Snort mailing list archives

Re: sig-id 1:26848:3


From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 31 Oct 2014 14:08:02 -0400

On 10/30/2014 8:13 PM, Oscar A wrote:
Can someone help me about this signature, what does it match and why?

in the rules i looked at (2.9.6.2 IIRC) this rule is disabled by default but you 
can read the rule to see what it is looking at...


rules/browser-ie.rules:
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 7 emulation via meta tag"; flow:to_client,established; file_data; content:"<meta "; content:"content=|22|IE=EmulateIE7|22|"; within:200; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:26848; rev:3;)


the first thing is that it is looking for the string "<meta " and then another 
string of "content=|22|IE=EmulateIE7|22|"... the "|22|" parts are the double 
quote character (")... the rule is looking for these in ftp, http, imap and pop3 
traffic...


the above rule may be triggered as part of MAGNITUDE EK infestation traffic as 
noted at this URL... http://malware-traffic-analysis.net/2014/09/10/index.html

the above link was the 4th one in this google search... 
https://www.google.com/search?q=snort+rule+"sid%3A26848";

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
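The content/within chain in sid:26848 can be walked through offline. The Python below is an added illustration, not code from the post or from the Snort project: it approximates Snort's file_data buffer with a raw HTTP response body, uses the two content patterns exactly as the rule spells them (|22| decoded to the double-quote byte), and applies within:200 as Snort does, i.e. the second pattern must sit entirely inside the 200 bytes that follow the end of the previous match. The sample bodies and the helper names (find_emulate_ie7, rule_26848_matches) are constructed for this example.

```python
# Added example (not from the mailing-list post or the Snort project): a small
# re-implementation of the two "content" checks in sid:26848 so the matching
# logic can be inspected offline. Snort's file_data buffer is approximated here
# by the raw HTTP response body.

from typing import Optional

# The two patterns from the rule. |22| in Snort syntax is the byte 0x22, i.e. '"'.
META_OPEN = b"<meta "
EMULATE_IE7 = b'content="IE=EmulateIE7"'
# within:200 -> the second pattern must fit inside the 200 bytes after the first match.
WITHIN = 200


def find_emulate_ie7(body: bytes) -> Optional[int]:
    """Return the offset of the first 'content="IE=EmulateIE7"' that satisfies the
    rule's content/within chain, or None if the body would not fire sid:26848.

    Snort content matches are case-sensitive unless 'nocase' is given; the rule
    has no 'nocase', so the comparison below is byte-exact as well.
    """
    start = 0
    while True:
        meta = body.find(META_OPEN, start)
        if meta == -1:
            return None
        end_of_meta = meta + len(META_OPEN)
        # 'within:200' limits the search to the 200 bytes following the previous match.
        window = body[end_of_meta:end_of_meta + WITHIN]
        hit = window.find(EMULATE_IE7)
        if hit != -1:
            return end_of_meta + hit
        # Snort retries the chain from later '<meta ' occurrences, so do the same.
        start = end_of_meta


def rule_26848_matches(body: bytes) -> bool:
    """True when the body contains the byte sequence the rule alerts on."""
    return find_emulate_ie7(body) is not None


# Constructed sample response bodies (not real captures).
SAMPLES = {
    # Common, legitimate X-UA-Compatible value: no alert.
    "benign_edge": b'<html><head><meta http-equiv="X-UA-Compatible" content="IE=edge"></head></html>',
    # The exact token the rule looks for, right after '<meta ': alert.
    "emulate_ie7": b'<html><head><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7"></head></html>',
    # Same token but more than 200 bytes after '<meta ': outside the within window, no alert.
    "too_far": b'<meta name="x" ' + b"A" * 300 + b'content="IE=EmulateIE7">',
    # First <meta> is too far from the token, but a later <meta> satisfies the chain: alert.
    "second_meta": (b'<meta charset="utf-8"><!-- ' + b"x" * 250 + b" -->"
                    b'<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7">'),
    # Different case: the rule has no 'nocase', so this does not fire.
    "wrong_case": b'<meta http-equiv="X-UA-Compatible" content="ie=emulateie7">',
}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:12s} -> {'ALERT' if rule_26848_matches(body) else 'no match'}")
```

Running the script shows which constructed bodies would produce an alert and which fall outside the within:200 window or fail the case-sensitive comparison; the last two cases are the ones worth remembering when tuning or evaluating this rule, since a legitimate page that uses the same meta tag will fire it just as readily as the exploit-kit landing page referenced in the thread.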

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
