[Snort-sigs] FP on 18372

Weir, Jason jason.weir at ...3410...
Wed Feb 16 09:56:15 EST 2011


Thanks Joel...

I have this (rev:3)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"BLACKLIST USER-AGENT known malicious user-agent string contype"; \
    flow:to_server,established; \
    content:"User-Agent|3A| contype|0D 0A|"; nocase; http_header; \
    metadata:impact_flag red, service http; \
    reference:url,labs.snort.org/docs/18372.html; classtype:trojan-activity; \
    sid:18372; rev:3;)

-J

> -----Original Message-----
> From: Joel Esler [mailto:jesler at ...435...] 
> Sent: Wednesday, February 16, 2011 9:52 AM
> To: Weir, Jason
> Cc: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] FP on 18372
> 
> 
> Are you sure you have the SID right?  My 18372, rev:2, 
> doesn't have that content match in it at all.
> 
> Joel
> 
> On Feb 16, 2011, at 9:43 AM, Weir, Jason wrote:
> 
> > Looks like a client downloading flash content...
> > 
> > GET /portal/server.pt/gateway/PTARGS_0_2_23634_14364_435710_43/http%3B/pubcontent.state.pa.us/publishedcontent/publish/cop_general_government_operations/sers/branding/flash/animation_homepage2.swf HTTP/1.1
> > Accept: */*
> > User-Agent: contype
> > Host: www.sers.state.pa.us
> > Cookie: *****removed******
> > 
> > GET /swf/masthead_large.swf HTTP/1.1
> > Accept: */*
> > User-Agent: contype
> > Host: www.wxrv.com
> > Cookie: *****removed******
> > 
> > GET /multimedia/archive/00379/sivananda_sports_379768a.swf HTTP/1.1
> > Accept: */*
> > User-Agent: contype
> > Host: www.thehindu.com
> > 
> > Can we improve on this rule?
> > 
> > -J
> > 
> 
> --
> Joel Esler
> jesler () sourcefire.com
> http://blog.snort.org && http://blog.clamav.net
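An added illustration, not part of the thread and not Snort's own code: a small Python approximation of the rev:3 content match (pipe-hex decoding, nocase, header-only scope) run over constructed copies of the three quoted requests plus two control requests. It shows why every one of the .swf fetches fires and reports the requested URI beside each hit for triage; the http_header and nocase handling is a simplification of Snort's semantics.

```python
# Added example (not Snort's code): approximates the sid:18372 rev:3 content match
# and runs it over constructed copies of the requests quoted in the thread plus controls.
CONTENT = "User-Agent|3A| contype|0D 0A|"   # content string copied from the rule above

def decode_snort_content(spec: str) -> bytes:
    """Text outside |...| is literal; inside it is space-separated hex bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes(int(h, 16) for h in part.split())
    return bytes(out)

def http_header_matches(request: bytes, pattern: bytes, nocase: bool = True) -> bool:
    """Simplified 'content:...; nocase; http_header;': search only the header block
    (everything before the blank line), case-insensitively when nocase is set."""
    header = request.split(b"\r\n\r\n", 1)[0] + b"\r\n"
    return pattern.lower() in header.lower() if nocase else pattern in header

def requested_uri(request: bytes) -> str:
    """Request-target from the request line, reported beside each hit for triage."""
    return request.split(b"\r\n", 1)[0].split(b" ")[1].decode("latin-1")

def evaluate_rule(requests: dict) -> dict:
    """Map request name -> (requested URI, whether the content match fires)."""
    pattern = decode_snort_content(CONTENT)
    return {n: (requested_uri(r), http_header_matches(r, pattern)) for n, r in requests.items()}

# Constructed samples: the three .swf fetches from the thread (cookies dropped, CRLF
# endings added), a normal browser request, and one with the string only in the body.
SAMPLE_REQUESTS = {
    "sers": (b"GET /portal/server.pt/gateway/PTARGS_0_2_23634_14364_435710_43/http%3B/"
             b"pubcontent.state.pa.us/publishedcontent/publish/cop_general_government_operations/"
             b"sers/branding/flash/animation_homepage2.swf HTTP/1.1\r\n"
             b"Accept: */*\r\nUser-Agent: contype\r\nHost: www.sers.state.pa.us\r\n\r\n"),
    "wxrv": (b"GET /swf/masthead_large.swf HTTP/1.1\r\nAccept: */*\r\n"
             b"User-Agent: contype\r\nHost: www.wxrv.com\r\n\r\n"),
    "hindu": (b"GET /multimedia/archive/00379/sivananda_sports_379768a.swf HTTP/1.1\r\n"
              b"Accept: */*\r\nUser-Agent: contype\r\nHost: www.thehindu.com\r\n\r\n"),
    "browser": b"GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\nHost: example.com\r\n\r\n",
    "body_only": (b"POST /upload HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\nHost: example.com\r\n"
                  b"Content-Length: 21\r\n\r\nUser-Agent: contype\r\n"),
}

if __name__ == "__main__":
    for name, (uri, fired) in evaluate_rule(SAMPLE_REQUESTS).items():
        print(f"{name:10} fired={fired!s:5} {uri}")
```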

