[Snort-sigs] FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get

Matt Olney molney at ...435...
Sun Mar 13 18:58:07 EDT 2011


Actually, in this case this isn't a false positive.  The alert is on a
web get with a user agent "iexp-get" which is associated with
baidu.com.  Baidu is considered adware and malware from some sources
(I'm not judging one way or another) and has a rule here for use if
you see fit.  So you have a policy decision.  If you allow the baidu
service, you can disable the rule.  Otherwise, it worked :)

Ghost makes a good point on properly terminating string searches.  We
correctly do that here and limit the search to the header:
 content:"User-Agent|3A| iexp-get|0D 0A|"; nocase; http_header;

The metadata:impact_flag is used by the Sourcefire appliance to
prioritize alerts.  In certain circumstances, particularly in malware,
we need to explicitly call out the level of the alert.  This has no
impact on opensource users.

Matt

On Sun, Mar 13, 2011 at 5:19 PM, Jason Haar <Jason.Haar at ...651...> wrote:
> We just had this trigger when a user downloaded an update from Baidu.com
>
> The URLs were
>
> GET http://dzl.baidu.com/update/cab/realname.dat
> GET http://dzl.baidu.com/iexp/config/control.ini
>
> The rule is a combination of a User-Agent match and a
> "metadata:impact_flag" (does the latter mean there's some extra checks
> going on or is that simply a classification tag?)
>
> I found a hit from Emerging-sigs from last year about it as a FP too - I
> guess Sourceforge is a bit behind on this one? ;-)
>
> http://answerpot.com/showthread.php?1019370-need+info+for+Baidu+2003608
>
> I can ship the PCAP if you want it (it's got the user's cookies - so I
> won't publish here)
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
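To make Matt's point about terminating the string and restricting the search to the header concrete, here is an added emulation of the rule's content match (not code from the thread or from Snort itself); the HTTP requests are constructed samples, and the `example.test` host is a placeholder:

```python
# Snort content from the thread, written out as the bytes it matches:
#   content:"User-Agent|3A| iexp-get|0D 0A|"; nocase; http_header;
# |3A| is ':' and |0D 0A| is CRLF, so the user-agent value must end right
# after "iexp-get"; a longer value such as "iexp-getter" does not match.
CONTENT = b"User-Agent: iexp-get\r\n"


def http_header_bytes(request: bytes) -> bytes:
    """Emulate the http_header modifier: only the request line and headers,
    up to and including the blank CRLF line, are searched, never the body."""
    end = request.find(b"\r\n\r\n")
    return request if end < 0 else request[: end + 4]


def matches_iexp_get(request: bytes) -> bool:
    """Emulate content + nocase + http_header for 1:18369:2."""
    return CONTENT.lower() in http_header_bytes(request).lower()


# Constructed sample requests (not real captures).
HIT = (b"GET /update/cab/realname.dat HTTP/1.1\r\n"
       b"Host: dzl.baidu.com\r\n"
       b"User-Agent: iexp-get\r\n\r\n")
# nocase: header name and value may differ in case.
HIT_CASE = HIT.replace(b"User-Agent: iexp-get", b"user-agent: IEXP-GET")
# The CRLF terminator rejects agents that merely start with "iexp-get".
MISS_PREFIX = HIT.replace(b"iexp-get\r\n", b"iexp-getter/2.0\r\n")
# http_header: the same string inside the body is not searched.
MISS_BODY = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 22\r\n\r\nUser-Agent: iexp-get\r\n")

if __name__ == "__main__":
    for name, req in [("HIT", HIT), ("HIT_CASE", HIT_CASE),
                      ("MISS_PREFIX", MISS_PREFIX), ("MISS_BODY", MISS_BODY)]:
        print(name, matches_iexp_get(req))
```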
