Snort mailing list archives
Re: FP 13628
From: Nigel Houghton <nhoughton () sourcefire com>
Date: Tue, 9 Nov 2010 10:47:38 -0500
FYI, you can also submit false positive reports here: https://www.snort.org/uploads Note, you need to log in to snort.org to use it. You can also keep sending to the list as well of course, this is just a pointer to the form that was added to snort.org last week.

On Tue, 12 Oct 2010 07:57:14 -0700, Lay, James wrote:
Rule: web-client.rules:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft Access file download request"; flow:to_server,established; content:"GET"; nocase; content:".mdb"; nocase; http_uri; metadata:service http; reference:url,support.microsoft.com/kb/925330; classtype:misc-activity; sid:13628; rev:3;)

Hit:
10/12-08:48:12.137728 [**] [1:13628:3] WEB-CLIENT Microsoft Access file download request [**] [Classification: Misc activity] [Priority: 3] {TCP} external_ip:35650 -> 74.203.241.33:80

Partial packet dump
08:48:12.137728 IP 66.193.105.132.35650 > 74.203.241.33.80: Flags [.], ack 2324326637, win 65535, length 536
0x0000: 4500 0240 7b1a 0000 7e06 d76b 42c1 6984 E..@{...~..kB.i.
0x0010: 4acb f121 8b42 0050 e92c d348 8a8a 68ed J..!.B.P.,.H..h.
0x0020: 5010 ffff 02d1 0000 4745 5420 2f75 732f P.......GET./us/
0x0030: 7231 3030 302f 3034 322f 4665 6174 7572 r1000/042/Featur
0x0040: 6573 2f63 342f 3064 2f33 662f 646a 2e6d es/c4/0d/3f/dj.m
0x0050: 6462 6d74 746b 742e 3735 7837 352d 3635 dbmttkt.75x75-65
0x0060: 2e6a 7067 2048 5454 502f 312e 310d 0a56 .jpg.HTTP/1.1..V
0x0110: 4230 355b 4345 5d0d 0a55 7365 722d 4167 B05[CE]..User-Ag
0x0120: 656e 743a 2069 5475 6e65 732f 3130 2e30 ent:.iTunes/10.0
0x0130: 2e31 2028 5769 6e64 6f77 733b 204d 6963 .1.(Windows;.Mic
0x0140: 726f 736f 6674 2057 696e 646f 7773 2058 rosoft.Windows.X
0x0150: 5020 5072 6f66 6573 7369 6f6e 616c 2053 P.Professional.S
0x0160: 6572 7669 6365 2050 6163 6b20 3320 2842 ervice.Pack.3.(B
0x0170: 7569 6c64 2032 3630 3029 2920 4170 706c uild.2600)).Appl
0x0180: 6557 6562 4b69 742f 3533 332e 3138 2e31 eWebKit/533.18.1
0x0190: 0d0a 486f 7374 3a20 6131 2e70 686f 626f ..Host:.a1.phobo
0x01a0: 732e 6170 706c 652e 636f 6d0d 0a52 6566 s.apple.com..Ref
0x01b0: 6572 6572 3a20 6874 7470 3a2f 2f61 782e erer:.http://ax.
0x01c0: 6974 756e 6573 2e61 7070 6c65 2e63 6f6d itunes.apple.com
0x01d0: 2f57 6562 4f62 6a65 6374 732f 4d5a 5374 /WebObjects/MZSt
0x01e0: 6f72 652e 776f 612f 7761 2f76 6965 7747 ore.woa/wa/viewG
0x01f0: 726f 7570 696e 673f 6964 3d33 370d 0a41 rouping?id=37..A
0x0200: 6363 6570 743a 202a 2f2a 0d0a 4163 6365 ccept:.*/*..Acce
0x0210: 7074 2d4c 616e 6775 6167 653a 2065 6e2d pt-Language:.en-
0x0220: 7573 2c20 656e 3b71 3d30 2e35 300d 0a58 us,.en;q=0.50..X
0x0230: 2d41 7070 6c65 2d43 7569 643a 2066 3335 -Apple-Cuid:.f35
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
--
Nigel Houghton
Head Mentalist SF VRT Department of Intelligence Excellence
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
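As an added example (not from the thread, and not VRT code), the first seven lines of the quoted dump are decoded back into the request, the two content checks of sid 13628 are replayed against it to show why the iTunes artwork URL fires, and an assumed stricter check that requires the URI path itself to end in .mdb is run beside it; the function names are my own.

```python
import re
from urllib.parse import urlsplit

# First seven lines of the tcpdump -X output quoted in the report; they hold the
# IPv4/TCP headers and the complete HTTP request line.
DUMP = """\
0x0000: 4500 0240 7b1a 0000 7e06 d76b 42c1 6984
0x0010: 4acb f121 8b42 0050 e92c d348 8a8a 68ed
0x0020: 5010 ffff 02d1 0000 4745 5420 2f75 732f
0x0030: 7231 3030 302f 3034 322f 4665 6174 7572
0x0040: 6573 2f63 342f 3064 2f33 662f 646a 2e6d
0x0050: 6462 6d74 746b 742e 3735 7837 352d 3635
0x0060: 2e6a 7067 2048 5454 502f 312e 310d 0a56
"""

def dump_to_bytes(dump: str) -> bytes:
    """Decode the hex column of tcpdump -X lines: offset, then up to eight
    4-hex-digit groups (the trailing ASCII column, if present, is ignored)."""
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if fields and re.fullmatch(r"0x[0-9a-f]+:", fields[0]):
            for group in fields[1:9]:
                out += bytes.fromhex(group)
    return bytes(out)

def tcp_payload(packet: bytes) -> bytes:
    """Skip the IPv4 header (IHL) and TCP header (data offset) to the payload."""
    ihl = (packet[0] & 0x0F) * 4
    data_off = (packet[ihl + 12] >> 4) * 4
    return packet[ihl + data_off:]

def request_uri(payload: bytes) -> str:
    """Return the request-URI from the first line of an HTTP request."""
    request_line = payload.split(b"\r\n", 1)[0].decode("ascii")
    _method, uri, _version = request_line.split(" ", 2)
    return uri

def sid13628_hits(payload: bytes) -> bool:
    """Replay the rule's two content matches: 'GET' (nocase) anywhere in the
    payload and '.mdb' (nocase) anywhere in the URI buffer. Both are plain
    substring tests, so 'dj.mdbmttkt.75x75-65.jpg' satisfies the second."""
    return b"get" in payload.lower() and ".mdb" in request_uri(payload).lower()

def mdb_download_strict(payload: bytes) -> bool:
    """Assumed tightening (mine, not a shipped rule): only count a hit when the
    URI path, with any query string stripped, ends in '.mdb'."""
    return urlsplit(request_uri(payload)).path.lower().endswith(".mdb")
```

In rule terms the same tightening would anchor the match to the end of the URI path instead of relying on a bare substring.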
Current thread:
- FP 13628 Lay, James (Nov 08)
- Re: FP 13628 rmkml (Nov 08)
- Re: FP 13628 Nigel Houghton (Nov 09)