[Snort-sigs] FP on 18372

Joel Esler jesler at ...435...
Wed Feb 16 10:01:35 EST 2011


OOOP!  Forgot to update my rules yesterday.  

I'm horrible.  

J

On Feb 16, 2011, at 9:55 AM, Alex Kirk wrote:

> He does - ironically enough, that SID was updated to rev:3 yesterday because the original User-Agent string used in the rule produced FPs with RealPlayer.
> 
> Digging a bit deeper on "contype", it seems that it has mixed uses - sometimes bots use it (as would have been the case in the malware sandbox), sometimes legit apps use it. We'll dig a different User-Agent out of the DB, vet it more thoroughly, and hopefully the third time will be a charm.
> 
> On Wed, Feb 16, 2011 at 9:52 AM, Joel Esler <jesler at ...435...> wrote:
> Are you sure you have the SID right?  My 18372, rev:2, doesn't have that content match in it at all.
> 
> Joel
> 
> On Feb 16, 2011, at 9:43 AM, Weir, Jason wrote:
> 
> > Looks like a client downloading flash content...
> >
> > GET /portal/server.pt/gateway/PTARGS_0_2_23634_14364_435710_43/http%3B/pubcontent.state.pa.us/publishedcontent/publish/cop_general_government_operations/sers/branding/flash/animation_homepage2.swf HTTP/1.1
> > Accept: */*
> > User-Agent: contype
> > Host: www.sers.state.pa.us
> > Cookie: *****removed******
> >
> > GET /swf/masthead_large.swf HTTP/1.1
> > Accept: */*
> > User-Agent: contype
> > Host: www.wxrv.com
> > Cookie: *****removed******
> >
> > GET /multimedia/archive/00379/sivananda_sports_379768a.swf HTTP/1.1
> > Accept: */*
> > User-Agent: contype
> > Host: www.thehindu.com
> >
> > Can we improve on this rule?
> >
> > -J
> >
> 
> --
> Joel Esler
> jesler () sourcefire.com
> http://blog.snort.org && http://blog.clamav.net
> 
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> 
> 
> 
> -- 
> Alex Kirk
> AEGIS Program Lead
> Sourcefire Vulnerability Research Team
> +1-410-423-1937
> alex.kirk at ...435...

--
Joel Esler
jesler () sourcefire.com
http://blog.snort.org && http://blog.clamav.net
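To make the false positive in this thread concrete, here is an added example (not code from the thread or from the Sourcefire VRT) that models a User-Agent-only match against requests constructed after the three captures above, plus one constructed non-Flash request with the same User-Agent. The `.swf`-path exclusion is a hypothetical refinement used for illustration only, not the rule change the VRT describes.

```python
# Added example: models a User-Agent-only content match and one hypothetical
# refinement. The requests below are constructed after the captures in the
# thread (cookies omitted) plus one made-up non-Flash request; none of this
# is the VRT's actual rule logic for SID 18372.
CONTYPE_UA = "contype"

# Three requests modelled on the thread's captures: legitimate Flash fetches.
FLASH_REQUESTS = [
    "GET /portal/server.pt/gateway/PTARGS_0_2_23634_14364_435710_43/http%3B/"
    "pubcontent.state.pa.us/publishedcontent/publish/cop_general_government_"
    "operations/sers/branding/flash/animation_homepage2.swf HTTP/1.1\r\n"
    "Accept: */*\r\nUser-Agent: contype\r\nHost: www.sers.state.pa.us\r\n\r\n",
    "GET /swf/masthead_large.swf HTTP/1.1\r\nAccept: */*\r\n"
    "User-Agent: contype\r\nHost: www.wxrv.com\r\n\r\n",
    "GET /multimedia/archive/00379/sivananda_sports_379768a.swf HTTP/1.1\r\n"
    "Accept: */*\r\nUser-Agent: contype\r\nHost: www.thehindu.com\r\n\r\n",
]

# Constructed (not from the thread): a non-Flash fetch with the same
# User-Agent, the kind of request a bot-oriented signature is meant to flag.
OTHER_REQUEST = ("GET /update/check.php?id=1 HTTP/1.1\r\nAccept: */*\r\n"
                 "User-Agent: contype\r\nHost: example.invalid\r\n\r\n")


def parse_request(raw):
    """Return (method, uri, headers) from a raw HTTP/1.1 request head."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def ua_only_rule(raw):
    """Fires on the User-Agent string alone (a simplification of the thread's rule)."""
    return parse_request(raw)[2].get("user-agent") == CONTYPE_UA


def ua_and_path_rule(raw):
    """Hypothetical refinement: same User-Agent, but not for plain .swf fetches."""
    _, uri, headers = parse_request(raw)
    if headers.get("user-agent") != CONTYPE_UA:
        return False
    return not uri.split("?", 1)[0].lower().endswith(".swf")


def false_positives(rule, benign):
    """Count benign requests a rule would alert on."""
    return sum(1 for r in benign if rule(r))
```

Running `false_positives` over `FLASH_REQUESTS` shows the User-Agent-only check alerting on all three legitimate fetches while the refined check alerts on none, and both still fire on the constructed non-Flash request.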
