[Snort-sigs] Binet Malware Rules
Miner, Jonathan W (CSC) (US SSA)
jonathan.w.miner at ...2476...
Fri Aug 6 06:17:02 EDT 2004
Is anyone else using the "Binet" malware rules from BleedingSnort? If so, I'm trying to debug a possible false positive condition with sid:2000366
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Malware Binet"; uricontent:"/bi/servlet"; nocase; content:"abetterinternet.com"; nocase; classtype: policy-violation; reference:url,sarc.com/avcenter/venc/data/pf/adware.binet.html; sid:2000366; rev:3;)
This rule correctly matches HTTP requests like this...
GET http://download.abetterinternet.com/bi/servlet/Banner?d=LOT64106 HTTP/1.0
The result is that I'm seeing machines that trigger sid:2000366 that end up being clean when we run SpyBot and AdAware.
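A small added example (my own code, not part of the list post or the Bleeding Snort rule set) that re-implements the two matching conditions of sid:2000366 in Python, so you can see exactly which HTTP requests the rule requires before blaming the host. It approximates Snort 2.x semantics: uricontent is checked only against the request-target of the request line, while a plain content option with no http modifier is searched across the whole payload, and nocase makes both comparisons case-insensitive. The sample requests below are constructed for the test; only the first request line is the one quoted in the post, and the hostnames example.test are placeholders.

```python
# Minimal emulation of Bleeding Snort sid:2000366 for false-positive triage.
# Assumption: uricontent is matched against the request-target only, and a
# bare content option is matched against the entire payload (Snort 2.x
# behaviour for content without http_* modifiers).

RULE_URICONTENT = "/bi/servlet"          # uricontent:"/bi/servlet"; nocase;
RULE_CONTENT = "abetterinternet.com"     # content:"abetterinternet.com"; nocase;


def request_uri(payload: str) -> str:
    """Return the request-target from the first line of an HTTP request."""
    first_line = payload.split("\r\n", 1)[0]
    parts = first_line.split()
    return parts[1] if len(parts) >= 2 else ""


def rule_2000366_matches(payload: str) -> bool:
    """True when both rule conditions hold for this request payload."""
    uri_hit = RULE_URICONTENT.lower() in request_uri(payload).lower()
    payload_hit = RULE_CONTENT.lower() in payload.lower()
    return uri_hit and payload_hit


# Constructed sample requests (the first request line is the one from the post;
# headers and the other requests are made up for illustration).
SAMPLE_REQUESTS = {
    # The post's example: absolute URI to the adware host -> matches.
    "post_example": (
        "GET http://download.abetterinternet.com/bi/servlet/Banner?d=LOT64106 HTTP/1.0\r\n"
        "Host: download.abetterinternet.com\r\n\r\n"
    ),
    # Same servlet path on an unrelated host, domain string absent -> no match.
    "same_path_other_host": (
        "GET /bi/servlet/Banner HTTP/1.0\r\n"
        "Host: ads.example.test\r\n\r\n"
    ),
    # Domain only in the Referer; URI has no /bi/servlet -> no match.
    "domain_in_referer_only": (
        "GET /index.html HTTP/1.0\r\n"
        "Host: www.example.test\r\n"
        "Referer: http://abetterinternet.com/bi/servlet/x\r\n\r\n"
    ),
    # Mixed case path and Host header; nocase on both options -> matches.
    "mixed_case": (
        "GET /BI/SERVLET/Banner HTTP/1.0\r\n"
        "Host: ABETTERINTERNET.COM\r\n\r\n"
    ),
}


def evaluate_samples() -> dict:
    """Map each sample name to whether sid:2000366 would fire on it."""
    return {name: rule_2000366_matches(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:25s} -> {'ALERT' if fired else 'no alert'}")
```

When a host trips this rule, capturing the full request that triggered it and running it through a check like this tells you which of the two conditions fired and whether the traffic is really the servlet fetch the rule was written for, which is the first thing to establish before comparing against the SpyBot and AdAware results.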