[Snort-sigs] FILE-IDENTIFY FON font file download request (1:20269)

Rodgers, Anthony (DTMB) RodgersA1 at ...3985...
Mon May 11 09:27:52 EDT 2015


Cool – thanks!

--
Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)
DTMB, Michigan Cyber Security

From: Alex McDonnell [mailto:amcdonnell at ...435...]
Sent: Monday, May 11, 2015 08:46
To: Rodgers, Anthony (DTMB)
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] FILE-IDENTIFY FON font file download request (1:20269)

Hey Anthony,

This rule is currently pending a policy review; it will likely be excluded from balanced-ips going forward. The thought behind this rule is that .fon files are basically DLL files that have font files in the resource section. This, like .scr and .cpl files, can lead to people running programs because they don't think it's an executable.

thanks
Alex McDonnell
TALOS

On Mon, May 11, 2015 at 7:43 AM, Rodgers, Anthony (DTMB) <RodgersA1 at ...3985...> wrote:
Perhaps we should negate geo.kaspersky.com for this sig?

It fires every morning for a host on our network that updates its AV sigs:

GET /diffs/bases/wmuf/wmuf0005.dat.fon HTTP/1.0
Host: dnl-11.geo.kaspersky.com
Pragma: no-cache
Cache-Control: no-cache
Connection: keep-alive
User-Agent: liByyC5fj_zqmQyr3w_1hp05wkkxu56lll-9u4uBVANMTAuMS4yNDk=

--
Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)
DTMB, Michigan Cyber Security
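The following is an added example (not part of the thread, and not Talos' rule or Snort code) that models the two points raised above in working Python: a FILE-IDENTIFY style check that flags a GET for a URI ending in one of the "looks harmless but loads as a DLL" extensions (.fon, .scr, .cpl), an allow-list of vetted update hosts of the kind Anthony proposes (seeded here only with the Kaspersky host quoted in the thread; the suffix list and the `.invalid` hosts in the test are assumptions), and a content check showing why .fon gets grouped with executables: a .fon is a DOS MZ stub pointing at an NE (16-bit DLL) header, so it can be recognised by its bytes rather than its name. The sample request is the one quoted in the thread, re-typed with CRLF line endings; the NE header bytes are constructed for the example.

```python
"""Triage model for .fon / .scr / .cpl download alerts (added example).

Not the Snort rule itself: it shows the decision a tuned rule or a SIEM
post-filter would make, given the captured HTTP request head.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# DLL-like containers Windows will load although users rarely think of them
# as programs (the grouping given in the thread).
EXECUTABLE_DISGUISE_EXTENSIONS = {".fon", ".scr", ".cpl"}

# Assumed allow-list (suffix match) of vetted AV-update hosts; seeded from the
# host quoted in the thread. A real deployment maintains its own list.
VETTED_UPDATE_HOST_SUFFIXES = ("geo.kaspersky.com",)

# Constructed sample: the request quoted in the thread, as it appears on the wire.
SAMPLE_REQUEST = (
    b"GET /diffs/bases/wmuf/wmuf0005.dat.fon HTTP/1.0\r\n"
    b"Host: dnl-11.geo.kaspersky.com\r\n"
    b"Pragma: no-cache\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Connection: keep-alive\r\n"
    b"User-Agent: liByyC5fj_zqmQyr3w_1hp05wkkxu56lll-9u4uBVANMTAuMS4yNDk=\r\n"
    b"\r\n"
)

# Constructed minimal .fon/.dll head: "MZ", e_lfanew at offset 0x3C -> 0x40, "NE".
SAMPLE_FON_HEAD = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"NE" + b"\x00" * 6


@dataclass(frozen=True)
class HttpRequest:
    method: str
    target: str
    headers: dict[str, str]


def parse_request(raw: bytes) -> HttpRequest:
    """Parse the request line and headers of an HTTP/1.x request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split()
    method, target = parts[0], parts[1]
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, headers)


def requested_extension(target: str) -> str:
    """Extension of the URL path only; query string and fragment are ignored."""
    name = urlsplit(target).path.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def host_is_vetted(host: str) -> bool:
    """Exact or subdomain match against the allow-list (port stripped)."""
    host = host.split(":")[0].lower()
    return any(host == s or host.endswith("." + s) for s in VETTED_UPDATE_HOST_SUFFIXES)


def triage(raw: bytes) -> dict:
    """Decide whether a captured request should raise the alert."""
    req = parse_request(raw)
    ext = requested_extension(req.target)
    matches_rule = req.method == "GET" and ext in EXECUTABLE_DISGUISE_EXTENSIONS
    host = req.headers.get("host", "")
    return {
        "extension": ext,
        "host": host,
        "matches_rule": matches_rule,
        "alert": matches_rule and not host_is_vetted(host),
    }


def looks_like_windows_executable(data: bytes) -> str | None:
    """Return 'NE' or 'PE' when data is a DOS MZ stub pointing at an NE or PE
    header (the layout .fon and .dll files share), otherwise None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    off = int.from_bytes(data[0x3C:0x40], "little")
    sig = data[off:off + 4]
    if sig[:2] == b"NE":
        return "NE"
    if sig == b"PE\x00\x00":
        return "PE"
    return None


if __name__ == "__main__":
    print(triage(SAMPLE_REQUEST))            # matches the rule, but host is vetted -> no alert
    print(looks_like_windows_executable(SAMPLE_FON_HEAD))  # NE
```

The allow-list is deliberately a host-suffix check rather than an IP suppression: the update host in the capture is one of a numbered pool (`dnl-11`), so a per-IP suppression would need maintaining for every mirror, whereas matching on the Host header covers the whole domain.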


