Snort mailing list archives
Re: WEB-CLIENT Excel malformed FBI record - False positive?
From: Joel Esler <joel.esler () mac com>
Date: Wed, 09 Jul 2008 10:14:58 -0400
Well, that's a separate issue. If you suspect a false positive, please get a full pcap of the transfer of the traffic, and file it via the false positive report format you can find on the snort.org website.

J

On Jul 9, 2008, at 5:52 AM, Jesper Skou Jensen wrote:
> Jack Pepper wrote:
>> Check the config file for accuracy, or check that the snort service is using the same config file that you think it's using.
>
> Joel Esler wrote:
>> Do you have two HOME_NET lines in your snort.conf file? I'm not saying anything bad or anything, but it looks like to me that you have two HOME_NET definitions.
>
> D'oh... You guys were spot on. It turns out that Debian is just a bit too smart at times... They have their own config file with a few entries (including home_net) that it uses, instead of those in the snort.conf file. Thank you guys for spotting this.
>
> It's a bit weird though, that the rule fires at all, because from what I can gather from the server logs, there are no Excel files on it, only Word documents, and the Word document that was downloaded when this alert fired is not malicious according to www.virustotal.com, so I doubt there is anything fishy in it.
>
> --
> Jesper S. Jensen
> Basisnet og Sikkerhed
> Uni-C - Århus, Danmark
> +45 8937-6666

-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW! Studies have shown that voting for your favorite open source project, along with a healthy diet, reduces your potential for chronic lameness and boredom. Vote Now at http://www.sourceforge.net/community/cca08
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Joel Esler
http://blog.joelesler.net
http://www.dearcupertino.com
[m]
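The two checks the thread converges on (is HOME_NET defined twice, and is the value Snort actually runs with the one in the snort.conf you are reading) can be scripted. The following is an added example written for this page, not code from the thread, from Debian's packaging or from the Snort project. It assumes Snort 2.x variable syntax (`var`, `ipvar`, `portvar NAME VALUE` and `include PATH`), that a later definition of the same name overrides an earlier one, and that a distribution init script may pass `-S NAME=VALUE` overrides on the command line (Snort's documented `-S` option); verify both override rules against your own Snort build. The config files are constructed samples passed in as a dict so the script runs offline; the duplicated HOME_NET line reproduces the situation discussed in the thread.

```python
"""Duplicate-variable check for a Snort 2.x configuration.

Added example for this page (not code from the thread or from the Snort
project). Assumptions: Snort 2.x syntax `var|ipvar|portvar NAME VALUE` and
`include PATH`; a later definition of the same name overrides an earlier one;
the init script may add `-S NAME=VALUE` overrides on the command line.
"""
import re
from typing import Dict, List, Optional, Tuple

Definition = Tuple[str, int, str]          # (file, line number, value)

VAR_RE = re.compile(r'^\s*(?:var|ipvar|portvar)\s+(\S+)\s+(.*?)\s*$')
INCLUDE_RE = re.compile(r'^\s*include\s+(\S+)')

# Constructed sample files (path -> contents) so the example runs offline.
# The second HOME_NET line reproduces the duplicate definition from the thread.
SAMPLE_FILES: Dict[str, str] = {
    "/etc/snort/snort.conf": (
        "# constructed sample snort.conf\n"
        "var HOME_NET 10.0.0.0/8\n"
        "var EXTERNAL_NET !$HOME_NET\n"
        "include /etc/snort/local.conf\n"
        "var HOME_NET any\n"
        "portvar HTTP_PORTS 80\n"
    ),
    "/etc/snort/local.conf": (
        "var RULE_PATH /etc/snort/rules\n"
        "var HTTP_SERVERS $HOME_NET\n"
    ),
}


def parse_snort_vars(files: Dict[str, str], entry: str) -> Dict[str, List[Definition]]:
    """Walk `entry` and every file it includes (recursively), collecting each
    variable definition in the order Snort would read it."""
    defs: Dict[str, List[Definition]] = {}
    visited = set()

    def walk(path: str) -> None:
        if path in visited:          # guard against include loops
            return
        visited.add(path)
        text = files.get(path)
        if text is None:             # missing include: Snort itself would refuse to start
            return
        for lineno, line in enumerate(text.splitlines(), 1):
            m = VAR_RE.match(line)
            if m:
                defs.setdefault(m.group(1), []).append((path, lineno, m.group(2)))
                continue
            m = INCLUDE_RE.match(line)
            if m:
                walk(m.group(1))

    walk(entry)
    return defs


def duplicate_vars(defs: Dict[str, List[Definition]]) -> Dict[str, List[Definition]]:
    """Variables defined more than once across the config and its includes."""
    return {name: where for name, where in defs.items() if len(where) > 1}


def effective_value(defs: Dict[str, List[Definition]], name: str,
                    overrides: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Value Snort ends up with: a `-S NAME=VALUE` command-line override wins
    (assumption), otherwise the last definition read (assumption)."""
    if overrides and name in overrides:
        return overrides[name]
    if name in defs:
        return defs[name][-1][2]
    return None


def parse_s_overrides(argv: List[str]) -> Dict[str, str]:
    """Extract `-S NAME=VALUE` pairs (either `-S N=V` or `-SN=V`) from a Snort command line."""
    out: Dict[str, str] = {}
    for i, arg in enumerate(argv):
        if arg == "-S" and i + 1 < len(argv) and "=" in argv[i + 1]:
            k, v = argv[i + 1].split("=", 1)
            out[k] = v
        elif arg.startswith("-S") and "=" in arg[2:]:
            k, v = arg[2:].split("=", 1)
            out[k] = v
    return out


def report(files: Dict[str, str], entry: str, argv: List[str]) -> List[str]:
    """One line per duplicate definition, plus the value that is actually in effect."""
    defs = parse_snort_vars(files, entry)
    overrides = parse_s_overrides(argv)
    lines: List[str] = []
    for name, where in duplicate_vars(defs).items():
        for path, lineno, value in where:
            lines.append(f"{name} defined at {path}:{lineno} = {value}")
        lines.append(f"{name} in effect = {effective_value(defs, name, overrides)}")
    return lines


if __name__ == "__main__":
    # Constructed command line mimicking an init script that passes a -S override.
    for line in report(SAMPLE_FILES, "/etc/snort/snort.conf",
                       ["snort", "-c", "/etc/snort/snort.conf", "-S", "HOME_NET=192.168.1.0/24"]):
        print(line)
```

To run it against a real host, replace `SAMPLE_FILES` with a dict built from the files on disk and pass the argument vector of the running snort process (from `ps` or the init script), so that the "in effect" line reflects what the daemon was actually started with rather than what the config you opened says.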
Current thread:
- Re: WEB-CLIENT Excel malformed FBI record - False positive?, (continued)
- Re: WEB-CLIENT Excel malformed FBI record - False positive? List Subscriptions (Jul 07)
- Re: WEB-CLIENT Excel malformed FBI record - False positive? Jesper Skou Jensen (Jul 08)
- Re: WEB-CLIENT Excel malformed FBI record - False positive? Jack Pepper (Jul 08)
- Re: WEB-CLIENT Excel malformed FBI record - False positive? Jesper Skou Jensen (Jul 08)
- Re: WEB-CLIENT Excel malformed FBI record - False positive? Jesper Skou Jensen (Jul 08)
- Re: WEB-CLIENT Excel malformed FBI record - False positive? Jack Pepper (Jul 08)
- Re: WEB-CLIENT Excel malformed FBI record - False positive? Jesper Skou Jensen (Jul 08)
- Re: WEB-CLIENT Excel malformed FBI record - False positive? Joel Esler (Jul 08)
- Re: WEB-CLIENT Excel malformed FBI record - False positive? Jack Pepper (Jul 08)
- Re: WEB-CLIENT Excel malformed FBI record - False positive? Jesper Skou Jensen (Jul 09)
- Re: WEB-CLIENT Excel malformed FBI record - False positive? Joel Esler (Jul 09)
- Re: WEB-CLIENT Excel malformed FBI record - False positive? Jack Pepper (Jul 08)