[Snort-sigs] FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get

Matt Olney molney at ...435...
Sun Mar 13 18:18:52 EDT 2011


Toss a pcap to research at ...435... and we'll look at it.

Matt

On Sun, Mar 13, 2011 at 5:19 PM, Jason Haar <Jason.Haar at ...651...> wrote:
> We just had this trigger when a user downloaded an update from Baidu.com
>
> The URLs were
>
> GET http://dzl.baidu.com/update/cab/realname.dat
> GET http://dzl.baidu.com/iexp/config/control.ini
>
> The rule is a combination of a User-Agent match and a
> "metadata:impact_flag" (does the latter mean there's some extra checks
> going on or is that simply a classification tag?)
>
> I found a hit from Emerging-sigs from last year about it as a FP too - I
> guess Sourceforge is a bit behind on this one? ;-)
>
> http://answerpot.com/showthread.php?1019370-need+info+for+Baidu+2003608
>
> I can ship the PCAP if you want it (it's got the user's cookies - so I
> won't publish here)
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
>

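The thread touches two points worth seeing in code: why a User-Agent content match fires on an ordinary vendor updater, and what `metadata:impact_flag` does or does not contribute to that decision. In Snort, `metadata` carries key-value annotations about the rule (the `impact_flag` value is consumed by management consoles) and adds no byte-level check; only options such as `content`, `pcre`, `flow` and their modifiers constrain matching. The script below is an added example, not code from the thread or from the Snort project. The rule text is a constructed approximation of SID 18369 rev 2 that keeps only what the thread mentions (the `iexp-get` User-Agent match and the `metadata:impact_flag` option); the HTTP requests are constructed to reproduce the two Baidu URLs Jason listed and are not a captured pcap.

```python
import re

# Hypothetical approximation of rule 1:18369:2. The real rule body is not in the
# thread; this constructed version keeps a User-Agent content match, the usual
# HTTP modifiers, and the metadata option Jason asked about.
HYPOTHETICAL_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"BLACKLIST USER-AGENT known malicious user-agent string iexp-get"; '
    'flow:to_server,established; content:"User-Agent|3A| iexp-get"; '
    'http_header; nocase; metadata:impact_flag red, service http; '
    'classtype:trojan-activity; sid:18369; rev:2;)'
)

# Keywords that constrain whether a packet matches, versus keywords that only
# annotate the rule for humans and management consoles.
DETECTION_KEYWORDS = {"content", "pcre", "flow", "http_header", "http_uri",
                      "nocase", "uricontent", "byte_test", "flowbits",
                      "dsize", "isdataat"}
INFO_KEYWORDS = {"msg", "metadata", "classtype", "sid", "rev",
                 "reference", "priority"}


def split_options(rule):
    """Return (keyword, value) pairs from the rule's option body.

    Options are separated by semicolons outside double quotes; bare modifiers
    such as http_header or nocase have no value and get None.
    """
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    pairs = []
    for segment in re.findall(r'(?:"[^"]*"|[^;"])+', body):
        segment = segment.strip()
        if not segment:
            continue
        key, _, value = segment.partition(":")
        pairs.append((key.strip(), value.strip() or None))
    return pairs


def classify_options(rule):
    """Partition options into detection, informational and unrecognised buckets."""
    buckets = {"detection": [], "informational": [], "unknown": []}
    for key, value in split_options(rule):
        if key in DETECTION_KEYWORDS:
            buckets["detection"].append((key, value))
        elif key in INFO_KEYWORDS:
            buckets["informational"].append((key, value))
        else:
            buckets["unknown"].append((key, value))
    return buckets


def decode_content(value):
    """Turn a content string such as "User-Agent|3A| iexp-get" into plain text.

    Snort writes raw bytes as hex between pipe characters; |3A| is a colon.
    """
    text = value.strip('"')
    return re.sub(r"\|([0-9A-Fa-f ]+)\|",
                  lambda m: bytes.fromhex(m.group(1).replace(" ", "")).decode("latin-1"),
                  text)


def rule_fires(rule, request):
    """Apply only the content matches of the rule to a raw HTTP request.

    Simplifications: http_header limits the search to the header block, so the
    body after the first blank line is ignored; nocase is treated as global,
    which is equivalent here because the rule has a single content option.
    metadata, classtype, sid and rev are never consulted, because they carry
    no match condition.
    """
    opts = split_options(rule)
    headers = request.split("\r\n\r\n", 1)[0]
    nocase = any(key == "nocase" for key, _ in opts)
    haystack = headers.lower() if nocase else headers
    for key, value in opts:
        if key == "content":
            needle = decode_content(value)
            if (needle.lower() if nocase else needle) not in haystack:
                return False
    return True


# Constructed requests reproducing the two Baidu URLs from the thread with the
# offending User-Agent; these are not from the reporter's pcap.
BAIDU_REQUESTS = [
    "GET /update/cab/realname.dat HTTP/1.1\r\nHost: dzl.baidu.com\r\n"
    "User-Agent: iexp-get\r\n\r\n",
    "GET /iexp/config/control.ini HTTP/1.1\r\nHost: dzl.baidu.com\r\n"
    "User-Agent: iexp-get\r\n\r\n",
]
# Constructed control request for the same URL with an ordinary browser User-Agent.
BROWSER_REQUEST = ("GET /update/cab/realname.dat HTTP/1.1\r\nHost: dzl.baidu.com\r\n"
                   "User-Agent: Mozilla/5.0\r\n\r\n")

if __name__ == "__main__":
    for bucket, opts in classify_options(HYPOTHETICAL_RULE).items():
        print(f"{bucket:14s}", [key for key, _ in opts])
    for req in BAIDU_REQUESTS + [BROWSER_REQUEST]:
        verdict = "ALERT" if rule_fires(HYPOTHETICAL_RULE, req) else "no alert"
        print(req.splitlines()[0], "->", verdict)
```

Running it lists `metadata` under the informational bucket and shows both Baidu requests alerting purely on the `User-Agent: iexp-get` header, which is why a legitimate updater that happens to use that string produces a false positive: the rule has no other condition to distinguish it from malware. Tuning such a rule means adding a further constraint (a URI or host pattern, for instance) rather than adjusting `metadata`.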