Snort mailing list archives

Re: [Snort-Sigs] sid 17903 possible FP


From: Alex Kirk <akirk () sourcefire com>
Date: Wed, 17 Aug 2011 13:25:20 -0400

That particular URL setup, along with others in the blacklist category, has
been observed coming out of our malware sandbox in large quantities.
Gambling sites are generally considered a gray area in terms of legitimacy
anyway - while some may be legitimate, many others are not - and as such our
review of the domain in question would have led us to believe that something
nasty was happening with that site.

If you've got users legitimately using that gaming site, I would suggest
disabling the rule. For anyone whose policy disallows use of gambling sites,
well, even if it's a hit because someone is directly using the site (as
opposed to malware trying to defraud these guys), it's probably useful
anyway.

On Wed, Aug 17, 2011 at 1:11 PM, matan monitz <mmonitz () gmail com> wrote:

Hello,
after seeing hits on this sig we started investigating a bit.
The requests are for domains on *.eyeviewdigital.com, which seems to be a
legitimate ad company, originating from
www.play65.com, which appears to be a legitimate gambling site.
Digging deeper I was surprised to find out that play65 was actually part of
the sig.
What made you classify this as "BLACKLIST URI request for known malicious
URI - stid="?
Or are you just missing the "!" on the content keyword for play65?


<http://www.snort.org/search/sid/17903>


------------------------------------------------------------------------------
Get a FREE DOWNLOAD! and learn more about uberSVN rich system,
user administration capabilities and model configuration. Take
the hassle out of deploying and managing Subversion and the
tools developers use with it. http://p.sf.net/sfu/wandisco-d2d-2
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!




-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
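An added illustration, not part of the thread and not the text of sid 17903 (which is not reproduced here): a hypothetical local rule (sid 1000001, in the local SID range) showing what a "!" on a content keyword changes, followed by the threshold.conf lines that disable or scope the VRT rule the way Alex suggests. The hostnames are the ones named in the thread; the 10.1.2.0/24 network is made up.

```snort
# Hypothetical local rule - NOT the text of sid 17903.
# Without the "!", the second content match REQUIRES the play65 Referer,
# i.e. play65 users are exactly who gets flagged. With the "!", the rule
# fires only when that Referer is ABSENT, so play65 is exempted instead.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"LOCAL example - ad-network request, known referrer exempted"; \
    flow:to_server,established; \
    content:".eyeviewdigital.com"; http_header; nocase; \
    content:!"Referer|3A| http://www.play65.com"; http_header; nocase; \
    classtype:misc-activity; \
    sid:1000001; rev:1; \
)

# threshold.conf - silence the VRT rule without editing the rules file.
# gen_id 1 is the rules engine; sig_id is the rule's SID.
# Disable it everywhere:
suppress gen_id 1, sig_id 17903
# Or keep it firing except for the subnet where play65 use is sanctioned
# (10.1.2.0/24 is a made-up example network):
suppress gen_id 1, sig_id 17903, track by_src, ip 10.1.2.0/24
```

The Referer header is entirely client-controlled, so a negated match on it only removes the known-benign path from the alert stream; it does not make the remaining hits malicious by itself, and malware can send the same header. The by_src suppression is the safer middle ground when only part of the network is allowed to use the site, since hits from everywhere else keep the value Alex describes.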
