[Snort-sigs] FP on 18372

Joel Esler jesler at ...435...
Wed Feb 16 09:52:01 EST 2011


Are you sure you have the SID right?  My 18372, rev:2, doesn't have that content match in it at all.

Joel

On Feb 16, 2011, at 9:43 AM, Weir, Jason wrote:

> Looks like a client downloading flash content...
> 
> GET /portal/server.pt/gateway/PTARGS_0_2_23634_14364_435710_43/http%3B/pubcontent.state.pa.us/publishedcontent/publish/cop_general_government_operations/sers/branding/flash/animation_homepage2.swf HTTP/1.1
> Accept: */*
> User-Agent: contype
> Host: www.sers.state.pa.us
> Cookie: *****removed******
> 
> GET /swf/masthead_large.swf HTTP/1.1
> Accept: */*
> User-Agent: contype
> Host: www.wxrv.com
> Cookie: *****removed******
> 
> GET /multimedia/archive/00379/sivananda_sports_379768a.swf HTTP/1.1
> Accept: */*
> User-Agent: contype
> Host: www.thehindu.com
> 
> Can we improve on this rule?
> 
> -J
> 

--
Joel Esler
jesler () sourcefire.com
http://blog.snort.org && http://blog.clamav.net
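Joel's question is the first thing to settle on any false-positive report: which SID and rev actually fired, and which content matches that revision carries. One way to check that locally, as an added example that is not part of this thread and not Sourcefire's code, is to parse the rules file for the SID, list its content matches, and replay the captured requests against them. The sample rules file below (SIDs 1000001 and 1000002) and the "control" request are constructed for the example; rule 18372 itself is not reproduced on this page, so nothing here stands in for it. The "wxrv" request is the second one from Jason's message with its sanitised Cookie header dropped.

```python
import re

# Constructed sample rules file. This is NOT Sourcefire VRT rule 18372 (the
# thread never reproduces it); SIDs here are in the local range (>= 1000000).
SAMPLE_RULES = r'''
# local example rules (constructed)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL swf fetch by contype UA"; flow:to_server,established; content:".swf"; http_uri; content:"User-Agent|3A| contype"; nocase; http_header; classtype:misc-activity; sid:1000001; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL unrelated rule"; flow:to_server,established; content:"foo"; http_uri; sid:1000002; rev:1;)
'''

# Requests to replay. 'wxrv' is the second request from Jason's message (the
# sanitised Cookie header dropped); 'control' is a constructed non-SWF request.
REQUESTS = {
    'wxrv': (b"GET /swf/masthead_large.swf HTTP/1.1\r\n"
             b"Accept: */*\r\n"
             b"User-Agent: contype\r\n"
             b"Host: www.wxrv.com\r\n\r\n"),
    'control': (b"GET /index.html HTTP/1.1\r\n"
                b"Accept: */*\r\n"
                b"User-Agent: Mozilla/5.0\r\n"
                b"Host: www.example.com\r\n\r\n"),
}


def decode_content(s):
    """Expand Snort |hex| segments in a content string; text outside bars is literal."""
    out = bytearray()
    for i, part in enumerate(s.split('|')):
        out += part.encode('latin-1') if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def parse_rules(text):
    """Return {sid: {'rev', 'msg', 'contents'}} for every rule line in text.
    Only sid, rev, msg, content, nocase and the content negation '!' are
    understood; other options (flow, http_* modifiers, depth, ...) are skipped."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = re.search(r'\((.*)\)\s*$', line)
        if not m:
            continue
        rule = {'rev': None, 'msg': None, 'contents': []}
        sid = None
        # split the option list on ';' but not inside double-quoted values
        for opt in re.findall(r'(?:[^;"]+|"[^"]*")+', m.group(1)):
            key, _, val = opt.strip().partition(':')
            key, val = key.strip(), val.strip()
            if key == 'sid':
                sid = int(val)
            elif key == 'rev':
                rule['rev'] = int(val)
            elif key == 'msg':
                rule['msg'] = val.strip('"')
            elif key == 'content':
                negated = val.startswith('!')
                literal = val.lstrip('!').strip().strip('"')
                rule['contents'].append(
                    {'bytes': decode_content(literal), 'nocase': False, 'negated': negated})
            elif key == 'nocase' and rule['contents']:
                rule['contents'][-1]['nocase'] = True   # applies to the preceding content
        if sid is not None:
            rules[sid] = rule
    return rules


def content_matches(request, contents):
    """Naive match: every plain content must occur in the raw request and every
    negated one must not. Real Snort checks each content inside its modifier
    buffer (http_uri, http_header, ...) and honours distance/within, so this
    over-approximates: it can only tell you that a rule *cannot* have fired."""
    for c in contents:
        hay, needle = request, c['bytes']
        if c['nocase']:
            hay, needle = hay.lower(), needle.lower()
        if (needle in hay) == c['negated']:
            return False
    return True


def rules_that_fire(rules, request):
    """SIDs whose content matches are all satisfied by the request."""
    return sorted(sid for sid, r in rules.items()
                  if content_matches(request, r['contents']))


if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)
    for sid, r in rules.items():
        print(sid, 'rev', r['rev'], [c['bytes'] for c in r['contents']])
    for name, req in REQUESTS.items():
        print(name, '->', rules_that_fire(rules, req))
```

Point it at the real rules directory (`parse_rules(open(path).read())`) and look up the SID from the alert; if the rev or the content list differs from what you expected, the alert came from a different revision or rule set than the one you are reading, which is exactly the mismatch Joel is asking about. Because the matcher ignores buffer modifiers, a "fires" result is only a hint; a "does not fire" result is reliable.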