[Snort-sigs] SID 39379 Norton Antivirus ASPack

Charlie Dyer charlierwdyer at ...2420...
Mon Feb 13 15:18:10 EST 2017


Thanks. How do I see the compiled code which is the root cause of this
false positive I'm seeing?
I'm seeing an Acrobat Reader executable being pushed out causing alerts for
this rule.

On Mon, Feb 13, 2017 at 8:10 PM, Y M <snort at ...3751...> wrote:

> A similar question came up the other day. This is a gid:3 rule, a Shared
> Object rule. The detection part is actually compiled code and what you
> see is the rule stub. The flowbit is set by another rule to make sure that
> the detection alerts on executable files.
>
> https://www.snort.org/faq/shared-object-rules
>
> YM
>
>
> ------------------------------
> *From:* Charlie Dyer <charlierwdyer at ...2420...>
> *Sent:* Monday, February 13, 2017 11:01:50 PM
> *To:* snort-sigs at lists.sourceforge.net
> *Subject:* [Snort-sigs] SID 39379 Norton Antivirus ASPack
>
> Hello list
>
> Could anyone shed light on the rule 39379?
>
> I can't see any content matching; it simply alerts on any file that is an
> executable being downloaded. Is that right?
> If so, what has this got to do with Norton Antivirus?
>
> Many thanks in advance.
>
> Charlie
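As an added illustration of the gid:3 / flowbits relationship YM describes (example code, not from the thread or the Snort ruleset): a small Python helper that parses rule text, resolves a `flowbits:isset` gate back to the rule that sets the bit, and flags stubs whose detection lives in the shared object rather than in the stub. The two sample rules, including the flowbit name `file.exe`, are constructed for illustration and are not the real SID 39379 stub.

```python
import re
from collections import defaultdict

# Constructed sample rules for illustration only. The gid:3 stub below is
# NOT the real SID 39379 stub, and the flowbit name "file.exe" is a placeholder.
SAMPLE_RULES = """
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE constructed PE magic rule"; flow:to_client,established; file_data; content:"MZ"; depth:2; flowbits:set,file.exe; flowbits:noalert; sid:1000001; gid:1; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE constructed SO stub"; flow:to_client,established; flowbits:isset,file.exe; sid:39379; gid:3; rev:1;)
"""

# Generic "name:value;" option pairs inside the rule body.
OPTION_RE = re.compile(r'(\w+):([^;]*);')


def parse_rule(line):
    """Pull gid, sid, flowbits operations and content-match count from one rule."""
    body = line[line.index('(') + 1:line.rindex(')')]
    opts = defaultdict(list)
    for name, value in OPTION_RE.findall(body):
        opts[name].append(value.strip())
    return {
        'gid': int(opts['gid'][0]) if opts['gid'] else 1,  # gid defaults to 1
        'sid': int(opts['sid'][0]),
        # flowbits values look like "set,name", "isset,name" or "noalert"
        'flowbits': [tuple(v.split(',', 1)) for v in opts['flowbits']],
        'content_matches': len(opts['content']),
    }


def resolve_gates(rules_text):
    """For every rule gated by flowbits:isset, report which rule(s) set that bit
    and whether the stub itself carries any content match."""
    parsed = [parse_rule(r) for r in rules_text.strip().splitlines() if r.strip()]
    setters = defaultdict(list)
    for r in parsed:
        for op in r['flowbits']:
            if op[0] == 'set' and len(op) == 2:
                setters[op[1]].append((r['gid'], r['sid']))
    gates = {}
    for r in parsed:
        for op in r['flowbits']:
            if op[0] == 'isset' and len(op) == 2:
                gates[(r['gid'], r['sid'])] = {
                    'bit': op[1],
                    'set_by': setters.get(op[1], []),
                    # gid:3 with no content match: the matching is in the shared object
                    'detection_in_so': r['gid'] == 3 and r['content_matches'] == 0,
                }
    return gates
```

Running `resolve_gates(SAMPLE_RULES)` maps the stub `(3, 39379)` to the gid:1 rule that sets `file.exe`, which is the rule to inspect when working out why a given executable download trips the stub.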