Snort mailing list archives
Re: Snort-users Digest, Vol 101, Issue 41
From: Alex McDonnell <amcdonnell () sourcefire com>
Date: Tue, 28 Oct 2014 14:32:09 -0400
Hi Ron,

We have observed alerts on newegg's site for our shellshock rules. It seems that there is some sort of performance tracking that is injecting the pattern that rule looks for into the URI. At this point, if it is only an aleatory alert on newegg's site we will not be changing the rule, as it has yielded nothing but true positives thus far. Any pcap you have and want to forward along would also be helpful.

Alex McDonnell
TALOS (Formerly VRT)
Message: 3
Date: Mon, 27 Oct 2014 21:04:14 +0000
From: Ron Haines <rhaines () grantspassoregon gov>
Subject: [Snort-users] Shellshock Signatures
To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Message-ID: <5C428EDCD67FA1469CBAB808D0472B2074069B23@emperor>
Content-Type: text/plain; charset="us-ascii"

I have been seeing multiple alerts on 1:31977:3 when people visit the Newegg website. This is a community rule and I'm thinking this is a false positive. I have found several instances in the website's code where they use a lot of function calls that have () { in them. This is how the rule is built for 1:31977, 31978, 31975, and 31976. So far, only the 31977 has been triggered from Newegg.

If it is a false positive, it's not a big deal. I just wanted to run this by the group to make sure I don't have to look at something else or contact Newegg about this.

Thanks,
Ron Haines
Computer Services Technician
Information Technology
Email: rhaines () grantspassoregon gov
Phone: 541.450.6185
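To make the triage question in the thread concrete, here is an added example (not the Snort rule's own logic, and not code from either poster) that mimics the simplified idea the thread describes: look for the Shellshock-style `() {` sequence in the URL-decoded request URI and show an analyst what text produced the match. The sample URIs are constructed, and the "preceded by the JavaScript `function` keyword" heuristic is an assumption of this example, offered only as a triage hint.

```python
"""Triage helper for alerts on a simplified '() {' URI match.

Added example: it only mimics the idea described in the thread (the rule
looks for a Shellshock-style '() {' sequence in the request URI) so an
analyst can see which text in the URI produced the match. It is not the
actual Snort rule logic.
"""
from urllib.parse import unquote

PATTERN = "() {"


def find_matches(uri: str, context: int = 24) -> list:
    """Return each occurrence of PATTERN in the URL-decoded URI with context.

    The URI is percent-decoded first because a tracking parameter may carry
    the sequence as '()%20%7B' rather than as literal characters.
    """
    decoded = unquote(uri)
    hits = []
    start = 0
    while True:
        idx = decoded.find(PATTERN, start)
        if idx == -1:
            break
        before = decoded[max(0, idx - context):idx]
        after = decoded[idx:idx + len(PATTERN) + context]
        # Heuristic (assumption of this example): a match directly after a
        # JavaScript 'function' keyword looks like a script fragment carried
        # in a tracking parameter rather than a shell function definition.
        js_like = before.rstrip().endswith("function")
        hits.append({"offset": idx, "before": before, "after": after,
                     "js_like": js_like})
        start = idx + len(PATTERN)
    return hits


def triage(uri: str) -> str:
    """Classify a URI as no-match, likely-benign-js, or needs-review."""
    hits = find_matches(uri)
    if not hits:
        return "no-match"
    if all(h["js_like"] for h in hits):
        return "likely-benign-js"
    return "needs-review"


# Constructed sample URIs (not real traffic from any site).
BENIGN_TRACKING = "/track?cb=function%20()%20%7B%20return%201%3B%20%7D"
UNEXPLAINED = "/search?q=%28%29%20%7B%20x"
```

A `needs-review` result only means the match is not explained by the JavaScript heuristic; the pcap itself still decides whether the alert is a true positive.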
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!