Are you sure you have the SID right? My 18372, rev:2, doesn't have that content match in it at all.
Joel
On Feb 16, 2011, at 9:43 AM, Weir, Jason wrote:
> Looks like a client downloading flash content...
>
> GET /portal/server.pt/gateway/PTARGS_0_2_23634_14364_435710_43/http%3B/pubcontent.state.pa.us/publishedcontent/publish/cop_general_government_operations/sers/branding/flash/animation_homepage2.swf HTTP/1.1
> Accept: */*
> User-Agent: contype
> Host: www.sers.state.pa.us
> Cookie: *****removed******
>
> GET /swf/masthead_large.swf HTTP/1.1
> Accept: */*
> User-Agent: contype
> Host: www.wxrv.com
> Cookie: *****removed******
>
> GET /multimedia/archive/00379/sivananda_sports_379768a.swf HTTP/1.1
> Accept: */*
> User-Agent: contype
> Host: www.thehindu.com
>
> Can we improve on this rule?
>
> -J
>
--
Joel Esler
jesler () sourcefire.com
http://blog.snort.org && http://blog.clamav.net

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org