[Snort-sigs] BROWSER-OTHER TRUFFLEHUNTER SFVRT-1024 attack attempt (3:42014:1) alerts

Charlie Dyer charlierwdyer at ...2420...
Fri Mar 17 03:47:48 EDT 2017


Hello

Below is a list of hosts that are the destination of HTTP GETs that are
triggering the above rule, obviously not much detail on why, can't really
post all the URI data but here are a few:

http://media.rightmove.co.ukhttp://
media.rightmove.co.uk/dir/1k/505/58618708/505_BAI170129_IMG_06_0000_max_656x437.JPG

http://ib.adnxs.comhttp://
ib.adnxs.com/setuid?entity=43&code=4044211960863159294

http://sync.adaptv.advertising.comhttp://
sync.adaptv.advertising.com/turn_user_sync?

Weird how the URI has two 'http://' prefixes; in fact, all the URIs have
this.

Any ideas?

Below are the hosts.
