Re: sid:36535

[James Lay <jlay () slave-tothe-box net>]

Yep...sent in results yesterday to research...it's not AS noisy, but it 
is still falsing.

James

On 2015-10-29 11:38 AM, Jefferson, Shawn wrote:
> Even rev 2 of this rule is very noisy… have other people noticed
> that?
>
> FROM: Joel Esler (jesler) [mailto:jesler () cisco com]
> SENT: October 26, 2015 11:34 AM
> TO: wkitty42 () windstream net
> CC: snort-users () lists sourceforge net
> SUBJECT: Re: [Snort-users] sid:36535
>
> I’m being told that the rule has been fixed and will be shipped
> (updated) tomorrow.
>
> --
>
> JOEL ESLER
>
> Manager, Talos Group
>
> > On Oct 26, 2015, at 2:02 PM, wkitty42 () windstream net wrote:
> >
> > On 10/26/2015 12:22 PM, Zied Naas wrote:
> >
> > Hi all,
> >
> > I would like to know why alerts are triggering for the payload
> > containing only
> > the first content “return but not the others.
> >
> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> > (msg:"EXPLOIT-KIT Neutrino
> > exploit kit landing page detected"; flow:to_client, established;
> > file_data;
> > content:"return"; content:"join"; within:8; content:"MSIE";
> > distance:0;
> > content:"navigator"; within:60; metadata:policy balanced-ips drop,
> > policy
> > security-ips drop, service http; classtype:attempted-user;
> > sid:36535; rev:1;)
> >
> > it is kind of funny that someone else just asked about the exact
> > rule on the
> > SNORT-SIGS list...
> >
> > can you provide a pcap of the transaction that fires this rule??



------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!