Snort mailing list archives

Re: SID 39379 Norton Antivirus ASPack


From: Y M <snort () outlook com>
Date: Mon, 13 Feb 2017 20:24:09 +0000

You can check the code in the src/ directory of the rules tarball.


so_rules/src/file-executable_norton-av-aspack-heap-corruption.c


YM

________________________________
From: Charlie Dyer <charlierwdyer () gmail com>
Sent: Monday, February 13, 2017 11:18:10 PM
To: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] SID 39379 Norton Antivirus ASPack

Thanks. How do I see the compiled code, which is the root cause of the false positive I'm seeing?
I'm seeing an Acrobat Reader executable being pushed out causing alerts for this rule.

On Mon, Feb 13, 2017 at 8:10 PM, Y M <snort () outlook com<mailto:snort () outlook com>> wrote:
A similar question came up the other day. This is a gid:3 rule, a Shared Object rule. The detection part is actually a 
compiled code and what you see is the rule stub. The flowbits is set by another rule to make sure that the detection 
alerts on executable files.

https://www.snort.org/faq/shared-object-rules

YM


________________________________
From: Charlie Dyer <charlierwdyer () gmail com>
Sent: Monday, February 13, 2017 11:01:50 PM
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] SID 39379 Norton Antivirus ASPack

Hello list

Could anyone shed light on the rule 39379?

I can't see any content matching; it simply alerts on any executable file being downloaded. Is that right?
If so, what has this got to do with Norton Antivirus?

Many thanks in advance.

Charlie

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the latest emerging threats: https://snort.org/downloads/#rule-downloads

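The shared-object mechanism YM describes above (a gid:3 stub whose real detection is compiled code, gated by a flowbit that a separate rule sets when an executable is seen on the wire) is exactly why the stub looks like it "matches nothing". The following is an added example, not code from this thread or from the Snort project: a small Python inspector that parses a few constructed rule lines and reports, for a given gid:sid, what the stub itself checks and which rule sets the flowbit it depends on. The rule text, the message strings, the flowbit name `file.exe` and the setter SID 1000001 are constructed samples, not the real stub for SID 39379.

```python
"""Inspect Snort text rules to explain what a shared-object (gid:3) stub really checks.

Added example, not from the Snort project.  The sample rules below are
constructed: a gid:1 rule that sets a flowbit when a PE header is seen,
and a gid:3 stub that only gates on that flowbit (its detection lives in
the compiled .so, so the stub carries no content match of its own).
"""
import re
from dataclasses import dataclass, field

# Constructed sample ruleset (SID 1000001 is a local-rule placeholder).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY constructed PE magic detected"; flow:to_client,established; flowbits:set,file.exe; flowbits:noalert; file_data; content:"MZ"; depth:2; sid:1000001; gid:1; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE constructed SO rule stub"; flow:to_client,established; flowbits:isset,file.exe; sid:39379; gid:3; rev:1;)
"""

# Everything between the outermost parentheses is the option list.
OPTION_RE = re.compile(r"\((.*)\)\s*$")


@dataclass
class Rule:
    gid: int
    sid: int
    msg: str
    content: list = field(default_factory=list)   # content:"..." matches in the text rule
    sets: set = field(default_factory=set)        # flowbits:set,<name>
    isset: set = field(default_factory=set)       # flowbits:isset/isnotset,<name>
    shared_object: bool = False                   # gid:3 => detection is compiled code


def split_options(body):
    """Split the option body on ';' while ignoring ';' inside double quotes."""
    opts, cur, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def parse_rule(line):
    """Parse one rule line into a Rule; gid defaults to 1 as Snort does."""
    m = OPTION_RE.search(line)
    if not m:
        raise ValueError("no option block in rule: %r" % line)
    gid, sid, msg, contents, sets, isset = 1, None, "", [], set(), set()
    for opt in split_options(m.group(1)):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "gid":
            gid = int(val)
        elif key == "sid":
            sid = int(val)
        elif key == "msg":
            msg = val.strip('"')
        elif key == "content":
            contents.append(val.strip('"'))
        elif key == "flowbits":
            action, _, name = val.partition(",")
            if action == "set":
                sets.add(name.strip())
            elif action in ("isset", "isnotset"):
                isset.add(name.strip())
    return Rule(gid, sid, msg, contents, sets, isset, shared_object=(gid == 3))


def load_rules(text):
    """Return {(gid, sid): Rule} for every non-comment rule line."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return {(r.gid, r.sid): r for r in map(parse_rule, lines)}


def explain(rules, gid, sid):
    """Describe what the given rule checks on the wire and which rules feed its flowbits."""
    r = rules[(gid, sid)]
    setters = {name: sorted((s.gid, s.sid) for s in rules.values() if name in s.sets)
               for name in sorted(r.isset)}
    if r.shared_object and not r.content:
        note = "stub only gates on flowbits; detection logic is in the compiled .so"
    else:
        note = "detection is fully expressed in the text rule"
    return {"msg": r.msg, "shared_object": r.shared_object,
            "stub_content": r.content, "depends_on": setters, "note": note}


if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES)
    for key in sorted(rules):
        print(key, explain(rules, *key))
```

Run it against a real rules tarball by replacing `SAMPLE_RULES` with the concatenated text of the `.rules` files; for a gid:3 stub the report points you at the gid:1 rule that sets the flowbit, and at the `so_rules/src/` file for the detection itself.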
