Snort mailing list archives

Re: SID 18773


From: Alex Kirk <akirk () sourcefire com>
Date: Tue, 17 Jan 2012 13:01:44 -0500

It's for a piece of malware that sends requests with that specific
structure. If you can send copies of some of the alerts, preferably in PCAP
form, we could take a look and see if the rule is working properly or if it
needs to be updated.

On Thu, Jan 12, 2012 at 9:34 AM, <vincent () ragosta net> wrote:

What exactly is Snort SID 18773 attempting to alert on?  The rule name is
'BLACKLIST URI for known malicious URI - /stat.htm' and contains some very
specific content clauses.  When I follow the URL specified by one of these
alerts, it points to a 1x1 pixel GIF image.  Is this part of a known
exploit?

Thanks,

Vincent


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!




-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com