[Snort-users] Netflix

Paul Cable pcable at ...15769...
Tue Aug 21 15:31:42 EDT 2012

Here is a pcap. About 100 of these were produced when starting the player.

Let me know if you have a different preference for file hosting, or need more information. I'm still pretty new to this.



From: Joel Esler [mailto:jesler at ...1935...]
Sent: Tuesday, August 21, 2012 2:28 PM
To: Paul Cable
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Netflix

On Aug 21, 2012, at 10:49 AM, Paul Cable <pcable at ...15769...<mailto:pcable at ...15769...>> wrote:

I am running Snort through the Alienvault Community edition.

We have a guy that likes to watch Netflix and use his Slingbox here. I'm not a big fan, but it hasn't affected our internet connection speeds so I can't really complain if it doesn't hurt his production.

The problem is Netflix produces a lot of:

snort: "WEB-CLIENT Mozilla multiple content-type headers malicious redirect attempt"

First comes one:

snort: "ET POLICY Netflix Streaming Player Access"

Followed by a very large amount of the malicious redirect attempt messages. I started up a video and let it play for about 3 minutes and it generated 50-100 of these events. IE and Firefox.

I can suppress them on my end, but it would be nice to have them as part of the definitions say they are Netflix related, since I don't think they should be considered malicious.

Then when I do get a malicious redirect attempt I won't think it's just Netflix.

I can provide more information or a pcap file if anyone needs more info.

We'd be glad to accept a pcap so we can try and take a look at this and see if it's a false positive, or we can tune the rule somehow.


Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120821/780ed457/attachment.html>

More information about the Snort-users mailing list