snort-sigs February 2011 archive

Re: [Snort-sigs] FP on 18372

From: Weir, Jason <jason.weir_at_nospam>
Date: Wed Feb 16 2011 - 14:56:15 GMT
To: "Joel Esler" <jesler@sourcefire.com>

Thanks Joel...

I have this (rev:3)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST USER-AGENT known malicious user-agent string contype"; flow:to_server,established; content:"User-Agent|3A| contype|0D 0A|"; nocase; http_header; metadata:impact_flag red, service http; reference:url,labs.snort.org/docs/18372.html; classtype:trojan-activity; sid:18372; rev:3;)

-J

> -----Original Message-----
> From: Joel Esler [mailto:jesler@sourcefire.com]
> Sent: Wednesday, February 16, 2011 9:52 AM
> To: Weir, Jason
> Cc: snort-sigs@lists.sourceforge.net
> Subject: Re: [Snort-sigs] FP on 18372
>
>
> Are you sure you have the SID right? My 18372, rev:2,
> doesn't have that content match in it at all.
>
> Joel
>
> On Feb 16, 2011, at 9:43 AM, Weir, Jason wrote:
>
> > Looks like a client downloading flash content...
> >
> > GET /portal/server.pt/gateway/PTARGS_0_2_23634_14364_435710_43/http%3B/pubcontent.state.pa.us/publishedcontent/publish/cop_general_government_operations/sers/branding/flash/animation_homepage2.swf HTTP/1.1
> > Accept: */*
> > User-Agent: contype
> > Host: www.sers.state.pa.us
> > Cookie: *****removed******
> >
> > GET /swf/masthead_large.swf HTTP/1.1
> > Accept: */*
> > User-Agent: contype
> > Host: www.wxrv.com
> > Cookie: *****removed******
> >
> > GET /multimedia/archive/00379/sivananda_sports_379768a.swf HTTP/1.1
> > Accept: */*
> > User-Agent: contype
> > Host: www.thehindu.com
> >
> > Can we improve on this rule?
> >
> > -J
> >
>
> --
> Joel Esler
> jesler () sourcefire.com
> http://blog.snort.org && http://blog.clamav.net
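Added example, not from the thread and not Snort's own code: it replays the content match of the rev:3 rule Jason quoted (`content:"User-Agent|3A| contype|0D 0A|"; nocase; http_header;`) against the three requests he posted, so the reason for the false positive is visible. Every request whose header block carries that exact User-Agent line fires, whatever resource is being fetched, which is why ordinary .swf downloads trip it. Two constructed control requests show that a normal browser User-Agent does not match and that the string appearing only in a body does not match under `http_header`. The helper's view of the `http_header` buffer (headers after the request line, through the blank line) is an approximation of Snort's normalized buffer, and the Cookie values are the redacted placeholders from the post.

```python
"""Replay SID 18372 rev:3's content match against the requests quoted in
this thread. Added example; it is not Snort code and only approximates
Snort's http_header buffer."""
import re
from typing import List, Tuple

# content option exactly as written in the rev:3 rule quoted above
RULE_CONTENT = "User-Agent|3A| contype|0D 0A|"


def snort_content_to_bytes(pattern: str) -> bytes:
    """Turn Snort content notation (literal text with |XX XX| hex runs) into bytes."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")   # literal text outside the pipes
        else:
            out += bytes.fromhex(chunk)      # hex bytes inside the pipes
    return bytes(out)


def http_header_buffer(request: bytes) -> bytes:
    """Approximate the bytes Snort's http_header modifier inspects:
    everything after the request line through the terminating blank line.
    The request line and body are deliberately excluded."""
    _, _, rest = request.partition(b"\r\n")
    headers, terminator, _body = rest.partition(b"\r\n\r\n")
    return headers + terminator


def rule_matches(request: bytes, content: str = RULE_CONTENT, nocase: bool = True) -> bool:
    """True when the rule's content (with nocase and http_header) would match."""
    haystack = http_header_buffer(request)
    needle = snort_content_to_bytes(content)
    if nocase:
        haystack, needle = haystack.lower(), needle.lower()
    return needle in haystack


def request_target(request: bytes) -> Tuple[str, str]:
    """Return (Host header, request path) to help triage a hit."""
    line, _, rest = request.partition(b"\r\n")
    path = line.split(b" ")[1].decode("latin-1")
    m = re.search(rb"(?im)^Host:[ \t]*([^\r\n]+)", rest)
    host = m.group(1).decode("latin-1").strip() if m else ""
    return host, path


def triage(requests: List[bytes]) -> List[Tuple[str, str]]:
    """(host, path) of every request the rule would alert on."""
    return [request_target(r) for r in requests if rule_matches(r)]


# Constructed from the three requests quoted in the thread (cookies were
# already redacted there).
_HDRS = b"Accept: */*\r\nUser-Agent: contype\r\n"
THREAD_REQUESTS = [
    b"GET /portal/server.pt/gateway/PTARGS_0_2_23634_14364_435710_43/http%3B/pubcontent.state.pa.us/publishedcontent/publish/cop_general_government_operations/sers/branding/flash/animation_homepage2.swf HTTP/1.1\r\n"
    + _HDRS + b"Host: www.sers.state.pa.us\r\nCookie: *****removed******\r\n\r\n",
    b"GET /swf/masthead_large.swf HTTP/1.1\r\n"
    + _HDRS + b"Host: www.wxrv.com\r\nCookie: *****removed******\r\n\r\n",
    b"GET /multimedia/archive/00379/sivananda_sports_379768a.swf HTTP/1.1\r\n"
    + _HDRS + b"Host: www.thehindu.com\r\n\r\n",
]

# Constructed controls: a normal browser UA, and "contype" only in the body.
BROWSER_REQUEST = (b"GET /swf/masthead_large.swf HTTP/1.1\r\n"
                   b"Host: www.wxrv.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n")
BODY_ONLY_REQUEST = (b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
                     b"User-Agent: Mozilla/5.0\r\nContent-Length: 21\r\n\r\n"
                     b"User-Agent: contype\r\n")

if __name__ == "__main__":
    for host, path in triage(THREAD_REQUESTS):
        print(f"alert: {host}{path}")
    print("browser UA matches:", rule_matches(BROWSER_REQUEST))
    print("body-only matches:", rule_matches(BODY_ONLY_REQUEST))
```

Running it lists all three hosts from the thread as hits and reports False for both controls; the `triage` list is the kind of host/path summary an analyst would pull from the alert log to confirm that every hit is a Flash download before deciding how to tune the rule.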
