Snort mailing list archives

Angler Kit download False Positive


From: Dheeraj Gupta <dheeraj.gupta4 () gmail com>
Date: Wed, 24 Aug 2016 10:28:10 +0530

Hi,

Signature SID "34720" or "Angler Exploit kit download" is generating false
positives on our network.
The payload of the offending packet is

GET http://3d978f8b966e64b0cfec-6729d756a2f36342416a9128f1759751.r41.cf3.rackcdn.com/Ares-Blue-Pool-1000004722876VAR6_03-554.jpg HTTP/1.1
Host: 3d978f8b966e64b0cfec-6729d756a2f36342416a9128f1759751.r41.cf3.rackcdn.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.landmarkshops.in/Women/Tops/Tops-and-Tees/MAX-MAX-Printed-Sleeveless-Top/p/1000004722876VAR6

It seems to me the signature looks for overly long URIs, but with cloud
hosting being so common, I guess that is to be expected.

Regards,
Dheeraj
------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
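The following is an added triage example, not part of the original post and not the Snort rule itself. It takes the poster's guess at face value, that the detection keys on an overly long request URI, and shows why a benign CDN asset like the one above would trip such a heuristic, and how a host-suffix allowlist changes the verdict. The 100-byte threshold and the `.rackcdn.com` suffix list are assumptions chosen for illustration; the control requests are constructed.

```python
"""Long-URI alert triage, as an added example for this thread.

Assumes (as the poster guessed) that the detection is driven by request URI
length. The threshold and the trusted-suffix list are illustrative assumptions,
not the logic of SID 34720.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Copy of the request quoted in the post, with the wrapped request line rejoined.
REPORTED_REQUEST = (
    "GET http://3d978f8b966e64b0cfec-6729d756a2f36342416a9128f1759751.r41.cf3.rackcdn.com"
    "/Ares-Blue-Pool-1000004722876VAR6_03-554.jpg HTTP/1.1\r\n"
    "Host: 3d978f8b966e64b0cfec-6729d756a2f36342416a9128f1759751.r41.cf3.rackcdn.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:47.0) Gecko/20100101 Firefox/47.0\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-US,en;q=0.5\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Referer: http://www.landmarkshops.in/Women/Tops/Tops-and-Tees/"
    "MAX-MAX-Printed-Sleeveless-Top/p/1000004722876VAR6\r\n"
    "\r\n"
)

# Constructed control cases (not from the post): a short benign request, and a
# long URI on a host that is not on the trusted list and should still alert.
SHORT_REQUEST = "GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
LONG_UNTRUSTED_REQUEST = (
    "GET /" + "a" * 150 + ".html HTTP/1.1\r\n"
    "Host: example.net\r\n\r\n"
)

# Assumed allowlist of CDN suffixes whose long object names are expected.
TRUSTED_CDN_SUFFIXES = (".rackcdn.com",)


@dataclass
class HttpRequest:
    method: str
    uri: str
    version: str
    headers: dict = field(default_factory=dict)


def parse_request(raw: str) -> HttpRequest:
    """Parse the request line and headers of a plain HTTP/1.x request."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, version, headers)


def request_host(req: HttpRequest) -> str:
    """Host from an absolute-form URI (proxy style), else from the Host header."""
    parsed = urlsplit(req.uri)
    return (parsed.hostname or req.headers.get("host", "")).lower()


def uri_length(req: HttpRequest) -> int:
    """Length of the request-target exactly as it appeared on the wire."""
    return len(req.uri)


def triage(raw: str, threshold: int = 100, trusted=TRUSTED_CDN_SUFFIXES) -> str:
    """Return 'no-match', 'suppressed' (long URI on a trusted CDN) or 'alert'."""
    req = parse_request(raw)
    if uri_length(req) <= threshold:
        return "no-match"
    host = request_host(req)
    if any(host.endswith(suffix) for suffix in trusted):
        return "suppressed"
    return "alert"


if __name__ == "__main__":
    for name, raw in [("reported", REPORTED_REQUEST),
                      ("short", SHORT_REQUEST),
                      ("long-untrusted", LONG_UNTRUSTED_REQUEST)]:
        req = parse_request(raw)
        print(f"{name:15s} uri_len={uri_length(req):4d} host={request_host(req)} "
              f"-> {triage(raw)}")
```

The point of the allowlist step is that the host of the reported request is a content-addressed CDN bucket, so the random-looking label and long object name are the normal shape of that traffic rather than evidence of an exploit kit. In a real deployment the equivalent tuning lives outside the rule, in Snort's threshold.conf (`suppress` or `event_filter` keyed on the SID and the destination) rather than in a script like this.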
