Snort mailing list archives

(no subject)


From: "Bachelor, Stephen A CTR USSOCOM HQ" <Stephen.Bachelor.ctr () socom mil>
Date: Wed, 9 Jul 2008 10:35:33 -0400

FWIW: The malformed excel rule checks the flowbit xls.download, which is set by sid:7023, which checks for |D0 CF 11 E0 
A1 B1 1A E1|, which is down in Gary Kessler's magic number list* as a generic Microsoft Office document.  "Generic 
Microsoft Office document" is congruent with what I've seen.  

Kessler's list says Excel documents have |09 08 10 00 00 06 05 00| at a 512 byte offset, and hex editor reviews of 
Office XP-generated documents seem consistent with that.

* http://www.garykessler.net/library/file_sigs.html
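The two-stage check described above, written out as an added example (this is my code, not the poster's and not from the Snort ruleset). It assumes only the byte values and the 512-byte offset quoted from Kessler's list; the sample inputs are constructed byte strings, not real files. Two things are my additions beyond the thread: decoding the eight Excel bytes as BIFF8 BOF record fields, and using Word's 0xA5EC FIB identifier as the non-Excel OLE sample. One caveat for anyone building a real detector on this: the offset-512 test only matches when the Workbook stream occupies the first sector of the compound file, which is the common layout but is not guaranteed by the OLE format.

```python
import struct

# Signatures quoted in the message above (Gary Kessler's file_sigs list).
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")      # generic OLE2 compound document
XLS_BOF_BYTES = bytes.fromhex("0908100000060500")  # Excel: BIFF8 BOF record
XLS_BOF_OFFSET = 512                                # where Kessler's list expects it
SECTOR = 512                                        # OLE header size / default sector size


def sid7023_flowbit(data: bytes) -> bool:
    """Approximation of what sid:7023 keys on: the generic OLE header only.
    This is why the xls.download flowbit is set for Word documents too."""
    return data.startswith(OLE_MAGIC)


def is_excel_by_bof(data: bytes) -> bool:
    """Kessler's Excel-specific check: BIFF BOF bytes at the 512-byte offset."""
    return data[XLS_BOF_OFFSET:XLS_BOF_OFFSET + len(XLS_BOF_BYTES)] == XLS_BOF_BYTES


def decode_bof(data: bytes) -> dict:
    """Decode the 8 bytes at offset 512 as a BIFF record header plus the first
    two BOF fields, all little-endian. Assumption (mine, not from the thread):
    record type 0x0809, record length, BIFF version, substream type."""
    rec_type, rec_len, version, doc_type = struct.unpack_from(
        "<HHHH", data, XLS_BOF_OFFSET
    )
    return {"record": rec_type, "length": rec_len,
            "version": version, "type": doc_type}


def classify(data: bytes) -> str:
    """'not-ole', 'ole-other' (e.g. Word) or 'ole-excel'."""
    if not sid7023_flowbit(data):
        return "not-ole"
    if len(data) >= XLS_BOF_OFFSET + len(XLS_BOF_BYTES) and is_excel_by_bof(data):
        return "ole-excel"
    return "ole-other"


def make_sample(first_sector: bytes) -> bytes:
    """Constructed test input: an OLE-looking header padded to one sector,
    followed by caller-supplied bytes as sector 0. Not a valid OLE file."""
    header = OLE_MAGIC + b"\x00" * (SECTOR - len(OLE_MAGIC))
    return header + first_sector.ljust(SECTOR, b"\x00")


# Constructed samples (not real documents).
FAKE_XLS = make_sample(XLS_BOF_BYTES + b"\x00" * 8)
# Assumption: a Word binary's WordDocument stream starts with wIdent 0xA5EC (LE).
FAKE_DOC = make_sample(b"\xec\xa5\xc1\x00")
FAKE_PDF = b"%PDF-1.4\n%constructed, not OLE\n"


def report(samples: dict) -> dict:
    """For each sample: would sid:7023 set the flowbit, and what is it really?"""
    return {name: (sid7023_flowbit(d), classify(d)) for name, d in samples.items()}


if __name__ == "__main__":
    for name, (flowbit, kind) in report(
        {"xls": FAKE_XLS, "doc": FAKE_DOC, "pdf": FAKE_PDF}
    ).items():
        print(f"{name}: xls.download flowbit={flowbit} classified={kind}")
    print("BOF fields:", decode_bof(FAKE_XLS))
```

Running it shows the point of the message: the flowbit fires on both the constructed Word and Excel samples, while the offset-512 check separates them.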
-----Original Message-----
From: snort-users-bounces () lists sourceforge net [mailto:snort-users-bounces () lists sourceforge net] On Behalf Of 
Joel Esler
Sent: Wednesday, July 09, 2008 10:15 AM
To: Jesper Skou Jensen
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] WEB-CLIENT Excel malformed FBI record - False positive?

Well, that's a separate issue.  If you suspect a false positive, please get a full pcap of the transfer of the traffic, 
and file it via the false positive report format you can find on the snort.org website.

J

On Jul 9, 2008, at 5:52 AM, Jesper Skou Jensen wrote:

Jack Pepper wrote:
Check the config file for accuracy, or check that the snort service 
is using the same config file that you think it's using.

Joel Esler wrote:
Do you have two HOME_NET lines in your snort.conf file?  I'm not 
saying anything bad or anything, but it looks like to me that you 
have two HOME_NET definitions.


D'oh... You guys were spot on.

It turns out that Debian is just a bit too smart at times... They have 
their own config file with a few entries (including home_net) that it 
uses, instead of those in the snort.conf file.

Thank you guys for spotting this.


It's a bit weird though, that the rule fires at all, because from what 
I can gather from the server-logs, there are no Excel files on it, 
only Word Documents, and the Word Document that was downloaded when 
this alert fired, is not malicious according to www.virustotal.com so 
I doubt there is anything fishy in it.


--

  Jesper S. Jensen
Basisnet og Sikkerhed
Uni-C - Århus, Danmark
   +45 8937-6666

----------------------------------------------------------------------
--- Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project, 
along with a healthy diet, reduces your potential for chronic lameness 
and boredom. Vote Now at http://www.sourceforge.net/community/cca08
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
Joel Esler
  http://blog.joelesler.net
  http://www.dearcupertino.com



