[Snort-sigs] False Positive

Adam Clinch adam.clinch at ...2420...
Mon Oct 2 22:32:18 EDT 2006


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  
spyware-put.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware hxdl runtime detection - crypt user-agent"; flow:to_server,established; content:"User-Agent|3A|"; nocase; content:"CryptRetrieveObjectByUrl|3A 3A|InetSchemeProvider"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]+CryptRetrieveObjectByUrl\x3A\x3AInetSchemeProvider/smi"; reference:url,www.spywareguide.com/product_show.php?id=516; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075079; classtype:misc-activity; sid:7555; rev:1;)

--
Sid:
7555 
--
Summary:
 This event is generated when activity relating to a spyware application is detected. 
--
Impact:
 Unknown. Possible information disclosure, violation of privacy, possible violation of policy.
--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:
Triggers on crl.microsoft.com


source addr      dest addr        Ver  Hdr Len  TOS  length  ID     flags  offset  TTL  chksum
147.10.195.135   131.107.115.28   4    5        0    461     15547  0      0       64   44886

000 : 47 45 54 20 2F 70 6B 69 2F 63 72 6C 2F 70 72 6F   GET /pki/crl/pro
010 : 64 75 63 74 73 2F 43 6F 64 65 53 69 67 6E 50 43   ducts/CodeSignPC
020 : 41 2E 63 72 6C 20 48 54 54 50 2F 31 2E 30 0D 0A   A.crl HTTP/1.0..
030 : 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 55 73 65   Accept: */*..Use
040 : 72 2D 41 67 65 6E 74 3A 20 43 72 79 70 74 52 65   r-Agent: CryptRe
050 : 74 72 69 65 76 65 4F 62 6A 65 63 74 42 79 55 72   trieveObjectByUr
060 : 6C 3A 3A 49 6E 65 74 53 63 68 65 6D 65 50 72 6F   l::InetSchemePro
070 : 76 69 64 65 72 0D 0A 48 6F 73 74 3A 20 63 72 6C   vider..Host: crl
080 : 2E 6D 69 63 72 6F 73 6F 66 74 2E 63 6F 6D 0D 0A   .microsoft.com..
090 : 43 6F 6F 6B 69 65 3A 20 73 5F 6E 72 3D 31 31 35   Cookie: s_nr=115
0a0 : 38 39 38 38 31 37 36 35 35 30 3B 20 57 54 5F 46   8988176550; WT_F
0b0 : 50 43 3D 69 64 3D 31 34 37 2E 31 30 2E 31 39 35   PC=id=147.10.195
0c0 : 2E 31 33 35 2D 31 31 33 34 36 37 32 31 31 32 2E   .135-1134672112.
0d0 : 32 39 38 31 30 33 37 38 3A 6C 76 3D 31 31 35 38   29810378:lv=1158
0e0 : 39 32 33 33 35 37 38 32 30 3A 73 73 3D 31 31 35   923357820:ss=115
0f0 : 38 39 35 32 31 30 35 39 31 30 3B 20 4D 43 31 3D   8952105910; MC1=
100 : 47 55 49 44 3D 39 30 62 34 38 64 36 39 61 63 64   GUID=90b48d69acd
110 : 66 32 65 34 64 61 39 34 61 63 38 63 66 32 33 34   f2e4da94ac8cf234
120 : 61 62 33 61 39 26 48 41 53 48 3D 36 39 38 64 26   ab3a9&HASH=698d&
130 : 4C 56 3D 32 30 30 36 39 26 56 3D 33 3B 20 41 3D   LV=20069&V=3; A=
140 : 49 26 49 3D 41 78 55 46 41 41 41 41 41 41 43 57   I&I=AxUFAAAAAACW
150 : 42 77 41 41 7A 53 39 42 54 35 4A 4A 2B 39 6A 34   BwAAzS9BT5JJ+9j4
160 : 36 46 75 6C 6A 58 30 65 74 67 21 21 0D 0A 43 61   6FuljX0etg!!..Ca
170 : 63 68 65 2D 43 6F 6E 74 72 6F 6C 3A 20 6E 6F 2D   che-Control: no-
180 : 63 61 63 68 65 2C 20 6D 61 78 2D 61 67 65 3D 32   cache, max-age=2
190 : 35 39 32 30 30 0D 0A 0D 0A                        59200....


--
False Negatives:

--
Corrective Action:

--
Contributors:

-- 
Additional References:

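One way to reproduce the hit and triage this class of alert, as an added example that is not from the original post or from the Snort project: the request is transcribed from the packet dump above (cookie header dropped, it plays no part in the match), the pcre is the rule's own, and the "benign CRL fetch" check is an assumption about what the Windows CryptoAPI traffic in the report looks like, not something the rule or the list describes.

```python
import re

# Transcribed from the packet dump in the false-positive report above;
# the Cookie header is omitted because it does not affect the match.
CRL_FETCH = (
    b"GET /pki/crl/products/CodeSignPCA.crl HTTP/1.0\r\n"
    b"Accept: */*\r\n"
    b"User-Agent: CryptRetrieveObjectByUrl::InetSchemeProvider\r\n"
    b"Host: crl.microsoft.com\r\n"
    b"Cache-Control: no-cache, max-age=259200\r\n\r\n"
)

# The pcre option of sid 7555; Snort's /smi flags mapped onto Python's.
SID_7555_PCRE = re.compile(
    rb"^User-Agent\x3A[^\r\n]+CryptRetrieveObjectByUrl\x3A\x3AInetSchemeProvider",
    re.DOTALL | re.MULTILINE | re.IGNORECASE,
)

def rule_matches(payload: bytes) -> bool:
    """Approximate the rule's two nocase content checks plus its pcre."""
    low = payload.lower()
    ua = low.find(b"user-agent:")
    if ua < 0:
        return False
    # second content has distance:0, so it must follow the first match
    if low.find(b"cryptretrieveobjectbyurl::inetschemeprovider", ua) < 0:
        return False
    return SID_7555_PCRE.search(payload) is not None

def parse_request(payload: bytes) -> dict:
    """Split an HTTP/1.x request into method, path and lower-cased headers."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}

def looks_like_crl_fetch(payload: bytes) -> bool:
    """Assumed benign pattern: a GET for a .crl file from crl.microsoft.com."""
    req = parse_request(payload)
    host = req["headers"].get("host", "").lower()
    return (req["method"] == "GET"
            and req["path"].lower().endswith(".crl")
            and host == "crl.microsoft.com")

def triage(payload: bytes) -> str:
    """Label a payload: no-match, false-positive (CRL fetch) or investigate."""
    if not rule_matches(payload):
        return "no-match"
    return "false-positive" if looks_like_crl_fetch(payload) else "investigate"
```

Running triage over the transcribed request returns "false-positive", which is the basis for tuning the rule (for example a pass rule or a Host-aware refinement) rather than dropping it.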