[Snort-sigs] FILE-IDENTIFY FON font file download request (1:20269)

Alex McDonnell amcdonnell at ...435...
Mon May 11 08:45:58 EDT 2015


Hey Anthony,

   This rule is currently pending a policy review; it will likely be
excluded from balanced-ips going forward. The thought behind this rule is
that .fon files are basically DLL files that have font files in the
resource section. This, like .scr and .cpl files, can lead to people
running programs because they don't think it's an executable.

thanks
Alex McDonnell
TALOS

On Mon, May 11, 2015 at 7:43 AM, Rodgers, Anthony (DTMB) <
RodgersA1 at ...3985...> wrote:

> Perhaps we should negate geo.kaspersky.com for this sig?
>
> It fires every morning for a host on our network that updates its AV sigs:
>
> GET /diffs/bases/wmuf/wmuf0005.dat.fon HTTP/1.0
> Host: dnl-11.geo.kaspersky.com
> Pragma: no-cache
> Cache-Control: no-cache
> Connection: keep-alive
> User-Agent: liByyC5fj_zqmQyr3w_1hp05wkkxu56lll-9u4uBVANMTAuMS4yNDk=
>
> --
> Anthony Rodgers
> Security Analyst
> Michigan Security Operations Center (MiSOC)
> DTMB, Michigan Cyber Security
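The exchange above boils down to two points: the rule fires on any GET for a `.fon` URI, and the proposed tuning is to exempt a known AV update host rather than drop the rule, because a `.fon` file is an MZ-headed (classically NE-format, 16-bit) DLL with fonts in its resource section. The following Python script is an added example written for this editorial pass, not code from the thread, from the Snort rule, or from Talos. It parses a request head modelled on the one Anthony posted (constructed sample), reproduces the rule's match, applies a host exemption list that is an assumption for the example, and checks whether a downloaded body really carries an MZ/NE or MZ/PE executable header, which is the reason the rule treats the extension as executable content.

```python
"""Triage of FON download requests with a host exemption, plus an
executable-header check on the fetched body. Added example; the exempt
host list and all sample data are constructed for illustration."""
import struct

# Constructed sample modelled on the request quoted in the thread.
SAMPLE_REQUEST = (
    "GET /diffs/bases/wmuf/wmuf0005.dat.fon HTTP/1.0\r\n"
    "Host: dnl-11.geo.kaspersky.com\r\n"
    "Pragma: no-cache\r\n"
    "Cache-Control: no-cache\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

# Assumption for the example: hosts whose .fon downloads are known-benign
# AV signature updates, as proposed in the thread.
EXEMPT_HOST_SUFFIXES = (".geo.kaspersky.com",)


def parse_request(raw: str):
    """Return (method, uri, headers) from a raw HTTP/1.x request head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def fon_download_alert(raw: str):
    """Mimic the FILE-IDENTIFY match: a GET whose path ends in .fon.
    Returns None (no match), 'exempt' (host on the allow list) or 'alert'."""
    method, uri, headers = parse_request(raw)
    path = uri.split("?", 1)[0]
    if method != "GET" or not path.lower().endswith(".fon"):
        return None
    host = headers.get("host", "").lower()
    if any(host == s.lstrip(".") or host.endswith(s) for s in EXEMPT_HOST_SUFFIXES):
        return "exempt"
    return "alert"


def executable_signature(data: bytes):
    """Classify an MZ-headed blob by the signature at e_lfanew (offset 0x3C):
    'NE' (16-bit DLL, the classic .fon layout), 'PE', bare 'MZ', or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    sig = data[e_lfanew:e_lfanew + 2]
    if sig == b"NE":
        return "NE"
    if sig == b"PE":
        return "PE"
    return "MZ"


def build_sample_fon_header() -> bytes:
    """Constructed minimal MZ stub whose e_lfanew points at an NE signature,
    the layout of a real .fon resource DLL (no real font data inside)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"NE" + bytes(0x3E)


if __name__ == "__main__":
    print("verdict:", fon_download_alert(SAMPLE_REQUEST))
    print("body header:", executable_signature(build_sample_fon_header()))
```

Running it on the constructed sample yields an `exempt` verdict for the Kaspersky host and `NE` for the sample body; the same request to any other host returns `alert`. The header check is the part worth keeping when tuning this rule: an exemption by hostname silences the noise, but a body that is not MZ-headed at all is a plain font and not what the rule was written to catch, while an MZ/PE body under a `.fon` name is exactly the case Alex describes.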

