snort-sigs February 2011 archive

Re: [Snort-sigs] FP on 18372

From: Alex Kirk <akirk_at_nospam>
Date: Wed Feb 16 2011 - 14:55:43 GMT
To: Joel Esler <jesler@sourcefire.com>

He does - ironically enough, that SID was updated to rev:3 yesterday because
the original User-Agent string used in the rule produced FPs with
RealPlayer.

Digging a bit deeper on "contype", it seems that it has mixed uses -
sometimes bots use it (as would have been the case in the malware sandbox),
sometimes legit apps use it. We'll dig a different User-Agent out of the DB,
vet it more thoroughly, and hopefully the third time will be a charm.

On Wed, Feb 16, 2011 at 9:52 AM, Joel Esler <jesler@sourcefire.com> wrote:

> Are you sure you have the SID right? My 18372, rev:2, doesn't have that
> content match in it at all.
>
> Joel
>
> On Feb 16, 2011, at 9:43 AM, Weir, Jason wrote:
>
> > Looks like a client downloading flash content...
> >
> > GET /portal/server.pt/gateway/PTARGS_0_2_23634_14364_435710_43/http%3B/pubcontent.state.pa.us/publishedcontent/publish/cop_general_government_operations/sers/branding/flash/animation_homepage2.swf HTTP/1.1
> > Accept: */*
> > User-Agent: contype
> > Host: www.sers.state.pa.us
> > Cookie: *****removed******
> >
> > GET /swf/masthead_large.swf HTTP/1.1
> > Accept: */*
> > User-Agent: contype
> > Host: www.wxrv.com
> > Cookie: *****removed******
> >
> > GET /multimedia/archive/00379/sivananda_sports_379768a.swf HTTP/1.1
> > Accept: */*
> > User-Agent: contype
> > Host: www.thehindu.com
> >
> > Can we improve on this rule?
> >
> > -J
> >
>
> --
> Joel Esler
> jesler () sourcefire.com
> http://blog.snort.org && http://blog.clamav.net

--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk@sourcefire.com

------------------------------------------------------------------------------
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.
http://p.sf.net/sfu/intel-dev2devfeb

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
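As an added illustration of the vetting step Alex describes (this is not code from the thread, from Sourcefire, or from any Snort rule), the script below parses the requests Jason quoted and shows that a match keyed on the User-Agent string "contype" alone fires on three ordinary .swf downloads. The sample is reconstructed from the thread with the cookies omitted, plus one constructed browser request for contrast; all function names are assumptions.

```python
import re
from collections import Counter
# Constructed sample: the three requests quoted in the thread (cookies omitted) plus one constructed browser request.
SAMPLE_REQUESTS = """\
GET /portal/server.pt/gateway/PTARGS_0_2_23634_14364_435710_43/http%3B/pubcontent.state.pa.us/publishedcontent/publish/cop_general_government_operations/sers/branding/flash/animation_homepage2.swf HTTP/1.1
Accept: */*
User-Agent: contype
Host: www.sers.state.pa.us

GET /swf/masthead_large.swf HTTP/1.1
Accept: */*
User-Agent: contype
Host: www.wxrv.com

GET /multimedia/archive/00379/sivananda_sports_379768a.swf HTTP/1.1
Accept: */*
User-Agent: contype
Host: www.thehindu.com

GET /index.html HTTP/1.1
User-Agent: Mozilla/5.0 (constructed)
Host: www.example.com
"""
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]$")

def parse_requests(text):
    """Split blank-line separated HTTP requests into (method, path, headers)."""
    reqs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = REQUEST_LINE.match(lines[0])
        if not m:
            continue  # skip anything that is not a request line
        headers = dict((n.strip().lower(), v.strip())
                       for n, _, v in (l.partition(":") for l in lines[1:]))
        reqs.append({"method": m["method"], "path": m["path"], "headers": headers})
    return reqs

def ua_alerts(reqs, ua="contype"):
    """Naive User-Agent-only match, as a rule keyed on the UA string would fire."""
    return [r for r in reqs if r["headers"].get("user-agent") == ua]

def resource_profile(alerts):
    """Count requested file extensions: all-.swf hits look like content downloads, not bot traffic."""
    exts = Counter()
    for r in alerts:
        name = r["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        exts[name.rsplit(".", 1)[-1].lower() if "." in name else "(none)"] += 1
    return exts
```

Run over real captures, the same profile (extensions plus the `host` header of each alert) is what tells you whether a candidate User-Agent string is dominated by legitimate clients before it goes into a rule.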