[Snort-sigs] likely FPs Web-Client .... dll-load exploit attempt

Patrick Mullen pmullen at ...435...
Mon Apr 18 13:08:11 EDT 2011


What revision of that rule are you running?  Rev 4 is the latest and
it won't FP on that traffic.  All of the dll-load rules were
regenerated on March 22 to fix this false positive issue.  If you're
on the 30-day delay rulepack, you should get the new version next
week.


Thanks,

~Patrick

On Sun, Apr 17, 2011 at 7:05 PM, Russell Fulton <r.fulton at ...575...> wrote:
> SID     CID     Timestamp       Signature       IP Src  IP Dst  Proto   Length
> 10      78025871        2011-04-18 09:53:08     WEB-CLIENT Firefox Acrobat Reader ace.dll dll-load exploit attempt      130.216.25.112 ee5112cp.ece.auckland.ac.nz      119.31.248.196 None     6       185
> 10      78025872        2011-04-18 09:53:08     WEB-CLIENT Acrobat Reader IE plugin ace.dll dll-load exploit attempt    130.216.25.112 ee5112cp.ece.auckland.ac.nz      119.31.248.196 None     6       185
> 10      78025881        2011-04-18 09:53:18     WEB-CLIENT Firefox Acrobat Reader agm.dll dll-load exploit attempt      130.216.25.112 ee5112cp.ece.auckland.ac.nz      119.31.248.196 None     6       179
> 10      78025882        2011-04-18 09:53:18     WEB-CLIENT Acrobat Reader IE plugin agm.dll dll-load exploit attempt    130.216.25.112 ee5112cp.ece.auckland.ac.nz      119.31.248.196 None     6       179
> 10      78025908        2011-04-18 09:54:32     WEB-CLIENT Firefox Acrobat Reader ace.dll dll-load exploit attempt      130.216.25.112 ee5112cp.ece.auckland.ac.nz      119.31.248.196 None     6       179
> 10      78025909        2011-04-18 09:54:32     WEB-CLIENT Acrobat Reader IE plugin ace.dll dll-load exploit attempt    130.216.25.112 ee5112cp.ece.auckland.ac.nz      119.31.248.196 None     6       179
> 10      78025915        2011-04-18 09:54:45     WEB-CLIENT Firefox Acrobat Reader ace.dll dll-load exploit attempt      130.216.25.112 ee5112cp.ece.auckland.ac.nz      119.31.248.196 None     6       172
> 10      78025916        2011-04-18 09:54:45     WEB-CLIENT Acrobat Reader IE plugin ace.dll dll-load exploit attempt    130.216.25.112 ee5112cp.ece.auckland.ac.nz      119.31.248.196 None     6       172
> 10      78025917        2011-04-18 09:54:46     WEB-CLIENT Firefox Acrobat Reader ace.dll dll-load exploit attempt      130.216.25.112 ee5112cp.ece.auckland.ac.nz      119.31.248.196 None     6       196
> 10      78025918        2011-04-18 09:54:46     WEB-CLIENT Acrobat Reader IE plugin ace.dll dll-load exploit attempt    130.216.25.112 ee5112cp.ece.auckland.ac.nz      119.31.248.196 None     6       196
>
> sample capture:
> GET /files/pluginhost/2.0.0.11032_12/External/DeviceModules/DCInterface.dll.cab HTTP/1.1
> User-Agent: SAMSUNG_KIES
> Host: msupdate.emodio.com
>
> Googling msupdate.emodio.com suggests that this is a legit site related to Samsung Kies...
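The sample capture above contains the string ace.dll as a substring of DCInterface.dll.cab, which is the likely reason a plain content match on the DLL name fires on it. As an added illustration (not code from the thread, from Snort, or from the rules it discusses), here is a Python comparison of that substring check against a match anchored to the last URI path segment; the DLL name list and the two extra request lines are constructed for the demonstration.

```python
# Constructed sample inputs: the request line from the thread (a Samsung Kies
# update fetch) plus two hypothetical requests that really do name ace.dll.
REQUESTS = [
    "GET /files/pluginhost/2.0.0.11032_12/External/DeviceModules/DCInterface.dll.cab HTTP/1.1",
    "GET /downloads/ace.dll HTTP/1.1",
    "GET /static/ACE.DLL?ver=2 HTTP/1.1",
]

# DLL names taken from the alert signatures in the thread.
DLL_NAMES = ["ace.dll", "agm.dll"]


def request_path(request_line):
    """Return the URI path from an HTTP request line, query string removed."""
    parts = request_line.split()
    if len(parts) < 2:
        return ""
    return parts[1].split("?", 1)[0]


def naive_match(request_line, dll_names):
    """Case-insensitive substring search over the whole request line.

    This is the behaviour that matches DCInterface.dll.cab, because the
    characters 'ace.dll' occur inside 'DCInterface.dll'.
    """
    haystack = request_line.lower()
    return [name for name in dll_names if name in haystack]


def anchored_match(request_line, dll_names):
    """Fire only when the final path segment is exactly one of the DLL names.

    Anchoring to a path-segment boundary is one way to avoid the substring
    false positive; it is an assumption here, not the vendor's actual fix.
    """
    last_segment = request_path(request_line).rsplit("/", 1)[-1].lower()
    return [name for name in dll_names if last_segment == name]


def triage(requests, dll_names):
    """Return (request, naive_hits, anchored_hits) for each request line."""
    return [(r, naive_match(r, dll_names), anchored_match(r, dll_names))
            for r in requests]


if __name__ == "__main__":
    for request, naive, anchored in triage(REQUESTS, DLL_NAMES):
        print(f"{request}\n  substring: {naive}\n  anchored:  {anchored}")
```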