Re: False Positives, not that big of a deal, itsoknoproblembro

[Joel Esler <jesler () sourcefire com>]

We've committed a fix for this recently, and it should be out in the next rule pack.


On Dec 7, 2012, at 2:44 PM, Community Proposed <lists () packetmail net> wrote:

> FYI -- Check the HTTP URI match on sid:24389; rev:2; got some false positives.
>
> 00 26 b9 34 3b 01 00 11 bc 53 18 00 81 00 00 65
> 08 00 45 00 01 f5 ea d4 40 00 79 06 07 c1 0a 30
> d7 8d ac 18 7f 97 08 74 1f 90 d1 33 fd e4 90 ab
> 1d c0 50 18 fc 00 ff d8 00 00 47 45 54 20 68 74
> 74 70 3a 2f 2f 76 6f 74 65 2e 74 75 62 65 73 6e
> 61 63 6b 2e 63 6f 6d 2f 69 6e 64 65 78 2e 70 68
> 70 3f 61 63 74 69 6f 6e 3d 73 74 61 74 75 73 26
> 63 6f 6c 6c 65 63 74 69 6f 6e 3d 74 7a 75 69 65
> 70 68 76 26 73 69 67 6e 61 74 75 72 65 3d 32 39
> 39 63 62 38 34 63 65 37 63 39 33 35 66 66 33 34
> 36 38 35 36 64 62 30 31 35 39 33 65 33 66 64 31
> 36 38 34 63 63 66 20 48 54 54 50 2f 31 2e 30 0d
> 0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 41 63
> 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 65
> 6e 2d 55 53 0d 0a 52 65 66 65 72 65 72 3a 20 68
> 74 74 70 3a 2f 2f 66 69 6c 65 73 2e 74 75 62 65
> 73 6e 61 63 6b 2e 6e 65 74 2f 74 65 6d 70 6c 61
> 74 65 73 2f 73 77 66 2f 39 36 35 31 32 37 37 62
> 39 39 62 65 38 62 66 32 32 65 61 66 37 36 35 33
> 36 39 62 37 39 74 36 33 0d 0a 78 2d 66 6c 61 73
> 68 2d 76 65 72 73 69 6f 6e 3a 20 31 31 2c 33 2c
> 33 30 30 2c 32 36 35 0d 0a 55 73 65 72 2d 41 67
> 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30
> 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53
> 49 45 20 38 2e 30 3b 20 57 69 6e 64 6f 77 73 20
> 4e 54 20 35 2e 31 3b 20 54 72 69 64 65 6e 74 2f
> 34 2e 30 3b 20 2e 4e 45 54 20 43 4c 52 20 31 2e
> 31 2e 34 33 32 32 3b 20 2e 4e 45 54 20 43 4c 52
> 20 32 2e 30 2e 35 30 37 32 37 29 0d 0a 48 6f 73
> 74 3a 20 76 6f 74 65 2e 74 75 62 65 73 6e 61 63
> 6b 2e 63 6f 6d 0d 0a 50 72 6f 78 79 2d 43 6f 6e
> 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c
> 69 76 65 0d 0a 0d 0a
>
> &.4;....S.....e
> .E.....@.y....0
> ......t...3....
> .P.......GET ht
> tp://vote.tubesn
> ack.com/index.ph
> p?action=status&
> collection=tzuie
> phv&signature=29
> 9cb84ce7c935ff34
> 6856db01593e3fd1
> 684ccf HTTP/1.0.
> Accept: */*..Ac
> cept-Language: e
> n-US..Referer: h
> ttp://files.tube
> snack.net/templa
> tes/swf/9651277b
> 99be8bf22eaf7653
> 69b79t63..x-flas
> h-version: 11,3,
> 300,265..User-Ag
> ent: Mozilla/4.0
> (compatible; MS
> IE 8.0; Windows 
> NT 5.1; Trident/
> 4.0; .NET CLR 1.
> 1.4322; .NET CLR
> 2.0.50727)..Hos
> t: vote.tubesnac
> k.com..Proxy-Con
> nection: Keep-Al
> ive....
>
> Cheers,
> Nathan
>
>
> ------------------------------------------------------------------------------
> LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
> Remotely access PCs and mobile devices and provide instant support
> Improve your efficiency, and focus on delivering more value-add services
> Discover what IT Professionals Know. Rescue delivers
> http://p.sf.net/sfu/logmein_12329d2d
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!


------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!