Snort mailing list archives
Re: sid:36535
From: Avery Rozar <Avery.Rozar () i-techsupport com>
Date: Mon, 26 Oct 2015 18:12:59 +0000
Here are some, I'm getting killed with these today. Looks like some js files on Akamai cdn.

________________________________________
From: wkitty42 () windstream net [wkitty42 () windstream net]
Sent: Monday, October 26, 2015 2:02 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] sid:36535

On 10/26/2015 12:22 PM, Zied Naas wrote:
> Hi all, I would like to know why alerts are triggering for the payload containing only the first content "return" but not the others.
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit landing page detected"; flow:to_client, established; file_data; content:"return"; content:"join"; within:8; content:"MSIE"; distance:0; content:"navigator"; within:60; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36535; rev:1;)
it is kind of funny that someone else just asked about the exact rule on the SNORT-SIGS list... can you provide a pcap of the transaction that fires this rule??

--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list* unless private contact is specifically requested and granted.

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Attachment: tcpdump.Z0.log.1445832130.pcap
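To make the question in the thread concrete, here is an added illustration (not from the thread or from the Snort project) of how the four `content` options in sid:36535 chain together: with the standard meaning of `within` and `distance`, a buffer that contains only "return" does not satisfy the rule, so a hit on such traffic points at what actually lands in the `file_data` buffer rather than at the rule logic. It assumes Snort's relative-match semantics and its retry of earlier contents when a later one fails; `file_data` normalisation is ignored.

```python
# Added illustration, not from the thread: a minimal evaluator for the
# chain of Snort `content` options in sid:36535. Assumed semantics
# (standard Snort): `distance:N` = match must start >= N bytes after the
# previous match ended; `within:N` = match must end <= N bytes after the
# previous match ended; a failed later content retries the earlier one.

# (pattern, distance, within); None = modifier absent. The first content
# searches the whole buffer, all later ones are relative to the previous.
SID_36535_CHAIN = [
    (b"return", None, None),
    (b"join", None, 8),
    (b"MSIE", 0, None),
    (b"navigator", None, 60),
]

def chain_matches(payload: bytes, chain, idx: int = 0, prev_end: int = 0) -> bool:
    """True only if every content in `chain` matches, in order, honouring
    the relative constraints. Backtracks like Snort's recursion."""
    if idx == len(chain):
        return True
    pattern, distance, within = chain[idx]
    start = prev_end + (distance or 0)
    # bytes.find(sub, start, end) needs the whole match inside [start, end),
    # which is exactly the `within` window (match end <= prev_end + within).
    end = len(payload) if within is None else prev_end + within
    pos = start
    while True:
        hit = payload.find(pattern, pos, end)
        if hit < 0:
            return False
        if chain_matches(payload, chain, idx + 1, hit + len(pattern)):
            return True
        pos = hit + 1  # retry with the next occurrence of this content

def sid_36535_matches(payload: bytes) -> bool:
    return chain_matches(payload, SID_36535_CHAIN)

# Constructed sample payloads (not taken from the attached pcap).
ONLY_RETURN = b"function f(){ return x; }"
JOIN_TOO_FAR = b"return someArray.join(); MSIE navigator"
FULL_CHAIN = (b"return a.join(); if(navigator.userAgent.indexOf('MSIE')>0)"
              b" return navigator.appName")
RETRIED_RETURN = b"return; return x.join(); if(/MSIE/.test(ua)) navigator.x"

if __name__ == "__main__":
    for name in ("ONLY_RETURN", "JOIN_TOO_FAR", "FULL_CHAIN", "RETRIED_RETURN"):
        print(f"{name:15s} -> {sid_36535_matches(globals()[name])}")
```

Only FULL_CHAIN and RETRIED_RETURN satisfy the chain; the "return"-only buffer and the one where "join" falls outside the 8-byte window do not.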