[Snort-users] Netflix

Joel Esler jesler at ...1935...
Tue Aug 21 17:40:55 EDT 2012


Thanks Paul, I'll have one of our guys take a look.


On Aug 21, 2012, at 3:31 PM, Paul Cable <pcable at ...15769...> wrote:

> Here is a pcap. About 100 of these were produced when starting the player.
>  
> Let me know if you have a different preference for file hosting, or need more information. I’m still pretty new to this.
>  
> http://www.filedropper.com/packetebc511e18e5100016c91b7aee05d4696
>  
>  
> Thanks,
> PC
>  
> From: Joel Esler [mailto:jesler at ...1935...] 
> Sent: Tuesday, August 21, 2012 2:28 PM
> To: Paul Cable
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Netflix
>  
>  
> On Aug 21, 2012, at 10:49 AM, Paul Cable <pcable at ...15769...> wrote:
> 
> 
> I am running Snort through the AlienVault Community edition.
>  
> We have a guy that likes to watch Netflix and use his Slingbox here. I’m not a big fan, but it hasn’t affected our internet connection speeds so I can’t really complain if it doesn’t hurt his production.
>  
> The problem is Netflix produces a lot of:
>  
> snort: "WEB-CLIENT Mozilla multiple content-type headers malicious redirect attempt"
>  
> First comes one:
>  
> snort: "ET POLICY Netflix Streaming Player Access"
>  
> Followed by a very large amount of the malicious redirect attempt messages. I started up a video and let it play for about 3 minutes and it generated 50-100 of these events. IE and Firefox.
>  
> I can suppress them on my end, but it would be nice to have them as part of the definitions say they are Netflix related, since I don’t think they should be considered malicious.
>  
> Then when I do get a malicious redirect attempt I won’t think it’s just Netflix.
>  
> I can provide more information or a pcap file if anyone needs more info.
>  
>  
> We'd be glad to accept a pcap so we can try and take a look at this and see if it's a false positive, or we can tune the rule somehow.
>  
> Thanks.
>  
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
