Snort mailing list archives
BROWSER-OTHER TRUFFLEHUNTER SFVRT-1024 attack attempt (3:42014:1) alerts
From: Charlie Dyer <charlierwdyer () gmail com>
Date: Fri, 17 Mar 2017 07:47:48 +0000
Hello,

Below is a list of hosts that are the destination of HTTP GETs that are triggering the above rule. Obviously not much detail on why, and I can't really post all the URI data, but here are a few:

http://media.rightmove.co.ukhttp:// media.rightmove.co.uk/dir/1k/505/58618708/505_BAI170129_IMG_06_0000_max_656x437.JPG
http://ib.adnxs.comhttp:// ib.adnxs.com/setuid?entity=43&code=4044211960863159294
http://sync.adaptv.advertising.comhttp:// sync.adaptv.advertising.com/turn_user_sync?

Weird how the URI has two 'http://' prefixes; in fact all the URIs have this. Any ideas?

Below are the hosts.

a.tribalfusion.com aax-eu.amazon-adsystem.com ads.stickyadstv.com ads.yahoo.com b.scorecardresearch.com bat.bing.com bat.r.msn.com bcp.crwdcntrl.net beacon-eu-ams3.rubiconproject.com bh.contextweb.com cdn.adacado.com choices-or.truste.com ckm-m.xp1.ru4.com dsum.casalemedia.com dt.adsafeprotected.com evtvpaid.bfmio.com ib.adnxs.com image2.pubmatic.com impression.mediaiqdigital.com match.adsrvr.org media.rightmove.co.uk ox-d.justpremium.com p.rfihub.com pix04.revsci.net pixel.adsafeprotected.com pixel.mathtag.com pixel.quantserve.com pixel.rubiconproject.com pixel-eu.rubiconproject.com sp.adbrn.com srv-2017-03-17-07.pixel.parsely.com ssum.casalemedia.com su.addthis.com sync.adaptv.advertising.com sync.mathtag.com sync.search.spotxchange.com tamil.oneindia.com tapestry.tapad.com tca-115.tca-rtb1.rfihub.net tps20204.doubleverify.com tps611.doubleverify.com trc.taboola.com w88.espn.com www.google-analytics.com www.rightmove.co.uk www.wtp101.co