Snort mailing list archives
Re: sid:36535
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 26 Oct 2015 18:34:04 +0000
I'm being told that the rule has been fixed and will be shipped (updated) tomorrow.

--
Joel Esler
Manager, Talos Group

On Oct 26, 2015, at 2:02 PM, wkitty42 () windstream net wrote:

> On 10/26/2015 12:22 PM, Zied Naas wrote:
>> Hi all,
>>
>> I would like to know why alerts are triggering for the payload containing only the first content "return" but not the others.
>>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit landing page detected"; flow:to_client, established; file_data; content:"return"; content:"join"; within:8; content:"MSIE"; distance:0; content:"navigator"; within:60; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36535; rev:1;)
>
> it is kind of funny that someone else just asked about the exact rule on the SNORT-SIGS list...
>
> can you provide a pcap of the transaction that fires this rule??
>
> --
> NOTE: No off-list assistance is given without prior approval.
> *Please keep mailing list traffic on the list* unless private contact is specifically requested and granted.
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
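Added example (not from the thread or from Talos): a small Python evaluator for the content / distance / within chaining that sid:36535 relies on, so a defender can check offline which sample payloads the content chain should match before raising a false-positive question on the list. It assumes simplified semantics (the payload is the already-decoded file_data buffer, matching is case-sensitive, fast_pattern and HTTP normalization are ignored); the payloads are constructed test strings.

```python
# Simplified Snort content-chain evaluation for sid:36535 (assumption: the
# payload is the decoded file_data buffer; case-sensitive; no normalization).
# Each entry: (pattern, distance, within). distance/within are relative to the
# end of the previous content match; a missing modifier on a later content
# would make that content non-relative (searched from the buffer start).
RULE_36535 = [
    (b"return", None, None),
    (b"join", None, 8),
    (b"MSIE", 0, None),
    (b"navigator", None, 60),
]


def match_chain(buf, contents, cursor=0, idx=0):
    """Try each content in order; on failure, backtrack to the next
    occurrence of the previous content, as Snort's detection engine does."""
    if idx == len(contents):
        return True
    pattern, distance, within = contents[idx]
    relative = idx > 0 and (distance is not None or within is not None)
    # Search window: [cursor + distance, cursor + distance + within)
    start = cursor + (distance or 0) if relative else 0
    limit = len(buf)
    if within is not None:
        limit = min(limit, start + within)
    pos = buf.find(pattern, start)
    while pos != -1 and pos + len(pattern) <= limit:
        if match_chain(buf, contents, pos + len(pattern), idx + 1):
            return True
        pos = buf.find(pattern, pos + 1)   # backtrack to a later occurrence
    return False


def matches_rule_36535(payload):
    return match_chain(payload, RULE_36535)


# Constructed sample payloads (not real landing-page content).
ONLY_RETURN = b'function a(){return 1;}'                  # first content only
JOIN_TOO_FAR = b'return ["x"].join("");MSIE navigator'     # "join" ends 11 bytes out
NAV_TOO_FAR = b'return a.join("");MSIE' + b'x' * 70 + b'navigator'
FULL_CHAIN = b'function a(){return a.join("");if(/MSIE/.test(navigator.userAgent))x()}'

if __name__ == "__main__":
    for name, p in [("ONLY_RETURN", ONLY_RETURN), ("JOIN_TOO_FAR", JOIN_TOO_FAR),
                    ("NAV_TOO_FAR", NAV_TOO_FAR), ("FULL_CHAIN", FULL_CHAIN)]:
        print(f"{name}: {'ALERT' if matches_rule_36535(p) else 'no match'}")
```

A buffer that contains only "return" does not satisfy the chain under these semantics, which is why a pcap of the firing transaction is the right next step: the actual buffer Snort inspected may differ from the payload the reporter is looking at.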