Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Netflix

From: Paul Cable <pcable () ebmky com>
Date: Tue, 21 Aug 2012 19:31:42 +0000
Here is a pcap. About 100 of these were produced when starting the player.

Let me know if you have a different preference for file hosting, or need more information. I'm still pretty new to this.

http://www.filedropper.com/packetebc511e18e5100016c91b7aee05d4696


Thanks,
PC




From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Tuesday, August 21, 2012 2:28 PM
To: Paul Cable
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Netflix


On Aug 21, 2012, at 10:49 AM, Paul Cable <pcable () ebmky com<mailto:pcable () ebmky com>> wrote:


I am running Snort through the Alienvault Community edition.

We have a guy that likes to watch Netflix and use his Slingbox here. I'm not a big fan, but it hasn't affected our 
internet connection speeds so I can't really complain if it doesn't hurt his production.

The problem is Netflix produces a lot of:

snort: "WEB-CLIENT Mozilla multiple content-type headers malicious redirect attempt"

First comes one:

snort: "ET POLICY Netflix Streaming Player Access"

Followed by a very large amount of the malicious redirect attempt messages. I started up a video and let it play for 
about 3 minutes and it generated 50-100 of these events. IE and Firefox.

I can suppress them on my end, but it would be nice to have them as part of the definitions say they are Netflix 
related, since I don't think they should be considered malicious.

Then when I do get a malicious redirect attempt I won't think it's just Netflix.

I can provide more information or a pcap file if anyone needs more info.


We'd be glad to accept a pcap so we can try and take a look at this and see if it's a false positive, or we can tune 
the rule somehow.

Thanks.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: