[Snort-sigs] FP 2002082

Thierry CHICH thierry.chich at ...2579...
Mon Mar 5 08:59:28 EST 2007


A lot of FPs with rule 2002082:


/etc/snort/rules/bleeding-policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY Infotriever Spyware User Agent"; flow: to_server,established; content:"User-Agent\: Client"; nocase; classtype: trojan-activity; reference:url,www.infotriever.com/Intro_SysAdmins.asp; sid: 2002082; rev:6;)

For instance, I have FPs from packets going to Microsoft servers. I can't 
believe that there could be spyware in Microsoft products. It must be a false 
positive. 


For instance: 


10.163.234.246:33794 -> 207.68.179.219:80 [AP] 
GET /_0sfdata/1?aa=5:18:58:03&ab=3806&ac=438&ad=134&ae=44&af=260&ag=211&ah=0&ai=51&aj=100&ak=1&al=36&nr=21&cg=%7bb3bb5bba-e7d5-40ab-a041-a5b1c0b26c8f%7d HTTP/1.0..User-Agent: Client..Host: g.microsoft.com..Via: 1.1 localhost.localdomain:8080 (squid/2.5.STABLE10)..X-Forwarded-For: 10.63.234.35, 127.0.0.1..Cache-Control: max-age=259200..Connection: keep-alive....

I am also attaching a pcap version of some packets.

Thierry Chich
-------------- next part --------------
A non-text attachment was scrubbed...
Name: out.log
Type: text/x-log
Size: 1657 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20070305/4931e8c3/attachment.bin>
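An added example, not code from the original post or from the Bleeding Edge rule set, showing why sid 2002082 fires on the request above: the rule's `content:"User-Agent\: Client"; nocase;` is a case-insensitive substring search over the whole payload, so it matches the Microsoft request (whose User-Agent really is the bare word "Client") and would equally match any User-Agent that merely starts with "Client". The code rebuilds the posted request as bytes (the ".." in ngrep output are CRLF), adds two constructed requests, contrasts the substring match with a header-anchored check, and suppresses alerts for an assumed local allowlist of destination hosts. The allowlist, the second and third requests and the function names are assumptions for illustration.

```python
import re
from typing import Optional

# The request from the post, rebuilt as bytes (ngrep prints CRLF as "..").
MS_REQUEST = (
    b"GET /_0sfdata/1?aa=5:18:58:03&ab=3806&ac=438&ad=134&ae=44&af=260&ag=211"
    b"&ah=0&ai=51&aj=100&ak=1&al=36&nr=21&cg=%7bb3bb5bba-e7d5-40ab-a041-a5b1c0b26c8f%7d HTTP/1.0\r\n"
    b"User-Agent: Client\r\n"
    b"Host: g.microsoft.com\r\n"
    b"Via: 1.1 localhost.localdomain:8080 (squid/2.5.STABLE10)\r\n"
    b"X-Forwarded-For: 10.63.234.35, 127.0.0.1\r\n"
    b"Cache-Control: max-age=259200\r\n"
    b"Connection: keep-alive\r\n\r\n"
)

# Constructed sample: a User-Agent that only *starts* with "Client".
CLIENTX_REQUEST = (
    b"GET /check HTTP/1.1\r\n"
    b"User-Agent: ClientUpdater 1.0\r\n"
    b"Host: updates.example.org\r\n\r\n"
)

# Constructed sample: an ordinary browser request that should never match.
NORMAL_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/2.0\r\n"
    b"Host: www.example.org\r\n\r\n"
)


def content_match(payload: bytes) -> bool:
    """Mirror content:"User-Agent\\: Client"; nocase; -- a case-insensitive
    substring search anywhere in the payload, exactly what the rule does."""
    return b"user-agent: client" in payload.lower()


# Stricter check: the User-Agent header line must be exactly "Client"
# (what a pcre anchored with ^ ... $ in multiline mode would express).
UA_EXACT_RE = re.compile(rb"^User-Agent:[ \t]*Client[ \t]*\r?$",
                         re.IGNORECASE | re.MULTILINE)


def anchored_match(payload: bytes) -> bool:
    return UA_EXACT_RE.search(payload) is not None


HOST_RE = re.compile(rb"^Host:[ \t]*([^\r\n]+)", re.IGNORECASE | re.MULTILINE)


def host_header(payload: bytes) -> Optional[str]:
    """Return the Host header value, or None if the request has none."""
    m = HOST_RE.search(payload)
    return m.group(1).decode("ascii", "replace").strip().lower() if m else None


# Assumption: a local allowlist of destination domains whose traffic is known
# to send "User-Agent: Client" legitimately (the Microsoft case from the post).
BENIGN_HOST_SUFFIXES = ("microsoft.com",)


def host_is_allowlisted(host: Optional[str]) -> bool:
    if host is None:
        return False
    return any(host == s or host.endswith("." + s) for s in BENIGN_HOST_SUFFIXES)


def should_alert(payload: bytes, strict: bool = True) -> bool:
    """Decide whether the request should raise the Infotriever alert.

    strict=False reproduces the rule as shipped (substring match);
    strict=True requires the exact header value. In both modes a request
    to an allowlisted host is suppressed, the equivalent of a local
    suppress/pass entry for the known-benign destination."""
    matched = anchored_match(payload) if strict else content_match(payload)
    if not matched:
        return False
    return not host_is_allowlisted(host_header(payload))


def triage(samples):
    """Run every sample through both modes; returns {name: (as_shipped, strict)}."""
    return {name: (should_alert(p, strict=False), should_alert(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    results = triage({"microsoft": MS_REQUEST,
                      "clientx": CLIENTX_REQUEST,
                      "browser": NORMAL_REQUEST})
    for name, (shipped, strict) in results.items():
        print(f"{name:10s} as shipped: {shipped!s:5s} strict: {strict}")
```

The substring match and the exact-header match both fire on the posted Microsoft request, because its User-Agent is genuinely the single word "Client"; tightening the content pattern therefore does not remove this false positive, only the destination allowlist does. On the Snort side that is what a `suppress` entry keyed on sid 2002082 and the destination address, or a pass rule for the host, achieves. The anchored check still has value for the constructed "ClientUpdater" case, which the shipped rule also matches.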

