Re: BROWSER-OTHER TRUFFLEHUNTER SFVRT-1024 attack attempt (3:42014:1) alerts

[Charlie Dyer <charlierwdyer () gmail com>]

Following on from the previous message, the repeating http://<host> in the
URI is only present in the http.request.full_uri, it does not repeat when
using http.request.uri.
It also repeats in the Sourcefire GUI under Full Request URI.

Was this a hastily released rule as I cannot see the SID in any recent
release.

On Fri, Mar 17, 2017 at 7:47 AM, Charlie Dyer <charlierwdyer () gmail com>
wrote:

> Hello
>
> Below are a list of hosts that are the destination of HTTP GETs that are
> triggering the above rule, obviously not much detail on why, can't really
> post all the URI data but here are a few:
>
> http://media.rightmove.co.ukhttp://media.rightmove.co.
> uk/dir/1k/505/58618708/505_BAI170129_IMG_06_0000_max_656x437.JPG
>
> http://ib.adnxs.comhttp://ib.adnxs.com/setuid?entity=43&;
> code=4044211960863159294
>
> http://sync.adaptv.advertising.comhttp://sync.adaptv.advertising.com/turn_
> user_sync?
>
> Weird how the URI has two 'http://&apos; prefixes, in fact all the URIs have
> this.
>
> Any ideas?
>
> Below are the hosts.
>
> a.tribalfusion.com
> aax-eu.amazon-adsystem.com
> ads.stickyadstv.com
> ads.yahoo.com
> b.scorecardresearch.com
> bat.bing.com
> bat.r.msn.com
> bcp.crwdcntrl.net
> beacon-eu-ams3.rubiconproject.com
> bh.contextweb.com
> cdn.adacado.com
> choices-or.truste.com
> ckm-m.xp1.ru4.com
> dsum.casalemedia.com
> dt.adsafeprotected.com
> evtvpaid.bfmio.com
> ib.adnxs.com
> image2.pubmatic.com
> impression.mediaiqdigital.com
> match.adsrvr.org
> media.rightmove.co.uk
> ox-d.justpremium.com
> p.rfihub.com
> pix04.revsci.net
> pixel.adsafeprotected.com
> pixel.mathtag.com
> pixel.quantserve.com
> pixel.rubiconproject.com
> pixel-eu.rubiconproject.com
> sp.adbrn.com
> srv-2017-03-17-07.pixel.parsely.com
> ssum.casalemedia.com
> su.addthis.com
> sync.adaptv.advertising.com
> sync.mathtag.com
> sync.search.spotxchange.com
> tamil.oneindia.com
> tapestry.tapad.com
> tca-115.tca-rtb1.rfihub.net
> tps20204.doubleverify.com
> tps611.doubleverify.com
> trc.taboola.com
> w88.espn.com
> www.google-analytics.com
> www.rightmove.co.uk
> www.wtp101.co
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!