Snort mailing list archives

Re: [Emerging-Sigs] false positive from NASA Realtime Satellite Tracking


From: Will Metcalf <william.metcalf () gmail com>
Date: Mon, 22 Aug 2016 07:29:33 -0500

Probably the easiest thing is to set a flowbit matching on anything in
.nasa.gov and then check and make sure that flowbit is not set.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Nasa Site Flowbit Set"; \
    flow:established,to_server; content:".nasa.gov"; http_header; nocase; fast_pattern:only; \
    pcre:"/^Host\x3a[^\r\n]*\.nasa\.gov(?:\x3a\d{1,5})?\r?$/Hmi"; \
    flowbits:set,ET.Nasa.Site; flowbits:noalert; classtype:misc-activity; sid:3000000; rev:2;)

Then add the following to those rules.

flowbits:isnotset,ET.Nasa.Site;

I'm guessing you are probably using snort instead of suri, otherwise I would say
you could use a pass rule, as they act a bit differently in snort and suri,
i.e. suri would pass the rest of the tcp flow... at least the last time I
checked :).

Regards,

Will

On Sat, Aug 20, 2016 at 9:01 AM, <wkitty42 () windstream net> wrote:


I'm seeing the following rules being triggered from

  http://spaceflight1.nasa.gov/realdata/tracking/index.html

but I'm not sure the best way to allow this site as the java stuff seems
to be being pulled from multiple IPs on AWS...


Rule ID:    1:2016540:2 - ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs
Date:       08/20 09:37:57
Priority:   2
Class Type: Potentially Bad Traffic
IP info:    54.243.106.158:80 -> 75.89.xxx.223:59296
References: none found

Rule ID:    1:2014472:5 - ET INFO JAVA - Java Archive Download
Date:       08/20 09:37:57
Priority:   1
Class Type: A Network Trojan was detected
IP info:    54.243.106.158:80 -> 75.89.xxx.223:59296
References: none found

Rule ID:    1:27816:9 - EXPLOIT-KIT Multiple exploit kit jar file download attempt
Date:       08/20 09:37:57
Priority:   1
Class Type: A Network Trojan was detected
IP info:    54.243.106.158:80 -> 75.89.xxx.223:59296
References: none found


--
 NOTE: No off-list assistance is given without prior approval.
       *Please keep mailing list traffic on the list* unless
       private contact is specifically requested and granted.
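A small model of how the two-rule flowbit arrangement from Will's reply behaves, added here as an example and not code from the thread or from the ET ruleset. The Host check is the pcre from the flowbit-setting rule; the JAR-download check (ZIP magic in the response body) is a simplified assumption standing in for sids 2014472/27816, and every flow tuple and HTTP message is constructed. It also shows two things the reply leaves implicit: flowbits are scoped to one TCP flow, so a .nasa.gov request on one flow does not suppress a JAR alert on another, and the anchored pcre does not match look-alike Host values such as spaceflight1.nasa.gov.example.net.

```python
import re
from collections import defaultdict

# Host check copied from the flowbit-setting rule: value ends in .nasa.gov, optional :port,
# anchored to the end of the header line (/Hmi -> multiline, case-insensitive).
NASA_HOST_RE = re.compile(rb"^Host\x3a[^\r\n]*\.nasa\.gov(?:\x3a\d{1,5})?\r?$", re.M | re.I)
# Assumption: a simplified stand-in for the real JAR-download sigs, ZIP/JAR magic in a response body.
JAR_MAGIC_RE = re.compile(rb"\r\n\r\nPK\x03\x04")
BIT = "ET.Nasa.Site"

class FlowbitTracker:
    """Minimal model of Snort flowbits: a bit belongs to one TCP flow (its 5-tuple)."""
    def __init__(self):
        self.bits = defaultdict(set)
    def set_bit(self, flow, name):          # flowbits:set,<name>
        self.bits[flow].add(name)
    def isnotset(self, flow, name):         # flowbits:isnotset,<name>
        return name not in self.bits[flow]

def inspect(tracker, flow, to_server, data):
    """Return the alert messages one packet would raise under the two-rule layout."""
    alerts = []
    if to_server and NASA_HOST_RE.search(data):
        tracker.set_bit(flow, BIT)          # sid 3000000: set the bit, flowbits:noalert
    if not to_server and JAR_MAGIC_RE.search(data) and tracker.isnotset(flow, BIT):
        alerts.append("ET INFO JAVA - Java Archive Download")   # JAR rule + flowbits:isnotset
    return alerts

def replay(packets):
    """packets: list of (flow, to_server, bytes). Returns the alerts raised per packet."""
    tracker = FlowbitTracker()
    return [inspect(tracker, flow, to_server, data) for flow, to_server, data in packets]

# Constructed sample traffic (not a real capture). Flow key: (client, cport, server, sport).
NASA_FLOW  = ("75.89.0.223", 59296, "54.243.106.158", 80)   # nasa.gov content served from AWS
OTHER_FLOW = ("75.89.0.223", 59300, "203.0.113.10", 80)     # unrelated site
SPOOF_FLOW = ("75.89.0.223", 59301, "203.0.113.11", 80)     # Host merely starts with a nasa.gov name
JAR_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: application/java-archive\r\n\r\nPK\x03\x04..."
SAMPLE = [
    (NASA_FLOW,  True,  b"GET /realdata/tracking/applet.jar HTTP/1.1\r\nHost: spaceflight1.nasa.gov\r\n\r\n"),
    (NASA_FLOW,  False, JAR_RESPONSE),      # bit was set on this flow -> suppressed
    (OTHER_FLOW, True,  b"GET /x.jar HTTP/1.1\r\nHost: cdn.example.net\r\n\r\n"),
    (OTHER_FLOW, False, JAR_RESPONSE),      # no bit on this flow -> still alerts
    (SPOOF_FLOW, True,  b"GET /x.jar HTTP/1.1\r\nHost: spaceflight1.nasa.gov.example.net\r\n\r\n"),
    (SPOOF_FLOW, False, JAR_RESPONSE),      # anchored pcre did not match -> still alerts
]

if __name__ == "__main__":
    for i, fired in enumerate(replay(SAMPLE)):
        print(i, fired or "-")
```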