Snort mailing list archives
Re: sig-id 1:26848:3
From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 31 Oct 2014 14:08:02 -0400
On 10/30/2014 8:13 PM, Oscar A wrote:
Can someone help me about this signature, what does it match and why?
in the rules i looked at (2.9.6.2 IIRC) this rule is disabled by default but you can read the rule to see what it is looking at...

rules/browser-ie.rules:

    # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 7 emulation via meta tag"; flow:to_client,established; file_data; content:"<meta "; content:"content=|22|IE=EmulateIE7|22|"; within:200; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:26848; rev:3;)

the first thing is that it is looking for the string "<meta " and then another string of "content=|22|IE=EmulateIE7|22|"... the "|22|" parts are the double quote character (")... the rule is looking for these in ftp, http, imap and pop3 traffic...

the above rule may be triggered as part of MAGNITUDE EK infestation traffic as noted at this URL...

http://malware-traffic-analysis.net/2014/09/10/index.html

the above link was the 4th one in this google search...

https://www.google.com/search?q=snort+rule+"sid%3A26848"

--
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted.

Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
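Added example, not part of the thread or of the Snort rule set: a small Python reproduction of the two content matches and the within:200 window from sid 26848 rev 3, run over constructed HTML bodies to show which ones the rule's content logic would flag. The within semantics are my reading of Snort 2.x (the second pattern must sit entirely inside the 200 bytes that follow the end of the "<meta " match); the real rule additionally requires the file_data buffer, established to_client flow and the listed services, which this omits.

```python
def parse_snort_content(spec: str) -> bytes:
    """Decode a Snort content string: text outside |..| is literal,
    text inside |..| is hex bytes (so |22| is a double quote)."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            out += bytes.fromhex(part)  # fromhex tolerates "0d 0a" spacing
    return bytes(out)


# Patterns exactly as they appear in the rule quoted above
META_TAG = parse_snort_content("<meta ")
EMULATE = parse_snort_content("content=|22|IE=EmulateIE7|22|")
WINDOW = 200  # within:200


def matches_sid_26848(body: bytes) -> bool:
    """Approximate the rule's content logic on a file_data buffer (the
    HTTP/mail body). Snort retries later "<meta " occurrences when the
    first one does not lead to a full match, so every occurrence is tried.
    The second pattern must lie fully within WINDOW bytes after the end
    of the "<meta " match (within:N with the implicit distance:0)."""
    start = 0
    while True:
        i = body.find(META_TAG, start)
        if i == -1:
            return False
        end = i + len(META_TAG)
        if EMULATE in body[end:end + WINDOW]:
            return True
        start = i + 1


# Constructed sample bodies (not real captured traffic)
SAMPLE_HIT = b'<html><head><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7"></head></html>'
SAMPLE_SINGLE_QUOTES = b"<meta http-equiv='X-UA-Compatible' content='IE=EmulateIE7'>"  # |22| means ", so no match
SAMPLE_TOO_FAR = b"<meta " + b"x" * 250 + b'content="IE=EmulateIE7">'  # outside the 200-byte window
SAMPLE_SECOND_META = b'<meta charset="utf-8">' + b"x" * 300 + b'<meta content="IE=EmulateIE7">'  # second tag matches

if __name__ == "__main__":
    for name, body in [("hit", SAMPLE_HIT), ("single quotes", SAMPLE_SINGLE_QUOTES),
                       ("too far", SAMPLE_TOO_FAR), ("second meta", SAMPLE_SECOND_META)]:
        print(f"{name}: {matches_sid_26848(body)}")
```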
Current thread:
- sig-id 1:26848:3 Oscar A (Oct 30)
- Re: sig-id 1:26848:3 waldo kitty (Oct 31)