Snort mailing list archives
Re: SID 18773
From: Alex Kirk <akirk () sourcefire com>
Date: Tue, 17 Jan 2012 13:01:44 -0500
It's for a piece of malware that sends requests with that specific structure. If you can send copies of some of the alerts, preferably in PCAP form, we could take a look and see if the rule is working properly or if it needs to be updated.

On Thu, Jan 12, 2012 at 9:34 AM, <vincent () ragosta net> wrote:

What exactly is Snort SID 18773 attempting to alert on? The rule name is "BLACKLIST URI for known malicious URI - /stat.htm" and contains some very specific content clauses. When I follow the URL specified by one of these alerts, it points to a 1x1 pixel GIF image. Is this part of a known exploit?

Thanks,
Vincent

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
Current thread:
- SID 18773 vincent (Jan 12)
- Re: SID 18773 JJ Cummings (Jan 12)
- Re: SID 18773 Alex Kirk (Jan 17)