Snort mailing list archives

Re: FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get

From: Matt Olney <molney () sourcefire com>
Date: Sun, 13 Mar 2011 18:18:52 -0400

Toss a pcap to research () sourcefire com and we'll look at it.

Matt

On Sun, Mar 13, 2011 at 5:19 PM, Jason Haar <Jason.Haar () trimble co nz> wrote:

We just had this trigger when a user downloaded an update from Baidu.com

The URLs were

GET http://dzl.baidu.com/update/cab/realname.dat
GET http://dzl.baidu.com/iexp/config/control.ini

The rule is a combination of a User-Agent match and a
"metadata:impact_flag" (does the latter mean there's some extra checks
going on or is that simply a classification tag?)

I found a hit from Emerging-sigs from last year about it as a FP too - I
guess Sourceforge is a bit behind on this one? ;-)

http://answerpot.com/showthread.php?1019370-need+info+for+Baidu+2003608

I can ship the PCAP if you want it (it's got the user's cookies - so I
won't publish here)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


------------------------------------------------------------------------------
Colocation vs. Managed Hosting
A question and answer guide to determining the best fit
for your organization - today and in the future.
http://p.sf.net/sfu/internap-sfd2d
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


------------------------------------------------------------------------------
Colocation vs. Managed Hosting
A question and answer guide to determining the best fit
for your organization - today and in the future.
http://p.sf.net/sfu/internap-sfd2d
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Current thread:

FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get Jason Haar (Mar 13)
- Re: FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get Matt Olney (Mar 13)
- Re: FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get evilghost () packetmail net (Mar 13)
- Re: FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get Matt Olney (Mar 13)
  - Re: FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get Jason Haar (Mar 13)
  - Re: FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get evilghost () packetmail net (Mar 13)