Snort mailing list archives
Re: [Emerging-Sigs] false positive from NASA Realtime Satellite Tracking
From: Will Metcalf <william.metcalf () gmail com>
Date: Mon, 22 Aug 2016 07:29:33 -0500
Probably the easiest thing is to set a flowbit matching on anything in .nasa.gov and then check and make sure that flowbit is not set.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Nasa SiteFlowbit Set"; flow:established,to_server; content:".nasa.gov"; http_header; nocase; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]*\.nasa\.gov(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.Nasa.Site; flowbits:noalert; classtype:misc-activity; sid:3000000; rev:2;)

Then add the following to those rules.

flowbits:isnotset,ET.Nasa.Site;

Guessing you are probably using snort instead of suri, otherwise I would say you could use a pass rule, as they act a bit differently in snort and suri, i.e. suri would pass the rest of the tcp flow... at least the last time I checked :).

Regards,
Will

On Sat, Aug 20, 2016 at 9:01 AM, <wkitty42 () windstream net> wrote:
I'm seeing the following rules being triggered from http://spaceflight1.nasa.gov/realdata/tracking/index.html but I'm not sure the best way to allow this site, as the java stuff seems to be being pulled from multiple IPs on AWS...

Rule ID: 1:2016540:2 - ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs
Date: 08/20 09:37:57
Priority: 2
Class Type: Potentially Bad Traffic
IP info: 54.243.106.158:80 -> 75.89.xxx.223:59296
References: none found

Rule ID: 1:2014472:5 - ET INFO JAVA - Java Archive Download
Date: 08/20 09:37:57
Priority: 1
Class Type: A Network Trojan was detected
IP info: 54.243.106.158:80 -> 75.89.xxx.223:59296
References: none found

Rule ID: 1:27816:9 - EXPLOIT-KIT Multiple exploit kit jar file download attempt
Date: 08/20 09:37:57
Priority: 1
Class Type: A Network Trojan was detected
IP info: 54.243.106.158:80 -> 75.89.xxx.223:59296
References: none found

--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list* unless private contact is specifically requested and granted.

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () lists emergingthreats net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
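The flowbit approach Will describes depends on two things that are easy to get wrong when copying it: the bit is keyed on the TCP flow, so a check on the server-to-client JAR response sees state that was set on the client-to-server request, and the pcre is anchored to the end of the Host line, so a host that merely contains ".nasa.gov" somewhere in its name does not set the bit. The Python below is an added illustration written for this archive page, not code from Will, Emerging Threats or the Snort project: it simulates the flowbit semantics for one request/response pair, reusing the pcre from sid:3000000 verbatim. The JAR "rule" is a constructed stand-in keyed on a Content-Type header (the real rule bodies for 2016540, 2014472 and 27816 are not on the page), and all traffic and endpoints are constructed samples.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# The pcre from Will's flowbit-setting rule, unchanged. Snort's /H flag selects
# the HTTP header buffer (here: the raw header bytes passed in); /m and /i map
# to re.MULTILINE and re.IGNORECASE.
NASA_HOST_RE = re.compile(
    rb"^Host\x3a[^\r\n]*\.nasa\.gov(?:\x3a\d{1,5})?\r?$",
    re.MULTILINE | re.IGNORECASE,
)

# Constructed stand-in for the JAR rules in the report; the actual ET/Snort
# rule bodies are not on the page, so this only keys on a Content-Type header.
JAR_CONTENT_TYPE_RE = re.compile(
    rb"^Content-Type\x3a\s*application/(?:java-archive|x-java-archive)\r?$",
    re.MULTILINE | re.IGNORECASE,
)

FLOWBIT = "ET.Nasa.Site"


@dataclass
class Flow:
    """Per-flow state. Snort keys flowbits on the TCP flow, so the client
    request and the server response share the same set of bits."""
    key: Tuple[str, int, str, int]
    flowbits: Set[str] = field(default_factory=set)


def nasa_site_setter(flow: Flow, request_headers: bytes) -> None:
    """Mirrors sid:3000000: to_server, fast-pattern content ".nasa.gov" in the
    header buffer (nocase), then the anchored pcre on the Host line.
    flowbits:noalert means this rule never raises an alert of its own."""
    if b".nasa.gov" not in request_headers.lower():   # content; nocase
        return
    if NASA_HOST_RE.search(request_headers):          # pcre:"/.../Hmi"
        flow.flowbits.add(FLOWBIT)                    # flowbits:set,ET.Nasa.Site


def jar_download_rule(flow: Flow, response_headers: bytes) -> Optional[str]:
    """Stand-in for one of the noisy rules with Will's suggested
    'flowbits:isnotset,ET.Nasa.Site;' added: the bit check is evaluated
    before the payload match, so a flagged flow never alerts."""
    if FLOWBIT in flow.flowbits:                      # flowbits:isnotset fails
        return None
    if JAR_CONTENT_TYPE_RE.search(response_headers):  # constructed match condition
        return "ET INFO JAVA - Java Archive Download (simplified stand-in)"
    return None


def process_flow(request_headers: bytes, response_headers: bytes) -> Optional[str]:
    """Run one request/response pair through both rules on a fresh flow and
    return the alert message, or None when suppressed or not matched."""
    # Constructed endpoints (RFC 5737 documentation addresses), not the report's.
    flow = Flow(key=("192.0.2.10", 59296, "198.51.100.20", 80))
    nasa_site_setter(flow, request_headers)           # packet 1: to_server
    return jar_download_rule(flow, response_headers)  # packet 2: to_client


# Constructed sample traffic (headers only).
NASA_REQUEST = (b"GET /realdata/tracking/applet.jar HTTP/1.1\r\n"
                b"Host: spaceflight1.nasa.gov\r\n"
                b"User-Agent: Mozilla/4.0 (Java 1.8.0_101)\r\n\r\n")
NASA_PORT_REQUEST = NASA_REQUEST.replace(b"nasa.gov\r\n", b"nasa.gov:8080\r\n")
OTHER_REQUEST = NASA_REQUEST.replace(b"spaceflight1.nasa.gov", b"cdn.example.net")
# Lookalike host: contains ".nasa.gov" (so the content match hits) but the
# anchored pcre rejects it because ".nasa.gov" is not followed by port/EOL.
LOOKALIKE_REQUEST = NASA_REQUEST.replace(b"spaceflight1.nasa.gov",
                                         b"www.nasa.gov.example.net")
JAR_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                b"Content-Type: application/java-archive\r\n"
                b"Content-Length: 12345\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("nasa", NASA_REQUEST), ("nasa:8080", NASA_PORT_REQUEST),
                      ("other", OTHER_REQUEST), ("lookalike", LOOKALIKE_REQUEST)]:
        print(f"{name:10} -> {process_flow(req, JAR_RESPONSE)}")
```

Running it shows the two nasa.gov requests (with and without a port) suppressing the JAR alert while the unrelated host and the lookalike still alert. The lookalike case is the one to keep in mind when adapting this to another site: a bare `content:".nasa.gov"` on its own would set the bit for the lookalike too, and every rule carrying `flowbits:isnotset` would go quiet for that flow; the anchored pcre is what keeps the exception narrow.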
------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- false positive from NASA Realtime Satellite Tracking wkitty42 (Aug 20)
- Re: [Emerging-Sigs] false positive from NASA Realtime Satellite Tracking Will Metcalf (Aug 22)