[Snort-users] Netflix

Joel Esler jesler at ...1935...
Tue Aug 21 14:27:59 EDT 2012


On Aug 21, 2012, at 10:49 AM, Paul Cable <pcable at ...15769...> wrote:

> I am running Snort through the Alienvault Community edition.
>  
> We have a guy that likes to watch Netflix and use his Slingbox here. I’m not a big fan, but it hasn’t affected our internet connection speeds so I can’t really complain if it doesn’t hurt his production.
>  
> The problem is Netflix produces a lot of:
>  
> snort: "WEB-CLIENT Mozilla multiple content-type headers malicious redirect attempt"
>  
> First comes one:
>  
> snort: "ET POLICY Netflix Streaming Player Access"
>  
> Followed by a very large amount of the malicious redirect attempt messages. I started up a video and let it play for about 3 minutes and it generated 50-100 of these events. IE and Firefox.
>  
> I can suppress them on my end, but it would be nice to have them as part of the definitions say they are Netflix related, since I don’t think they should be considered malicious.
>  
> Then when I do get a malicious redirect attempt I won’t think it’s just Netflix.
>  
> I can provide more information or a pcap file if anyone needs more info.
>  

We'd be glad to accept a pcap so we can try and take a look at this and see if it's a false positive, or we can tune the rule somehow.

Thanks.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120821/a8a1eace/attachment.html>


More information about the Snort-users mailing list