Snort mailing list archives
Re: [Snort-Sigs] sid 17903 possible FP
From: Alex Kirk <akirk () sourcefire com>
Date: Wed, 17 Aug 2011 13:25:20 -0400
That particular URL setup, along with others in the blacklist category, has been observed coming out of our malware sandbox in large quantities. Gambling sites are generally considered a gray area in terms of legitimacy anyway - while some may be legitimate, many others are not - and as such our review of the domain in question would have led us to believe that something nasty was happening with that site. If you've got users legitimately using that gaming site, I would suggest disabling the rule. For anyone whose policy disallows use of gambling sites, well, even if it's a hit because someone is directly using the site (as opposed to malware trying to defraud these guys), it's probably useful anyway.

On Wed, Aug 17, 2011 at 1:11 PM, matan monitz <mmonitz () gmail com> wrote:
Hello, after seeing hits on this sig we started investigating a bit. The requests are for domains on *.eyeviewdigital.com, which seems to be a legitimate ad company, originating from www.play65.com, which appears to be a legitimate gambling site. Digging deeper, I was surprised to find out that play65 was actually part of the sig. What made you classify this as "BLACKLIST URI request for known malicious URI - stid="? Or are you just missing the "!" on the content keyword for play65? <http://www.snort.org/search/sid/17903>
--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
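The question in the thread turns on whether a content match in the rule is positive or negated: a `content:"play65.com"` keyword fires when the string is present, while `content:!"play65.com"` fires only when it is absent, so the same referer can flip a rule between "matches legitimate traffic" and "excludes it". The following script is an added example, not code from the list thread, from Sourcefire or from the real sid 17903 text. It parses the content options of a Snort 2 rule, tracks which ones carry the `!` negation and which HTTP buffer modifier they use, and evaluates a constructed rule in both forms against two constructed HTTP requests. The rule text, the sid 9000001, the helper names and the request contents are all assumptions made for the example; only the domain names come from the thread.

```python
import re
from dataclasses import dataclass, field

# CONSTRUCTED rule for illustration only; this is not the text of sid 17903
# or of any real Sourcefire/Snort rule. It ties an ad-network request to a
# referring gambling site with a positive content match.
CONSTRUCTED_RULE_POSITIVE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"EXAMPLE constructed blacklist URI request"; '
    'content:"GET"; http_method; '
    'content:"eyeviewdigital.com"; http_header; '
    'content:"play65.com"; http_header; '
    'sid:9000001; rev:1;)'
)

# The same rule with the referer check negated: it now fires only when the
# request does NOT come from play65.com.
CONSTRUCTED_RULE_NEGATED = CONSTRUCTED_RULE_POSITIVE.replace(
    'content:"play65.com"', 'content:!"play65.com"')

# Content modifiers this toy parser understands (a subset of Snort 2's).
MODIFIERS = {'nocase', 'http_uri', 'http_header', 'http_method',
             'http_client_body', 'http_cookie', 'fast_pattern'}


@dataclass
class ContentMatch:
    pattern: str
    negated: bool
    modifiers: list = field(default_factory=list)


def split_options(rule):
    """Return the option tokens inside the parentheses, split on ';' outside quotes."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    tokens, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == '\\' and in_quote:
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ';' and not in_quote:
            token = ''.join(cur).strip()
            if token:
                tokens.append(token)
            cur = []
        else:
            cur.append(ch)
    token = ''.join(cur).strip()
    if token:
        tokens.append(token)
    return tokens


def parse_contents(rule):
    """Collect each content keyword, its negation flag and the modifiers that follow it.

    Binary escapes such as |00 01| are not decoded; plain string patterns only."""
    contents = []
    for token in split_options(rule):
        if token.startswith('content:'):
            m = re.match(r'content:\s*(!?)\s*"(.*)"$', token)
            if not m:
                raise ValueError(f'unparsed content option: {token}')
            contents.append(ContentMatch(m.group(2), m.group(1) == '!'))
        elif token.split(':')[0] in MODIFIERS and contents:
            contents[-1].modifiers.append(token.split(':')[0])
    return contents


def select_buffer(cm, request):
    """Pick the part of the request an http_* modifier restricts the match to."""
    if 'http_method' in cm.modifiers:
        return request['method']
    if 'http_uri' in cm.modifiers:
        return request['uri']
    if 'http_header' in cm.modifiers:
        return request['headers']
    return request['raw']


def rule_fires(rule, request):
    """True when every content option is satisfied: positive ones found, negated ones absent."""
    for cm in parse_contents(rule):
        buf, pat = select_buffer(cm, request), cm.pattern
        if 'nocase' in cm.modifiers:
            buf, pat = buf.lower(), pat.lower()
        found = pat in buf
        if found == cm.negated:  # a positive match that is missing, or a negated one that is present
            return False
    return True


def make_request(method, uri, host, referer=None):
    """Build a CONSTRUCTED HTTP request split into the buffers Snort would expose."""
    headers = f'Host: {host}\r\n'
    if referer:
        headers += f'Referer: {referer}\r\n'
    raw = f'{method} {uri} HTTP/1.1\r\n{headers}\r\n'
    return {'method': method, 'uri': uri, 'headers': headers, 'raw': raw}


# Constructed traffic: the ad request as seen from play65.com, and the same request from elsewhere.
REQ_FROM_PLAY65 = make_request('GET', '/ad.js', 'ads.eyeviewdigital.com', 'http://www.play65.com/')
REQ_FROM_ELSEWHERE = make_request('GET', '/ad.js', 'ads.eyeviewdigital.com', 'http://example.invalid/')

if __name__ == '__main__':
    for name, rule in (('positive', CONSTRUCTED_RULE_POSITIVE), ('negated', CONSTRUCTED_RULE_NEGATED)):
        print(name, 'from play65:', rule_fires(rule, REQ_FROM_PLAY65),
              '| from elsewhere:', rule_fires(rule, REQ_FROM_ELSEWHERE))
```

With the positive form, the rule fires on the request that carries the play65.com referer and stays quiet on the other one, which is exactly the behaviour the thread reports as a false positive for users of that site; with the `!` in place the two outcomes swap. When triaging a blacklist-style hit, reading the rule's content options this way (which buffer, positive or negated) tells you whether the alert is keyed on the destination, the referring site, or the absence of one, before deciding to tune or disable it.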