[Snort-sigs] FILE-IDENTIFY FON font file download request (1:20269)

Rodgers, Anthony (DTMB) RodgersA1 at ...3985...
Mon May 11 07:43:17 EDT 2015

Perhaps we should negate geo.kaspersky.com for this sig?

It fires every morning for a host on our network that updates its AV sigs:

GET /diffs/bases/wmuf/wmuf0005.dat.fon HTTP/1.0
Host: dnl-11.geo.kaspersky.com
Pragma: no-cache
Cache-Control: no-cache
Connection: keep-alive
User-Agent: liByyC5fj_zqmQyr3w_1hp05wkkxu56lll-9u4uBVANMTAuMS4yNDk=

Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)
DTMB, Michigan Cyber Security
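
The host exclusion proposed in the message above, sketched as an added example (not part of the original post and not the rule's own logic). The ".fon" URI suffix check stands in for whatever 1:20269 actually matches, and the names EXCLUDED_SUFFIXES, parse_request, host_excluded and should_alert are assumptions. The exclusion is anchored on a label boundary so that a host which merely contains the vendor domain still alerts.

```python
# Added example: tuning logic for a ".fon download" alert with a host exclusion.
# Names and the ".fon" suffix test are assumptions, not Snort internals.

EXCLUDED_SUFFIXES = ("geo.kaspersky.com",)  # domain proposed in the post

# Constructed from the request quoted in the post (User-Agent omitted).
SAMPLE = (
    "GET /diffs/bases/wmuf/wmuf0005.dat.fon HTTP/1.0\r\n"
    "Host: dnl-11.geo.kaspersky.com\r\n"
    "Pragma: no-cache\r\n"
    "\r\n"
)


def parse_request(raw):
    """Return (lowercased URI path, normalized Host) from a raw request head."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    uri = parts[1] if len(parts) >= 2 else ""
    host = ""
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower()
            break
    if not host.startswith("["):       # leave bracketed IPv6 literals alone
        host = host.split(":", 1)[0]   # drop an explicit port
    host = host.rstrip(".")            # drop a trailing root dot
    path = uri.split("?", 1)[0].lower()
    return path, host


def host_excluded(host):
    """True only for the excluded domain itself or a real subdomain of it."""
    return any(host == s or host.endswith("." + s) for s in EXCLUDED_SUFFIXES)


def should_alert(raw):
    """Alert on a .fon request unless the Host is an excluded update server."""
    path, host = parse_request(raw)
    return path.endswith(".fon") and not host_excluded(host)


if __name__ == "__main__":
    print(parse_request(SAMPLE), should_alert(SAMPLE))
```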
