Snort mailing list archives

FP 13628


From: "Lay, James" <james.lay () wincofoods com>
Date: Tue, 12 Oct 2010 07:57:14 -0700

Rule:

web-client.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"WEB-CLIENT Microsoft Access file download request";
flow:to_server,established; content:"GET"; nocase; content:".mdb";
nocase; http_uri; metadata:service http;
reference:url,support.microsoft.com/kb/925330; classtype:misc-activity;
sid:13628; rev:3;)


Hit:


10/12-08:48:12.137728  [**] [1:13628:3] WEB-CLIENT Microsoft Access file
download request [**] [Classification: Misc activity] [Priority: 3]
{TCP} external_ip:35650 -> 74.203.241.33:80


Partial packet dump

08:48:12.137728 IP 66.193.105.132.35650 > 74.203.241.33.80: Flags [.],
ack 2324326637, win 65535, length 536

        0x0000:  4500 0240 7b1a 0000 7e06 d76b 42c1 6984  E..@{...~..kB.i.
        0x0010:  4acb f121 8b42 0050 e92c d348 8a8a 68ed  J..!.B.P.,.H..h.
        0x0020:  5010 ffff 02d1 0000 4745 5420 2f75 732f  P.......GET./us/
        0x0030:  7231 3030 302f 3034 322f 4665 6174 7572  r1000/042/Featur
        0x0040:  6573 2f63 342f 3064 2f33 662f 646a 2e6d  es/c4/0d/3f/dj.m
        0x0050:  6462 6d74 746b 742e 3735 7837 352d 3635  dbmttkt.75x75-65
        0x0060:  2e6a 7067 2048 5454 502f 312e 310d 0a56  .jpg.HTTP/1.1..V
        0x0110:  4230 355b 4345 5d0d 0a55 7365 722d 4167  B05[CE]..User-Ag
        0x0120:  656e 743a 2069 5475 6e65 732f 3130 2e30  ent:.iTunes/10.0
        0x0130:  2e31 2028 5769 6e64 6f77 733b 204d 6963  .1.(Windows;.Mic
        0x0140:  726f 736f 6674 2057 696e 646f 7773 2058  rosoft.Windows.X
        0x0150:  5020 5072 6f66 6573 7369 6f6e 616c 2053  P.Professional.S
        0x0160:  6572 7669 6365 2050 6163 6b20 3320 2842  ervice.Pack.3.(B
        0x0170:  7569 6c64 2032 3630 3029 2920 4170 706c  uild.2600)).Appl
        0x0180:  6557 6562 4b69 742f 3533 332e 3138 2e31  eWebKit/533.18.1
        0x0190:  0d0a 486f 7374 3a20 6131 2e70 686f 626f  ..Host:.a1.phobo
        0x01a0:  732e 6170 706c 652e 636f 6d0d 0a52 6566  s.apple.com..Ref
        0x01b0:  6572 6572 3a20 6874 7470 3a2f 2f61 782e  erer:.http://ax.
        0x01c0:  6974 756e 6573 2e61 7070 6c65 2e63 6f6d  itunes.apple.com
        0x01d0:  2f57 6562 4f62 6a65 6374 732f 4d5a 5374  /WebObjects/MZSt
        0x01e0:  6f72 652e 776f 612f 7761 2f76 6965 7747  ore.woa/wa/viewG
        0x01f0:  726f 7570 696e 673f 6964 3d33 370d 0a41  rouping?id=37..A
        0x0200:  6363 6570 743a 202a 2f2a 0d0a 4163 6365  ccept:.*/*..Acce
        0x0210:  7074 2d4c 616e 6775 6167 653a 2065 6e2d  pt-Language:.en-
        0x0220:  7573 2c20 656e 3b71 3d30 2e35 300d 0a58  us,.en;q=0.50..X
        0x0230:  2d41 7070 6c65 2d43 7569 643a 2066 3335  -Apple-Cuid:.f35

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
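Why the rule fires on this packet, reproduced as an added example (not code from the post or from the Snort rule set): the dump's request line is decoded, the rule's substring check on the URI is replayed, and a tighter extension-at-end-of-path check (my assumption, not the rule's official fix) is shown beside it.

```python
import re
from typing import Optional

# Constructed from the partial packet dump in the report above, rejoined into
# the usual tcpdump -X layout; only the lines covering the request line are kept.
HEXDUMP = """\
        0x0020:  5010 ffff 02d1 0000 4745 5420 2f75 732f  P.......GET./us/
        0x0030:  7231 3030 302f 3034 322f 4665 6174 7572  r1000/042/Featur
        0x0040:  6573 2f63 342f 3064 2f33 662f 646a 2e6d  es/c4/0d/3f/dj.m
        0x0050:  6462 6d74 746b 742e 3735 7837 352d 3635  dbmttkt.75x75-65
        0x0060:  2e6a 7067 2048 5454 502f 312e 310d 0a56  .jpg.HTTP/1.1..V
"""

# Offset, then up to eight 2-byte hex groups; the ASCII column is ignored.
HEX_LINE = re.compile(r"\s*0x[0-9a-f]+:\s+((?:[0-9a-f]{4} ){0,7}[0-9a-f]{2,4})")


def hexdump_to_bytes(dump: str) -> bytes:
    """Recover raw packet bytes from tcpdump -X style output."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def request_uri(payload: bytes) -> Optional[str]:
    """Return the URI from the HTTP request line, or None if none is present."""
    m = re.search(rb"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/1\.[01]", payload)
    return m.group(1).decode("ascii") if m else None


def substring_match(uri: str) -> bool:
    """What content:".mdb"; nocase; http_uri; tests: any occurrence in the URI."""
    return ".mdb" in uri.lower()


def extension_match(uri: str) -> bool:
    """Tighter check (my assumption, not the rule's official fix): .mdb must end
    the path, before any query string, so 'dj.mdbmttkt.75x75-65.jpg' no longer
    qualifies. In Snort terms this is roughly pcre:"/\\.mdb(\\?|$)/Ui"."""
    path = uri.split("?", 1)[0]
    return re.search(r"\.mdb$", path, re.IGNORECASE) is not None


if __name__ == "__main__":
    uri = request_uri(hexdump_to_bytes(HEXDUMP))
    print(uri)                                          # .../dj.mdbmttkt.75x75-65.jpg
    print("substring match:", substring_match(uri))     # True: the false positive
    print("extension match:", extension_match(uri))     # False
```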
