Snort mailing list archives

Re: sid:36535


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 2 Nov 2015 16:17:14 +0000

This rule is currently at rev:3.


Please make sure your rules are fully updated.


--
Joel Esler
Manager, Talos Group




On Oct 26, 2015, at 2:12 PM, Avery Rozar <avery.rozar () i-techsupport com> wrote:

Here are some, I'm getting killed with these today. Looks like some js files on the Akamai CDN.


________________________________________
From: wkitty42 () windstream net
Sent: Monday, October 26, 2015 2:02 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] sid:36535

On 10/26/2015 12:22 PM, Zied Naas wrote:
Hi all,

I would like to know why alerts are triggering for the payload containing only
the first content "return" but not the others.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino
exploit kit landing page detected"; flow:to_client, established; file_data;
content:"return"; content:"join"; within:8; content:"MSIE"; distance:0;
content:"navigator"; within:60; metadata:policy balanced-ips drop, policy
security-ips drop, service http; classtype:attempted-user; sid:36535; rev:1;)

it is kind of funny that someone else just asked about the exact rule on the
SNORT-SIGS list...

can you provide a pcap of the transaction that fires this rule??

--
 NOTE: No off-list assistance is given without prior approval.
       *Please keep mailing list traffic on the list* unless
       private contact is specifically requested and granted.

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
<tcpdump.Z0.log.1445832130.pcap>
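The content chain of sid:36535 (rev:1, as quoted in Zied's question above), worked through as an added example that is not part of this thread: a small Python emulation of how Snort chains `content` options with `within` and `distance`, run over constructed payloads. It shows that a payload carrying only "return" (or "return" and "join") does not satisfy the rule, and reports which content in the chain is the first that cannot be matched; the modelled semantics (`within` as a byte window after the previous match end, `distance` as an offset from it, retrying later occurrences when a subsequent content fails) are my reading of the rule language and not Snort's own engine.

```python
# Added example: emulates Snort content chaining (distance/within relative to
# the previous match end) for the rule sid:36535 rev:1 quoted in the thread.
# Simplified model of the rule language, not Snort's own matching engine.

RULE_CHAIN = [
    (b"return",    None,       None),  # no modifier: searched anywhere in file_data
    (b"join",      "within",   8),     # must lie fully within 8 bytes after prev end
    (b"MSIE",      "distance", 0),     # anywhere at or after prev end
    (b"navigator", "within",   60),    # must lie fully within 60 bytes after prev end
]

def _search(payload, chain, pos, cursor, deepest):
    """Match chain[pos:] starting at byte `cursor`; retries the next occurrence
    of a content when a later one fails. `deepest` records the furthest chain
    index that was attempted, for diagnostics."""
    if pos == len(chain):
        return True
    deepest[0] = max(deepest[0], pos)
    pattern, mod, value = chain[pos]
    start, limit = 0, len(payload)                     # non-relative search
    if mod == "within":
        start, limit = cursor, min(len(payload), cursor + value)
    elif mod == "distance":
        start = cursor + value
    while True:
        idx = payload.find(pattern, start, limit)      # whole pattern in [start, limit)
        if idx < 0:
            return False
        if _search(payload, chain, pos + 1, idx + len(pattern), deepest):
            return True
        start = idx + 1                                # try the next occurrence

def rule_fires(payload: bytes, chain=RULE_CHAIN) -> bool:
    """True only when every content in the chain matches, in order."""
    return _search(payload, chain, 0, 0, [0])

def first_unsatisfied(payload: bytes, chain=RULE_CHAIN):
    """Index of the content that could not be matched (None if the rule fires)."""
    deepest = [0]
    return None if _search(payload, chain, 0, 0, deepest) else deepest[0]

# Constructed sample payloads (not real captures).
LANDING = b'var s=[];return s.join("");/*MSIE 8*/if(navigator.userAgent){}'
BENIGN = b'function f(){return a.join(",")}'   # has "return" and "join" only

if __name__ == "__main__":
    for name, p in (("LANDING", LANDING), ("BENIGN", BENIGN)):
        print(name, rule_fires(p), first_unsatisfied(p))
```

To check a real alert, feed the `file_data` buffer from the pcap (the decoded HTTP response body) to `first_unsatisfied`; a result of `None` means all four contents matched in order.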
