worked :)
I've heard that before. If you're Chinese, you think baidu is great (it's China's Google-killer), but there are always these "rumors" around of it being "bad".

Siteadvisor sums it up: http://www.siteadvisor.com/sites/baidu.com ("it's good - but there's a bunch of people who got hacked via it")

I ain't going there: we'll disable the rule :-}

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Current thread:
- FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get Jason Haar (Mar 13)
- Re: FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get Matt Olney (Mar 13)
- Re: FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get evilghost () packetmail net (Mar 13)
- Re: FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get Matt Olney (Mar 13)
- Re: FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get Jason Haar (Mar 13)
- Re: FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get evilghost () packetmail net (Mar 13)