[Snort-sigs] FP on 18372

Alex Kirk akirk at ...435...
Wed Feb 16 09:55:43 EST 2011


He does - ironically enough, that SID was updated to rev:3 yesterday because
the original User-Agent string used in the rule produced FPs with
RealPlayer.

Digging a bit deeper on "contype", it seems that it has mixed uses -
sometimes bots use it (as would have been the case in the malware sandbox),
sometimes legit apps use it. We'll dig a different User-Agent out of the DB,
vet it more thoroughly, and hopefully the third time will be a charm.

On Wed, Feb 16, 2011 at 9:52 AM, Joel Esler <jesler at ...435...> wrote:

> Are you sure you have the SID right? My 18372, rev:2, doesn't have that
> content match in it at all.
>
> Joel
>
> On Feb 16, 2011, at 9:43 AM, Weir, Jason wrote:
>
> > Looks like a client downloading flash content...
> >
> > GET /portal/server.pt/gateway/PTARGS_0_2_23634_14364_435710_43/http%3B/pubcontent.state.pa.us/publishedcontent/publish/cop_general_government_operations/sers/branding/flash/animation_homepage2.swf HTTP/1.1
> > Accept: */*
> > User-Agent: contype
> > Host: www.sers.state.pa.us
> > Cookie: *****removed******
> >
> > GET /swf/masthead_large.swf HTTP/1.1
> > Accept: */*
> > User-Agent: contype
> > Host: www.wxrv.com
> > Cookie: *****removed******
> >
> > GET /multimedia/archive/00379/sivananda_sports_379768a.swf HTTP/1.1
> > Accept: */*
> > User-Agent: contype
> > Host: www.thehindu.com
> >
> > Can we improve on this rule?
> >
> > -J
> >
>
> --
> Joel Esler
> jesler () sourcefire.com
> http://blog.snort.org && http://blog.clamav.net
>
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...435...
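The vetting step Alex describes (checking a candidate User-Agent string against real traffic before it goes into a rule) can be made concrete. The following is an added example, not code from this thread or from the Snort rule set: it emulates a case-insensitive content match confined to the User-Agent header (assumed to approximate a Snort content match with nocase) over a constructed sample built from the three requests Jason quoted plus two made-up ones, and reports which hosts and file types the candidate string would fire on.

```python
import os
from collections import Counter

# Constructed sample traffic: the three requests quoted in the thread plus two
# made-up ones, in the raw form a sandbox or pcap tool would dump them.
SAMPLE_REQUESTS = [
    "GET /portal/server.pt/gateway/PTARGS_0_2_23634_14364_435710_43/http%3B/pubcontent.state.pa.us/publishedcontent/publish/cop_general_government_operations/sers/branding/flash/animation_homepage2.swf HTTP/1.1\r\n"
    "Accept: */*\r\nUser-Agent: contype\r\nHost: www.sers.state.pa.us\r\n\r\n",
    "GET /swf/masthead_large.swf HTTP/1.1\r\n"
    "Accept: */*\r\nUser-Agent: contype\r\nHost: www.wxrv.com\r\n\r\n",
    "GET /multimedia/archive/00379/sivananda_sports_379768a.swf HTTP/1.1\r\n"
    "Accept: */*\r\nUser-Agent: contype\r\nHost: www.thehindu.com\r\n\r\n",
    # Made-up: an ordinary browser, and a product whose UA merely contains the string.
    "GET /index.html HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0)\r\nHost: www.example.com\r\n\r\n",
    "GET /check HTTP/1.1\r\n"
    "User-Agent: MyContypeUpdater/1.0\r\nHost: updates.example.net\r\n\r\n",
]

def parse_request(raw):
    """Split a raw HTTP/1.x request into method, URI and a lower-cased header map."""
    head = raw.partition("\r\n\r\n")[0]
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers}

def header_matches(req, header, content, exact=False):
    """Case-insensitive match on one header (assumed to approximate a nocase content
    match). exact=False: substring anywhere in the value; exact=True: whole value."""
    value = req["headers"].get(header, "").lower()
    content = content.lower()
    return value == content if exact else content in value

def vet_user_agent(raw_requests, content, exact=False):
    """Report what a candidate User-Agent match would fire on in baseline traffic:
    hit count, the hosts contacted and the file extensions requested."""
    hits = [r for r in map(parse_request, raw_requests)
            if header_matches(r, "user-agent", content, exact)]
    exts = Counter(os.path.splitext(r["uri"].split("?", 1)[0])[1] or "(none)" for r in hits)
    return {"hits": len(hits),
            "hosts": sorted({r["headers"].get("host", "") for r in hits}),
            "extensions": dict(exts)}

if __name__ == "__main__":
    # On this sample, "contype" alone fires on every .swf fetch from three unrelated sites.
    print(vet_user_agent(SAMPLE_REQUESTS, "contype"))
```

A report like this, run over a benign baseline capture, is what separates a string that only bots send from one that legitimate players and download helpers also use.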