Snort mailing list archives

False Positive for SID:29443 "Fiesta exploit kit outbound connection"


From: Dheeraj Gupta <dheeraj.gupta4 () gmail com>
Date: Tue, 30 Aug 2016 10:03:17 +0530

Hi,

We have been seeing a lot of false positives for 1-29443.
A sample GET request that triggered this signature is

GET /polling/ecdb419b5dd62e8155da061bff521059815dd644cdac0db0afce5d23d8e0031f HTTP/1.1
Host: track.aftership.com
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/36.0.1985.125 Chrome/36.0.1985.125 Safari/537.36
Referer: http://track.aftership.com/ecom-express/[REDACTED]
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: [REDACTED]
Via: 1.1 none (squid)
Cache-Control: max-age=259200
Connection: keep-alive

This looks like an AJAX request to a shipment tracking website. We have
looked at the session PCAPs and the user is indeed trying to track one of
his shipments.
This signature triggers for overly long URIs and it looks like the UUID in
the GET request trips it.

Regards,
Dheeraj
------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org