[Snort-users] WEB-CLIENT Content-Disposition CLSID command attempt(Sig 1:2589) on google ip ranges?

Chan, Wilson wchan at ...14702...
Tue Nov 10 15:47:24 EST 2009


Since it seems to be legit do we ignore the event or should a
suppression rule be written for the google IP ranges?


Wilson

-----Original Message-----
From: Adam Richards [mailto:adam.richards at ...14685...] 
Sent: Tuesday, November 10, 2009 10:29 AM
To: Chan, Wilson; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] WEB-CLIENT Content-Disposition CLSID command
attempt(Sig 1:2589) on google ip ranges?

Because of the string
AlbumArt_{29D4B86B-D143-4A32-83DA-4E535DADD8BF}_Large.jpg

In particular the {29D4B86B-D143-4A32-83DA-4E535DADD8BF} part.

Check out http://www.securityfocus.com/archive/1/351379

 

 

Adam Richards,CISSP

Sr. Systems Engineer

General Dynamics IT

1775 Jimmie Davis Hwy

Bossier City, LA 71112

318.868.4911

 

From: Chan, Wilson [mailto:wchan at ...14702...] 
Sent: Tuesday, November 10, 2009 2:12 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] WEB-CLIENT Content-Disposition CLSID command
attempt(Sig 1:2589) on google ip ranges?

 

Anyone have any ideas why Snort is trigger this CLSID rule on google ip
ranges?

 

==Snort Event==

http://pastebin.ca/1665359

 

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0420

http://www.snortid.com/snortid.asp?QueryID=1:2589

 

 

These 5 ips owned by google is triggering this alert.

66.102.7.99

72.14.213.91

72.14.213.93

72.14.213.136

72.14.213.190

 

OrgName:    Google Inc.

NetRange:   72.14.192.0 - 72.14.255.255

CIDR:       72.14.192.0/18

NetRange:   66.102.0.0 - 66.102.15.255

CIDR:       66.102.0.0/20

NetName:    GOOGLE

 

 

Wilson 

 


No virus found in this incoming message.
Checked by AVG - www.avg.com 
Version: 9.0.704 / Virus Database: 270.14.57/2492 - Release Date:
11/09/09 21:38:00





More information about the Snort-users mailing list