[Snort-sigs] Snort Rule 40755 and Shockwave Flash detection

Jonathan A. Yee jyee at ...4215...
Wed Jan 11 19:44:24 EST 2017


Hi all,

Apologies of this is posted to the incorrect mailing list.

One of our SourceFire boxes has been getting many alerts in relation to 
SID 40755 "FILE-FLASH Adobe Flash EnableDebugger2 obfuscation attempt" 
on seemingly innocuous Shockwave Flash sites.  The entire rule is:

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any 
(msg:"FILE-FLASH Adobe Flash EnableDebugger2 obfuscation attempt"; 
flow:to_client,established; file_data; content:"FWS"; depth:3; 
content:"|1F 10 75 19 24 31 24|"; content:"|00|"; within:1; distance:25; 
metadata:policy balanced-ips drop, policy security-ips drop, service 
ftp-data, service http, service imap, service pop3; 
reference:url,www.virustotal.com/en/file/1613acd34bfb85121bef0cd7a5cc572967912f9f674eefd7175f42ad2099e3d1/analysis/; 
classtype:attempted-user; sid:40755; rev:1; )

After examining the packet information, I can't seem to find a single 
occurrence of either the string or binary data within any of the 
frames.  However, the rule does seem to be triggering at seemingly 
random intervals.  I've tried going to the specific URIs and have not 
been able to forcibly trigger the rule.  I've checked the hash of each 
SWF file it's triggering on and not a single one matches the reference 
found in VT.  This leads me to believe that the rules is too broadly 
written and is causing false positives.

I was wondering if anyone had seen something similar or might have some 
insight for why this rule might be triggering on different SWF files.

Thanks in advance.

-- 
Jonathan (Jay) Yee
New Professional
Network Monitoring Team at SSCPAC
RDT&E Network Security, Code 82900
619-553-1064

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20170111/1c98dda4/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 1832 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20170111/1c98dda4/attachment.bin>


More information about the Snort-sigs mailing list