Snort mailing list archives
Re: BLACKLIST URI Request Rules
From: Adam Gardner <adamgardner502 () gmail com>
Date: Wed, 3 Aug 2011 12:57:37 -0400
I've been seeing the same thing, particularly with 19624, 19629 and 19630, which have been firing on parked domains. I have not yet seen any malware being served up from the sites, nor have any other Snort rules fired on traffic involving these hosts. My other IPS vendor, AV and web content filter have all been quiet as well. Simply visiting the parked domains has been enough to make these rules fire; it doesn't sound like preexisting malware installed on the box is checking in. I haven't seen much I can take action on from those rules.

On Aug 3, 2011 12:33 PM, "Chris Granger" <chrisgrangerx () gmail com> wrote:

Hi VRT,

We're noticing that many of these rules released yesterday seem to be generating a high number of false positives and/or the URIs may be pre-compromise indicators. I read your blog posting re how these rules are developed: http://vrt-blog.snort.org/2011/02/blacklistrules-clamav-and-data-mining.html

I am curious about what efforts are made to separate potential benign or pre-compromise indicators from the evil and/or post-compromise. Also, is there any interest in receiving reports on potential false positives caused by particular hosts/domains, to add these to the rules as negated content matches?

Thanks,
Chris

Sent from my iPhone
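The tuning Chris asks about, a negated content match on the Host header that keeps a BLACKLIST URI rule from firing on a known benign (parked) host, modelled as an added Python example. This is not Snort, not a VRT rule and not code from either poster; the hostnames, URI path and SID are constructed placeholders, and the Snort syntax rendered by as_snort() is illustrative of the negated-content form rather than a copy of any released rule.

```python
"""Toy model of a Snort-style URI blacklist rule with a negated Host match.

Models two behaviours on the same constructed HTTP requests:
  1. a rule matching only on the request URI, which fires on every host
     that serves the path, parked domains included;
  2. the same rule with a negated content match on the Host header,
     which suppresses one known benign host but still alerts when the
     same URI is requested from any other host.
Assumptions: all hostnames, paths and the SID below are placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class UriRule:
    sid: int
    msg: str
    uri_content: str                                   # content:"..."; http_uri;
    negated_hosts: List[str] = field(default_factory=list)  # content:!"..."; http_header;

    def as_snort(self) -> str:
        """Render the rule in Snort 2.x option syntax (illustrative only)."""
        opts = [f'msg:"{self.msg}"', "flow:to_server,established",
                f'content:"{self.uri_content}"; http_uri']
        for host in self.negated_hosts:
            # Negated content: the rule must NOT see this Host header value.
            opts.append(f'content:!"Host|3A| {host}"; http_header')
        opts += [f"sid:{self.sid}", "rev:1"]
        return ("alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ("
                + "; ".join(opts) + ";)")


def parse_request(raw: str) -> Dict[str, str]:
    """Minimal HTTP/1.x request-line and header parser (client requests only)."""
    lines = raw.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "host": headers.get("host", "")}


def rule_matches(rule: UriRule, req: Dict[str, str]) -> bool:
    """True when the URI content is present and no negated host matches."""
    if rule.uri_content not in req["uri"]:
        return False
    for host in rule.negated_hosts:
        if host in req["host"]:   # a negated pattern that IS present vetoes the rule
            return False
    return True


def evaluate(rules: List[UriRule], raw_requests: List[str]) -> List[Tuple[int, str]]:
    """Return (sid, host) for every rule that fires on every request."""
    alerts: List[Tuple[int, str]] = []
    for raw in raw_requests:
        req = parse_request(raw)
        for rule in rules:
            if rule_matches(rule, req):
                alerts.append((rule.sid, req["host"]))
    return alerts


# Constructed sample traffic: the same path from a parked host and from
# another host, plus an unrelated request.
SAMPLE_REQUESTS = [
    "GET /img/counter.php?id=7 HTTP/1.1\r\nHost: parked-example.test\r\n\r\n",
    "GET /img/counter.php?id=7 HTTP/1.1\r\nHost: other-host.test\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: other-host.test\r\n\r\n",
]

ORIGINAL_RULE = UriRule(sid=9000001, msg="BLACKLIST URI request (placeholder)",
                        uri_content="/img/counter.php")
TUNED_RULE = UriRule(sid=9000001, msg="BLACKLIST URI request (placeholder)",
                     uri_content="/img/counter.php",
                     negated_hosts=["parked-example.test"])

if __name__ == "__main__":
    print("original:", evaluate([ORIGINAL_RULE], SAMPLE_REQUESTS))
    print("tuned:   ", evaluate([TUNED_RULE], SAMPLE_REQUESTS))
    print(TUNED_RULE.as_snort())
```

The original rule fires twice (parked host and other host); the tuned rule fires only for other-host.test, which is the effect of reporting a false-positive host back so it can be excluded by a negated match. The limitation worth noting is that each excluded host widens a blind spot for that exact URI, so such exclusions are best kept to hosts that have actually been verified benign, as Adam describes doing with his other controls.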