Snort mailing list archives
Re: FP on 18372
From: Alex Kirk <akirk () sourcefire com>
Date: Wed, 16 Feb 2011 09:55:43 -0500
He does - ironically enough, that SID was updated to rev:3 yesterday because the original User-Agent string used in the rule produced FPs with RealPlayer. Digging a bit deeper on "contype", it seems that it has mixed uses - sometimes bots use it (as would have been the case in the malware sandbox), sometimes legit apps use it. We'll dig a different User-Agent out of the DB, vet it more thoroughly, and hopefully the third time will be a charm.

On Wed, Feb 16, 2011 at 9:52 AM, Joel Esler <jesler () sourcefire com> wrote:
> Are you sure you have the SID right? My 18372, rev:2, doesn't have that content match in it at all.
>
> Joel
>
> On Feb 16, 2011, at 9:43 AM, Weir, Jason wrote:
>
>> Looks like a client downloading flash content...
>>
>> GET /portal/server.pt/gateway/PTARGS_0_2_23634_14364_435710_43/http%3B/pubcontent.state.pa.us/publishedcontent/publish/cop_general_government_operations/sers/branding/flash/animation_homepage2.swf HTTP/1.1
>> Accept: */*
>> User-Agent: contype
>> Host: www.sers.state.pa.us
>> Cookie: *****removed******
>>
>> GET /swf/masthead_large.swf HTTP/1.1
>> Accept: */*
>> User-Agent: contype
>> Host: www.wxrv.com
>> Cookie: *****removed******
>>
>> GET /multimedia/archive/00379/sivananda_sports_379768a.swf HTTP/1.1
>> Accept: */*
>> User-Agent: contype
>> Host: www.thehindu.com
>>
>> Can we improve on this rule?
>>
>> -J
>
> --
> Joel Esler
> jesler () sourcefire.com
> http://blog.snort.org && http://blog.clamav.net
--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
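The three requests Jason posted, replayed through a small request parser and a hypothetical User-Agent-only content match, show why a rule keyed on `User-Agent: contype` alone fires on every plain .swf download. This is an added example, not code from the thread or from the Sourcefire rule set; the rule body, the helper names and the reconstructed request text are assumptions.

```python
# Added example: not code from the Snort-sigs thread; the match logic is hypothetical.
from typing import Any, Dict, List, Tuple

# Host/URI pairs reconstructed from the thread (cookies were already redacted there).
POSTED_REQUESTS: List[Tuple[str, str]] = [
    ("www.sers.state.pa.us",
     "/portal/server.pt/gateway/PTARGS_0_2_23634_14364_435710_43/http%3B/pubcontent.state.pa.us"
     "/publishedcontent/publish/cop_general_government_operations/sers/branding/flash/animation_homepage2.swf"),
    ("www.wxrv.com", "/swf/masthead_large.swf"),
    ("www.thehindu.com", "/multimedia/archive/00379/sivananda_sports_379768a.swf"),
]

def build_request(host: str, uri: str, user_agent: str = "contype") -> str:
    """Rebuild the raw request as it looked on the wire (constructed sample input)."""
    return (f"GET {uri} HTTP/1.1\r\nAccept: */*\r\nUser-Agent: {user_agent}\r\n"
            f"Host: {host}\r\nCookie: *****removed******\r\n\r\n")

def parse_request(raw: str) -> Dict[str, Any]:
    """Split a raw HTTP/1.1 request into method, URI and a lower-cased header map."""
    request_line, _, rest = raw.partition("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in rest.split("\r\n"):
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers}

def ua_only_match(req: Dict[str, Any]) -> bool:
    """Hypothetical rule body: fire on an exact User-Agent of 'contype' and nothing else."""
    return req["headers"].get("user-agent") == "contype"

def triage(raw_requests: List[str]) -> List[Dict[str, Any]]:
    """Run the match over each request and record whether the fetch is a plain .swf
    download, the context Jason used to call these alerts false positives."""
    rows = []
    for raw in raw_requests:
        req = parse_request(raw)
        rows.append({"host": req["headers"].get("host", ""),
                     "fired": ua_only_match(req),
                     "swf_download": req["uri"].lower().endswith(".swf")})
    return rows

def false_positive_count(raw_requests: List[str]) -> int:
    """Alerts whose only evidence is the User-Agent, on what is otherwise a Flash fetch."""
    return sum(1 for r in triage(raw_requests) if r["fired"] and r["swf_download"])
```

Running `false_positive_count([build_request(h, u) for h, u in POSTED_REQUESTS])` gives 3: every request in Jason's capture trips the User-Agent-only match, which is the weakness Alex describes when he says the string has mixed legitimate and bot use.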
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org