Snort mailing list archives
Re: False Positives, not that big of a deal, itsoknoproblembro
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 7 Dec 2012 15:24:43 -0500
We've committed a fix for this recently, and it should be out in the next rule pack.

On Dec 7, 2012, at 2:44 PM, Community Proposed <lists () packetmail net> wrote:
FYI -- Check the HTTP URI match on sid:24389; rev:2; got some false positives.

0000  00 26 b9 34 3b 01 00 11 bc 53 18 00 81 00 00 65  .&.4;....S.....e
0010  08 00 45 00 01 f5 ea d4 40 00 79 06 07 c1 0a 30  ..E.....@.y....0
0020  d7 8d ac 18 7f 97 08 74 1f 90 d1 33 fd e4 90 ab  .......t...3....
0030  1d c0 50 18 fc 00 ff d8 00 00 47 45 54 20 68 74  ..P.......GET ht
0040  74 70 3a 2f 2f 76 6f 74 65 2e 74 75 62 65 73 6e  tp://vote.tubesn
0050  61 63 6b 2e 63 6f 6d 2f 69 6e 64 65 78 2e 70 68  ack.com/index.ph
0060  70 3f 61 63 74 69 6f 6e 3d 73 74 61 74 75 73 26  p?action=status&
0070  63 6f 6c 6c 65 63 74 69 6f 6e 3d 74 7a 75 69 65  collection=tzuie
0080  70 68 76 26 73 69 67 6e 61 74 75 72 65 3d 32 39  phv&signature=29
0090  39 63 62 38 34 63 65 37 63 39 33 35 66 66 33 34  9cb84ce7c935ff34
00a0  36 38 35 36 64 62 30 31 35 39 33 65 33 66 64 31  6856db01593e3fd1
00b0  36 38 34 63 63 66 20 48 54 54 50 2f 31 2e 30 0d  684ccf HTTP/1.0.
00c0  0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 41 63  .Accept: */*..Ac
00d0  63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 65  cept-Language: e
00e0  6e 2d 55 53 0d 0a 52 65 66 65 72 65 72 3a 20 68  n-US..Referer: h
00f0  74 74 70 3a 2f 2f 66 69 6c 65 73 2e 74 75 62 65  ttp://files.tube
0100  73 6e 61 63 6b 2e 6e 65 74 2f 74 65 6d 70 6c 61  snack.net/templa
0110  74 65 73 2f 73 77 66 2f 39 36 35 31 32 37 37 62  tes/swf/9651277b
0120  39 39 62 65 38 62 66 32 32 65 61 66 37 36 35 33  99be8bf22eaf7653
0130  36 39 62 37 39 74 36 33 0d 0a 78 2d 66 6c 61 73  69b79t63..x-flas
0140  68 2d 76 65 72 73 69 6f 6e 3a 20 31 31 2c 33 2c  h-version: 11,3,
0150  33 30 30 2c 32 36 35 0d 0a 55 73 65 72 2d 41 67  300,265..User-Ag
0160  65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30  ent: Mozilla/4.0
0170  20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53   (compatible; MS
0180  49 45 20 38 2e 30 3b 20 57 69 6e 64 6f 77 73 20  IE 8.0; Windows 
0190  4e 54 20 35 2e 31 3b 20 54 72 69 64 65 6e 74 2f  NT 5.1; Trident/
01a0  34 2e 30 3b 20 2e 4e 45 54 20 43 4c 52 20 31 2e  4.0; .NET CLR 1.
01b0  31 2e 34 33 32 32 3b 20 2e 4e 45 54 20 43 4c 52  1.4322; .NET CLR
01c0  20 32 2e 30 2e 35 30 37 32 37 29 0d 0a 48 6f 73   2.0.50727)..Hos
01d0  74 3a 20 76 6f 74 65 2e 74 75 62 65 73 6e 61 63  t: vote.tubesnac
01e0  6b 2e 63 6f 6d 0d 0a 50 72 6f 78 79 2d 43 6f 6e  k.com..Proxy-Con
01f0  6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c  nection: Keep-Al
0200  69 76 65 0d 0a 0d 0a                             ive....

ASCII payload:

GET http://vote.tubesnack.com/index.php?action=status&collection=tzuiephv&signature=299cb84ce7c935ff346856db01593e3fd1684ccf HTTP/1.0
Accept: */*
Accept-Language: en-US
Referer: http://files.tubesnack.net/templates/swf/9651277b99be8bf22eaf765369b79t63
x-flash-version: 11,3,300,265
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: vote.tubesnack.com
Proxy-Connection: Keep-Alive

Cheers,
Nathan

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
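When triaging a false-positive report like the one quoted above, the first step is to decode the posted frame and see exactly what the rule's HTTP URI match was evaluated against. The script below is an added example (not from the thread, from Nathan, or from the Snort project): it walks the Ethernet, 802.1Q, IPv4 and TCP layers with the Python standard library, verifies the IPv4 header checksum so a mangled capture is noticed before anyone blames the rule, and returns the request line, the parsed request target and the headers. FRAME_HEX is the frame exactly as posted; every other name (decode_frame, ipv4_checksum, the returned field names) is this example's own. The rule body of sid:24389 is not in the thread, so the content match itself is not reproduced.

```python
"""Decode the frame from the false-positive report into its layers.

Added example; FRAME_HEX is copied from the quoted message, everything
else (function and field names) is an assumption of this example."""
import struct
from urllib.parse import parse_qs, urlsplit

# Frame bytes exactly as posted in the report (519 bytes, 32 per line).
FRAME_HEX = """
00 26 b9 34 3b 01 00 11 bc 53 18 00 81 00 00 65 08 00 45 00 01 f5 ea d4 40 00 79 06 07 c1 0a 30
d7 8d ac 18 7f 97 08 74 1f 90 d1 33 fd e4 90 ab 1d c0 50 18 fc 00 ff d8 00 00 47 45 54 20 68 74
74 70 3a 2f 2f 76 6f 74 65 2e 74 75 62 65 73 6e 61 63 6b 2e 63 6f 6d 2f 69 6e 64 65 78 2e 70 68
70 3f 61 63 74 69 6f 6e 3d 73 74 61 74 75 73 26 63 6f 6c 6c 65 63 74 69 6f 6e 3d 74 7a 75 69 65
70 68 76 26 73 69 67 6e 61 74 75 72 65 3d 32 39 39 63 62 38 34 63 65 37 63 39 33 35 66 66 33 34
36 38 35 36 64 62 30 31 35 39 33 65 33 66 64 31 36 38 34 63 63 66 20 48 54 54 50 2f 31 2e 30 0d
0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 65
6e 2d 55 53 0d 0a 52 65 66 65 72 65 72 3a 20 68 74 74 70 3a 2f 2f 66 69 6c 65 73 2e 74 75 62 65
73 6e 61 63 6b 2e 6e 65 74 2f 74 65 6d 70 6c 61 74 65 73 2f 73 77 66 2f 39 36 35 31 32 37 37 62
39 39 62 65 38 62 66 32 32 65 61 66 37 36 35 33 36 39 62 37 39 74 36 33 0d 0a 78 2d 66 6c 61 73
68 2d 76 65 72 73 69 6f 6e 3a 20 31 31 2c 33 2c 33 30 30 2c 32 36 35 0d 0a 55 73 65 72 2d 41 67
65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53
49 45 20 38 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20 54 72 69 64 65 6e 74 2f
34 2e 30 3b 20 2e 4e 45 54 20 43 4c 52 20 31 2e 31 2e 34 33 32 32 3b 20 2e 4e 45 54 20 43 4c 52
20 32 2e 30 2e 35 30 37 32 37 29 0d 0a 48 6f 73 74 3a 20 76 6f 74 65 2e 74 75 62 65 73 6e 61 63
6b 2e 63 6f 6d 0d 0a 50 72 6f 78 79 2d 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c
69 76 65 0d 0a 0d 0a
"""


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over an IPv4 header; 0 when the stored checksum verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(hex_dump: str) -> dict:
    """Return the fields a triager compares against the rule, layer by layer."""
    raw = bytes.fromhex("".join(hex_dump.split()))
    out = {}
    # Ethernet II: dst MAC, src MAC, EtherType (0x8100 means an 802.1Q tag follows)
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", raw[:14])
    offset, out["vlan"] = 14, None
    if ethertype == 0x8100:
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        out["vlan"], offset = tci & 0x0FFF, 18
    if ethertype != 0x0800:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)
    # IPv4 fixed header; IHL (low nibble of byte 0) is the header length in 32-bit words
    ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[offset:offset + 20])
    ihl = (ver_ihl & 0x0F) * 4
    out.update(src_ip=".".join(map(str, src)), dst_ip=".".join(map(str, dst)),
               ttl=ttl, proto=proto, ip_total_len=total_len,
               ip_checksum_ok=ipv4_checksum(raw[offset:offset + ihl]) == 0)
    if proto != 6:
        raise ValueError("not TCP: protocol %d" % proto)
    segment = raw[offset + ihl:offset + total_len]
    # TCP fixed header; data offset is the upper nibble of byte 12, in 32-bit words
    sport, dport, _seq, _ack, off_res, flags, _win, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    payload = segment[(off_res >> 4) * 4:]
    out.update(sport=sport, dport=dport, tcp_flags=flags, payload_len=len(payload))
    # HTTP/1.x request: request line, header lines, blank line (all CRLF-terminated)
    head, _, _body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)  # absolute-URI form here (proxy-style request)
    out.update(method=method, request_target=target, http_version=version,
               uri_host=parts.netloc, uri_path=parts.path,
               uri_query=parse_qs(parts.query), headers=headers)
    return out


if __name__ == "__main__":
    r = decode_frame(FRAME_HEX)
    print("%s:%d -> %s:%d  vlan %s  ttl %d  ip checksum ok: %s" % (
        r["src_ip"], r["sport"], r["dst_ip"], r["dport"], r["vlan"], r["ttl"], r["ip_checksum_ok"]))
    print("%s %s %s" % (r["method"], r["request_target"], r["http_version"]))
    print("path %s  query %s" % (r["uri_path"], r["uri_query"]))
    print("Host header matches URI host:", r["headers"].get("host") == r["uri_host"])
```

Two things the decoded output makes obvious that the raw dump hides: the request is proxy-style (absolute URI in the request line, destination port 8080, a Proxy-Connection header), so whether the HTTP preprocessor's configured port list covers 8080 decides whether the URI buffer is even populated for this traffic; and the query string carries three parameters, including a 40-hex-character `signature` value, which is the kind of generic shape a rule's URI pattern has to be tested against on benign traffic before it ships.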