Snort mailing list archives
Re: Snort Rule 40755 and Shockwave Flash detection
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Thu, 12 Jan 2017 01:17:34 +0000
Hello, If possible it would help if you shared the packet information. It will be hard to tell if this is a false positive or not without it. Thanks. Albert Lewis ENGINEER.SOFTWARE ENGINEERING SOURCEfire, Inc. now part of Cisco Email: allewi () cisco com<mailto:allewi () cisco com> From: "Jonathan A. Yee" <jyee () spawar navy mil<mailto:jyee () spawar navy mil>> Date: Wednesday, January 11, 2017 at 7:44 PM To: "snort-sigs () lists sourceforge net<mailto:snort-sigs () lists sourceforge net>" <snort-sigs () lists sourceforge net<mailto:snort-sigs () lists sourceforge net>> Subject: [Snort-sigs] Snort Rule 40755 and Shockwave Flash detection Hi all, Apologies of this is posted to the incorrect mailing list. One of our SourceFire boxes has been getting many alerts in relation to SID 40755 "FILE-FLASH Adobe Flash EnableDebugger2 obfuscation attempt" on seemingly innocuous Shockwave Flash sites. The entire rule is: alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash EnableDebugger2 obfuscation attempt"; flow:to_client,established; file_data; content:"FWS"; depth:3; content:"|1F 10 75 19 24 31 24|"; content:"|00|"; within:1; distance:25; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/1613acd34bfb85121bef0cd7a5cc572967912f9f674eefd7175f42ad2099e3d1/analysis/<http://www.virustotal.com/en/file/1613acd34bfb85121bef0cd7a5cc572967912f9f674eefd7175f42ad2099e3d1/analysis/>; classtype:attempted-user; sid:40755; rev:1; ) After examining the packet information, I can't seem to find a single occurrence of either the string or binary data within any of the frames. However, the rule does seem to be triggering at seemingly random intervals. I've tried going to the specific URIs and have not been able to forcibly trigger the rule. I've checked the hash of each SWF file it's triggering on and not a single one matches the reference found in VT. This leads me to believe that the rules is too broadly written and is causing false positives. I was wondering if anyone had seen something similar or might have some insight for why this rule might be triggering on different SWF files. Thanks in advance. -- Jonathan (Jay) Yee New Professional Network Monitoring Team at SSCPAC RDT&E Network Security, Code 82900 619-553-1064
------------------------------------------------------------------------------ Developer Access Program for Intel Xeon Phi Processors Access to Intel Xeon Phi processor-based developer platforms. With one year of Intel Parallel Studio XE. Training and support from Colfax. Order your platform today. http://sdm.link/xeonphi
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
Current thread:
- Snort Rule 40755 and Shockwave Flash detection Jonathan A. Yee (Jan 11)
- Re: Snort Rule 40755 and Shockwave Flash detection Al Lewis (allewi) (Jan 11)
- Re: Snort Rule 40755 and Shockwave Flash detection Joel Esler (jesler) (Jan 11)
- Re: Snort Rule 40755 and Shockwave Flash detection Al Lewis (allewi) (Jan 11)