Snort mailing list archives

Re: BROWSER-OTHER TRUFFLEHUNTER SFVRT-1024 attack attempt (3:42014:1) alerts


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Fri, 17 Mar 2017 11:18:06 +0000

Charlie,

Can you submit that to us with a pcap so we can take a look?

http://blog.snort.org/2016/11/reporting-false-positives-with-snortorg.html

--
Sent from my iPhone

On Mar 17, 2017, at 03:09, Charlie Dyer <charlierwdyer () gmail com> wrote:

Following on from the previous message, the repeating http://<host> in the URI is only present in
http.request.full_uri; it does not repeat when using http.request.uri.
It also repeats in the Sourcefire GUI under Full Request URI.

Was this a hastily released rule, as I cannot see the SID in any recent release?

On Fri, Mar 17, 2017 at 7:47 AM, Charlie Dyer <charlierwdyer () gmail com> wrote:
Hello

Below is a list of hosts that are the destination of HTTP GETs that are triggering the above rule. Obviously not much
detail on why; I can't really post all the URI data, but here are a few:

http://media.rightmove.co.ukhttp://media.rightmove.co.uk/dir/1k/505/58618708/505_BAI170129_IMG_06_0000_max_656x437.JPG

http://ib.adnxs.comhttp://ib.adnxs.com/setuid?entity=43&code=4044211960863159294

http://sync.adaptv.advertising.comhttp://sync.adaptv.advertising.com/turn_user_sync?

Weird how the URI has two 'http://' prefixes; in fact all the URIs have this.

Any ideas?

Below are the hosts.

a.tribalfusion.com
aax-eu.amazon-adsystem.com
ads.stickyadstv.com
ads.yahoo.com
b.scorecardresearch.com
bat.bing.com
bat.r.msn.com
bcp.crwdcntrl.net
beacon-eu-ams3.rubiconproject.com
bh.contextweb.com
cdn.adacado.com
choices-or.truste.com
ckm-m.xp1.ru4.com
dsum.casalemedia.com
dt.adsafeprotected.com
evtvpaid.bfmio.com
ib.adnxs.com
image2.pubmatic.com
impression.mediaiqdigital.com
match.adsrvr.org
media.rightmove.co.uk
ox-d.justpremium.com
p.rfihub.com
pix04.revsci.net
pixel.adsafeprotected.com
pixel.mathtag.com
pixel.quantserve.com
pixel.rubiconproject.com
pixel-eu.rubiconproject.com
sp.adbrn.com
srv-2017-03-17-07.pixel.parsely.com
ssum.casalemedia.com
su.addthis.com
sync.adaptv.advertising.com
sync.mathtag.com
sync.search.spotxchange.com
tamil.oneindia.com
tapestry.tapad.com
tca-115.tca-rtb1.rfihub.net
tps20204.doubleverify.com
tps611.doubleverify.com
trc.taboola.com
w88.espn.com
www.google-analytics.com
www.rightmove.co.uk
www.wtp101.co
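The doubled "http://<host>http://<host>/..." string Charlie sees in http.request.full_uri but not in http.request.uri is consistent with how a "full URI" is assembled from a request: scheme, then the Host header, then the request target, concatenated verbatim. If a client sends an absolute-form request line (GET http://host/path HTTP/1.1, the form a browser uses towards an explicit proxy), that concatenation yields exactly the observed pattern while the bare request URI field stays as sent. The following is an added example, not code from the thread or from Snort/Wireshark, and whether this is the cause in Charlie's capture is an assumption; the two sample requests are constructed from the first URI he posted.

```python
import re
from typing import Dict, Tuple

# Added example (not part of the mailing-list thread). Reproduces the
# scheme + Host + request-target concatenation used to build a "full URI"
# and shows how an absolute-form request line produces a doubled prefix.
# Sample requests below are constructed, not taken from any pcap.


def parse_request_head(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP/1.x request head into (method, request_target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def full_uri(raw: bytes, scheme: str = "http") -> str:
    """scheme + Host header + request target, concatenated verbatim (no normalisation)."""
    _, target, headers = parse_request_head(raw)
    return f"{scheme}://{headers.get('host', '')}{target}"


def is_absolute_form(raw: bytes) -> bool:
    """True when the request line carries an absolute URI instead of a path."""
    _, target, _ = parse_request_head(raw)
    return target.lower().startswith(("http://", "https://"))


def has_doubled_prefix(uri: str) -> bool:
    """True when the URI starts with the same 'scheme://host' twice in a row."""
    m = re.match(r"^(https?://[^/]+)(https?://[^/]+)", uri)
    return bool(m) and m.group(1) == m.group(2)


def triage(raw: bytes) -> Dict[str, object]:
    """Summarise one request the way an analyst would when checking this alert."""
    uri = full_uri(raw)
    return {
        "full_uri": uri,
        "absolute_form": is_absolute_form(raw),
        "doubled_prefix": has_doubled_prefix(uri),
    }


# Constructed samples: the same resource requested in origin-form and in
# absolute-form (proxy style). Path taken from the first URI in the thread.
PATH = "/dir/1k/505/58618708/505_BAI170129_IMG_06_0000_max_656x437.JPG"
ORIGIN_FORM = (
    f"GET {PATH} HTTP/1.1\r\n"
    "Host: media.rightmove.co.uk\r\n\r\n"
).encode()
ABSOLUTE_FORM = (
    f"GET http://media.rightmove.co.uk{PATH} HTTP/1.1\r\n"
    "Host: media.rightmove.co.uk\r\n\r\n"
).encode()

if __name__ == "__main__":
    for label, req in (("origin-form", ORIGIN_FORM), ("absolute-form", ABSOLUTE_FORM)):
        print(label, triage(req))
```

Run against a real capture, the same distinction can be pulled straight out of the pcap before submitting it: `tshark -r capture.pcap -Y 'http.request' -T fields -e http.request.uri -e http.request.full_uri` lists both fields side by side, and a filter such as `http.request.uri matches "^https?://"` isolates any requests whose request line is absolute-form. If those are the only ones that fire, the alert is about the request form (an explicit proxy in the path, for example) rather than the destination hosts, which is the detail worth including with the false-positive report.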

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch
the most emerging threats: https://snort.org/downloads/#rule-downloads