Snort mailing list archives
(no subject)
From: "Bachelor, Stephen A CTR USSOCOM HQ" <Stephen.Bachelor.ctr () socom mil>
Date: Wed, 9 Jul 2008 10:35:33 -0400
FWIW: The malformed excel rule checks the flowbit xls.download, which is set by sid:7023, which checks for |D0 CF 11 E0 A1 B1 1A E1|, which is down in Gary Kessler's magic number list* as a generic Microsoft Office document. "Generic Microsoft Office document" is congruent with what I've seen. Kessler's list says Excel documents have |09 08 10 00 00 06 05 00| at a 512 byte offset, and hex editor reviews of Office XP-generated documents seem consistent with that. * http://www.garykessler.net/library/file_sigs.html -----Original Message----- From: snort-users-bounces () lists sourceforge net [mailto:snort-users-bounces () lists sourceforge net] On Behalf Of Joel Esler Sent: Wednesday, July 09, 2008 10:15 AM To: Jesper Skou Jensen Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] WEB-CLIENT Excel malformed FBI record - False positive? Well, that's a separate issue. If you suspect a false positive, please get a full pcap of the transfer of the traffic, and file it via the false positive report format you can find on the snort.org website. J On Jul 9, 2008, at 5:52 AM, Jesper Skou Jensen wrote:
Jack Pepper wrote:Check the config file for accuracy, or check that the snort service is using the same config file that you think it's using.Joel Esler wrote:Do you have two HOME_NET lines in your snort.conf file? I'm not saying anything bad or anything, but it looks like to me that you have two HOME_NET definitions.D'oh... You guys were spot on. It turns out that Debian is just a bit too smart at times... They have their own config file with a few entries (inluding home_net) that it uses, instead of those in the snort.conf file. Thank you guys for spotting this. It's a bit weird though, that the rule fires at all, because from what I can gather from the server-logs, there are no Excel files on it, only Word Documents, and the Word Docuemnt that was downloaded when this alert fired, is not malicious according to www.virustotal.com so I doubt there is anything fishy in it. -- Jesper S. Jensen Basisnet og Sikkerhed Uni-C - Århus, Danmark +45 8937-6666 ---------------------------------------------------------------------- --- Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW! Studies have shown that voting for your favorite open source project, along with a healthy diet, reduces your potential for chronic lameness and boredom. Vote Now at http://www.sourceforge.net/community/cca08 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Joel Esler http://blog.joelesler.net http://www.dearcupertino.com [m] ------------------------------------------------------------------------- Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW! Studies have shown that voting for your favorite open source project, along with a healthy diet, reduces your potential for chronic lameness and boredom. Vote Now at http://www.sourceforge.net/community/cca08 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------------------------- Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW! Studies have shown that voting for your favorite open source project, along with a healthy diet, reduces your potential for chronic lameness and boredom. Vote Now at http://www.sourceforge.net/community/cca08 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- (no subject) Bachelor, Stephen A CTR USSOCOM HQ (Jul 09)