[Snort-users] WEB-CLIENT Content-Disposition CLSID command attempt (Sig 1:2589) on google ip ranges?

Alex Kirk akirk at ...1935...
Tue Nov 10 15:23:26 EST 2009


Do you have a PCAP? I've been unable to reproduce this by going to the IPs
you've listed here - the Content-Disposition header is simply not present.

On Tue, Nov 10, 2009 at 3:11 PM, Chan, Wilson <wchan at ...14702...> wrote:

>  Anyone have any ideas why Snort is trigger this CLSID rule on google ip
> ranges?
>
>
>
> ==Snort Event==
>
> http://pastebin.ca/1665359
>
>
>
>
>
> *http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0420*
>
> *http://www.snortid.com/snortid.asp?QueryID=1:2589*
>
> * *
>
>
>
> These 5 ips owned by google is triggering this alert.
>
> 66.102.7.99
>
> 72.14.213.91
>
> 72.14.213.93
>
> 72.14.213.136
>
> 72.14.213.190
>
>
>
> OrgName:    Google Inc.
>
> NetRange:   72.14.192.0 - 72.14.255.255
>
> CIDR:       72.14.192.0/18
>
> NetRange:   66.102.0.0 - 66.102.15.255
>
> CIDR:       66.102.0.0/20
>
> NetName:    GOOGLE
>
>
>
>
>
> *Wilson *
>
>
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...1935...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20091110/db768494/attachment.html>


More information about the Snort-users mailing list