[Snort-sigs] FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get

Jason Haar Jason.Haar at ...651...
Sun Mar 13 17:19:55 EDT 2011

We just had this trigger when a user downloaded an update from Baidu.com

The URLs were

GET http://dzl.baidu.com/update/cab/realname.dat
GET http://dzl.baidu.com/iexp/config/control.ini

The rule is a combination of a User-Agent match and a
"metadata:impact_flag" (does the latter mean there's some extra checks
going on or is that simply a classification tag?)

I found a hit from Emerging-sigs from last year about it as a FP too - I
guess Sourceforge is a bit behind on this one? ;-)


I can ship the PCAP if you want it (it's got the user's cookies - so I
won't publish here)


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-sigs mailing list