Snort mailing list archives
Re: Netflix
From: Paul Cable <pcable () ebmky com>
Date: Tue, 21 Aug 2012 19:31:42 +0000
Here is a pcap. About 100 of these were produced when starting the player. Let me know if you have a different preference for file hosting, or need more information. I'm still pretty new to this. http://www.filedropper.com/packetebc511e18e5100016c91b7aee05d4696 Thanks, PC From: Joel Esler [mailto:jesler () sourcefire com] Sent: Tuesday, August 21, 2012 2:28 PM To: Paul Cable Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] Netflix On Aug 21, 2012, at 10:49 AM, Paul Cable <pcable () ebmky com<mailto:pcable () ebmky com>> wrote: I am running Snort through the Alienvault Community edition. We have a guy that likes to watch Netflix and use his Slingbox here. I'm not a big fan, but it hasn't affected our internet connection speeds so I can't really complain if it doesn't hurt his production. The problem is Netflix produces a lot of: snort: "WEB-CLIENT Mozilla multiple content-type headers malicious redirect attempt" First comes one: snort: "ET POLICY Netflix Streaming Player Access" Followed by a very large amount of the malicious redirect attempt messages. I started up a video and let it play for about 3 minutes and it generated 50-100 of these events. IE and Firefox. I can suppress them on my end, but it would be nice to have them as part of the definitions say they are Netflix related, since I don't think they should be considered malicious. Then when I do get a malicious redirect attempt I won't think it's just Netflix. I can provide more information or a pcap file if anyone needs more info. We'd be glad to accept a pcap so we can try and take a look at this and see if it's a false positive, or we can tune the rule somehow. Thanks. -- Joel Esler Senior Research Engineer, VRT OpenSource Community Manager Sourcefire
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Netflix Paul Cable (Aug 21)
- Re: Netflix Joel Esler (Aug 21)
- Re: Netflix Paul Cable (Aug 21)
- Re: Netflix Joel Esler (Aug 21)
- Re: Netflix Paul Cable (Aug 21)
- Re: Netflix Joel Esler (Aug 21)