<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body dir="auto">
<div>Charlie,</div>
<div><br>
</div>
<div>Can you submit that to us with a pcap so we can take a look?</div>
<div><br>
</div>
<div><a href="http://blog.snort.org/2016/11/reporting-false-positives-with-snortorg.html?m=1">http://blog.snort.org/2016/11/reporting-false-positives-with-snortorg.html</a><br>
<br>
</div>
<div><br>
On Mar 17, 2017, at 03:09, Charlie Dyer <<a href="mailto:charlierwdyer@...2420...">charlierwdyer@...2420...</a>> wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>
<div dir="ltr">
<div>
<div>Following on from the previous message, the repeating http://&lt;host&gt; in the URI is only present in the http.request.full_uri; it does not repeat when using http.request.uri.<br>
</div>
It also repeats in the Sourcefire GUI under Full Request URI.<br>
<br>
</div>
Was this a hastily released rule, as I cannot see the SID in any recent release?<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Mar 17, 2017 at 7:47 AM, Charlie Dyer <span dir="ltr">
<<a href="mailto:charlierwdyer@...2420..." target="_blank">charlierwdyer@...2420...</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>
<div>Hello<br>
<br>
</div>
Below is a list of hosts that are the destination of HTTP GETs that are triggering the above rule. Obviously not much detail on why; can't really post all the URI data, but here are a few:<br>
<br>
http://media.rightmove.co.ukhttp://media.rightmove.co.uk/dir/1k/505/58618708/505_BAI170129_IMG_06_0000_max_656x437.JPG<br>
<br>
http://ib.adnxs.comhttp://ib.adnxs.com/setuid?entity=43&amp;code=4044211960863159294<br>
<br>
http://sync.adaptv.advertising.comhttp://sync.adaptv.advertising.com/turn_user_sync?<br>
<br>
</div>
Weird how the URI has two 'http://' prefixes, in fact all the URIs have this.<br>
<br>
</div>
<div>Any ideas?<br>
<br>
</div>
Below are the hosts.<br>
<div>
<div><br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<blockquote type="cite">
<div><span>_______________________________________________</span><br>
<span>Snort-sigs mailing list</span><br>
<span><a href="mailto:Snort-sigs@lists.sourceforge.net">Snort-sigs@...2570...sourceforge.net</a></span><br>
<span><a href="https://lists.sourceforge.net/lists/listinfo/snort-sigs">https://lists.sourceforge.net/lists/listinfo/snort-sigs</a></span><br>
<span></span><br>
<span><a href="http://www.snort.org">http://www.snort.org</a></span><br>
</div>
</blockquote>
</body>
</html>