[Snort-users] WEB-CLIENT Content-Disposition CLSID command attempt(Sig 1:2589) on google ip ranges?

Joel Esler jesler at ...1935...
Tue Nov 10 18:13:11 EST 2009


You should suppress the alert based on the IP ranges.

J

On Tue, Nov 10, 2009 at 3:47 PM, Chan, Wilson <wchan at ...14702...> wrote:

> Since it seems to be legit, do we ignore the event, or should a
> suppression rule be written for the Google IP ranges?
>
>
> Wilson
>
> -----Original Message-----
> From: Adam Richards [mailto:adam.richards at ...14685...]
> Sent: Tuesday, November 10, 2009 10:29 AM
> To: Chan, Wilson; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] WEB-CLIENT Content-Disposition CLSID command
> attempt(Sig 1:2589) on google ip ranges?
>
> Because of the string
> AlbumArt_{29D4B86B-D143-4A32-83DA-4E535DADD8BF}_Large.jpg
>
> In particular the {29D4B86B-D143-4A32-83DA-4E535DADD8BF} part.
>
> Check out http://www.securityfocus.com/archive/1/351379
>
>
>
>
>
> Adam Richards,CISSP
>
> Sr. Systems Engineer
>
> General Dynamics IT
>
> 1775 Jimmie Davis Hwy
>
> Bossier City, LA 71112
>
> 318.868.4911
>
>
>
> From: Chan, Wilson [mailto:wchan at ...14702...]
> Sent: Tuesday, November 10, 2009 2:12 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] WEB-CLIENT Content-Disposition CLSID command
> attempt(Sig 1:2589) on google ip ranges?
>
>
>
> Anyone have any ideas why Snort is triggering this CLSID rule on Google IP
> ranges?
>
>
>
> ==Snort Event==
>
> http://pastebin.ca/1665359
>
>
>
>
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0420
>
> http://www.snortid.com/snortid.asp?QueryID=1:2589
>
>
>
>
>
> These 5 IPs owned by Google are triggering this alert.
>
> 66.102.7.99
>
> 72.14.213.91
>
> 72.14.213.93
>
> 72.14.213.136
>
> 72.14.213.190
>
>
>
> OrgName:    Google Inc.
>
> NetRange:   72.14.192.0 - 72.14.255.255
>
> CIDR:       72.14.192.0/18
>
> NetRange:   66.102.0.0 - 66.102.15.255
>
> CIDR:       66.102.0.0/20
>
> NetName:    GOOGLE
>
>
>
>
>
> Wilson
>
>
>
>
>
>
>
>



-- 
Joel Esler | 302-223-5974 | gtalk: jesler at ...1935...
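Added example (editor's illustration, not code from the thread or from the Snort ruleset): it shows both points raised above in runnable form, why a Content-Disposition filename like AlbumArt_{29D4B86B-...}.jpg trips a CLSID check, and how a by_src suppression scoped to the two Google netblocks from the whois output silences only those sources while the same pattern from any other server still alerts. The regex is a simplified stand-in for what sig 1:2589 keys on, an assumption, not the actual rule text; the HTTP response is constructed from the filename quoted in the thread. The `suppress_config()` function renders the matching threshold.conf line for Snort 2.x.

```python
import ipaddress
import re

# Constructed server->client response, modelled on the filename Adam quoted
# (AlbumArt_{GUID}_Large.jpg); it is not a real capture from the pastebin.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: image/jpeg\r\n"
    "Content-Disposition: attachment; "
    "filename=AlbumArt_{29D4B86B-D143-4A32-83DA-4E535DADD8BF}_Large.jpg\r\n"
    "\r\n"
)

# ASSUMPTION: simplified stand-in for the pattern sig 1:2589 looks for, i.e. a
# CLSID-shaped GUID inside the filename of a Content-Disposition header
# (the CVE-2004-0420 shell-execute vector). Not the real rule text.
CLSID_IN_DISPOSITION = re.compile(
    r"^Content-Disposition:[^\r\n]*filename=[^\r\n]*"
    r"(\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\})",
    re.IGNORECASE | re.MULTILINE,
)

# The Google netblocks from the whois output in the thread.
GOOGLE_RANGES = [ipaddress.ip_network(c) for c in ("72.14.192.0/18", "66.102.0.0/20")]


def matches_clsid_rule(response):
    """Return the CLSID found in a Content-Disposition filename, or None."""
    m = CLSID_IN_DISPOSITION.search(response)
    return m.group(1) if m else None


def is_suppressed(src_ip, networks=GOOGLE_RANGES):
    """Equivalent of 'track by_src': True when the alert's source address
    (the web server, since Content-Disposition is in the response) is inside
    one of the suppressed ranges."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in networks)


def evaluate(src_ip, response):
    """Outcome for one response: 'no-match', 'suppressed' or 'alert'."""
    if matches_clsid_rule(response) is None:
        return "no-match"
    return "suppressed" if is_suppressed(src_ip) else "alert"


def suppress_config(gid=1, sid=2589, networks=GOOGLE_RANGES):
    """Render the threshold.conf line that does what is_suppressed() does.
    Scoped to one sid and to the listed networks, so the rule keeps firing
    for every other server."""
    ips = ",".join(str(n) for n in networks)
    return f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip [{ips}]"


if __name__ == "__main__":
    # 72.14.213.91 and 66.102.7.99 are two of the five sources Wilson listed;
    # 203.0.113.10 is a documentation address standing in for "anyone else".
    for src in ("72.14.213.91", "66.102.7.99", "203.0.113.10"):
        print(src, evaluate(src, SAMPLE_RESPONSE))
    print(suppress_config())
```

Suppressing by source network rather than disabling the sid keeps the detection for any other server that hands the client a CLSID-named attachment; review the whois ranges periodically, since a suppression on a /18 is only as safe as the ownership of that block.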