Snort mailing list archives
False Positive for SID:29443 "Fiesta exploit kit outbound connection"
From: Dheeraj Gupta <dheeraj.gupta4 () gmail com>
Date: Tue, 30 Aug 2016 10:03:17 +0530
Hi,

We have been seeing a lot of false positives for 1-29443. A sample GET request that triggered this signature is:

GET /polling/ecdb419b5dd62e8155da061bff521059815dd644cdac0db0afce5d23d8e0031f HTTP/1.1
Host: track.aftership.com
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/36.0.1985.125 Chrome/36.0.1985.125 Safari/537.36
Referer: http://track.aftership.com/ecom-express/[REDACTED]
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: [REDACTED]
Via: 1.1 none (squid)
Cache-Control: max-age=259200
Connection: keep-alive

This looks like an AJAX request to a shipment tracking website. We have looked at the session PCAPs and the user is indeed trying to track one of his shipments. This signature triggers for overly long URIs and it looks like the UUID in the GET request trips it.

Regards,
Dheeraj
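Added example, not code from the thread or from the Snort project: a small Python triage helper that reassembles the reported request, measures the URI, and flags the benign pattern the poster describes (same-host Referer, XMLHttpRequest, a long hex token as the last path segment), then builds a Snort threshold.conf suppress entry for a destination you have verified. The 60-character length threshold and the destination IP are assumptions; the real body of SID 29443 is not reproduced here.

```python
"""Triage helper for a long-URI alert (added example, not from the thread)."""
import re
from urllib.parse import urlsplit

# The request from the report, reassembled with CRLF endings; redacted
# values are kept as the poster's placeholders.
SAMPLE_REQUEST = (
    "GET /polling/ecdb419b5dd62e8155da061bff521059815dd644cdac0db0afce5d23d8e0031f HTTP/1.1\r\n"
    "Host: track.aftership.com\r\n"
    "X-Requested-With: XMLHttpRequest\r\n"
    "Referer: http://track.aftership.com/ecom-express/[REDACTED]\r\n"
    "\r\n"
)
# 32 to 64 lowercase hex chars: MD5-sized through SHA-256-sized tokens.
HEX_TOKEN = re.compile(r"^[0-9a-f]{32,64}$")

def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, uri, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers

def triage(raw, uri_length_threshold=60):
    """Explain why a length-based rule fired; the threshold is an assumed value."""
    _method, uri, headers = parse_request(raw)
    last = uri.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]
    referer_host = urlsplit(headers.get("referer", "")).hostname or ""
    result = {
        "uri_length": len(uri),
        "exceeds_length_threshold": len(uri) > uri_length_threshold,
        "last_segment_is_hex_token": bool(HEX_TOKEN.match(last)),
        "is_xhr": headers.get("x-requested-with", "").lower() == "xmlhttprequest",
        "referer_same_host": referer_host == headers.get("host", "").lower(),
    }
    # Same-origin XHR fetching a long hex token is the tracking-site pattern
    # described in the report, not by itself evidence of an exploit kit.
    result["likely_benign_ajax"] = (
        result["last_segment_is_hex_token"] and result["is_xhr"]
        and result["referer_same_host"]
    )
    return result

def suppress_line(sig_id, dst_ip, gen_id=1):
    """threshold.conf suppression for a destination verified as benign (dst_ip is a placeholder)."""
    return f"suppress gen_id {gen_id}, sig_id {sig_id}, track by_dst, ip {dst_ip}"
```

The suppress entry only applies once you have confirmed the destination from the session PCAPs, as the poster did; a by_dst suppression on an unverified address would hide real alerts.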