Snort mailing list archives

Re: FP 13628
From: rmkml <rmkml () yahoo fr>
Date: Tue, 9 Nov 2010 07:47:50 +0100 (CET)

Hi James,
Thanks for the feedback,
maybe add this pcre for reducing FP: pcre:!"/\.mdb[a-z]/Ui";
Regards
Rmkml
(SFCP)


On Tue, 12 Oct 2010, Lay, James wrote:

Rule:
web-client.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft Access file download request"; flow:to_server,established; content:"GET"; nocase; content:".mdb"; nocase; http_uri; metadata:service http; reference:url,support.microsoft.com/kb/925330; classtype:misc-activity; sid:13628; rev:3;)

Hit:
10/12-08:48:12.137728  [**] [1:13628:3] WEB-CLIENT Microsoft Access file download request [**] [Classification: Misc activity] [Priority: 3] {TCP} external_ip:35650 -> 74.203.241.33:80

Partial packet dump
08:48:12.137728 IP 66.193.105.132.35650 > 74.203.241.33.80: Flags [.], ack 2324326637, win 65535, length 536
        0x0000:  4500 0240 7b1a 0000 7e06 d76b 42c1 6984  E..@{...~..kB.i.
        0x0010:  4acb f121 8b42 0050 e92c d348 8a8a 68ed  J..!.B.P.,.H..h.
        0x0020:  5010 ffff 02d1 0000 4745 5420 2f75 732f  P.......GET./us/
        0x0030:  7231 3030 302f 3034 322f 4665 6174 7572  r1000/042/Featur
        0x0040:  6573 2f63 342f 3064 2f33 662f 646a 2e6d  es/c4/0d/3f/dj.m
        0x0050:  6462 6d74 746b 742e 3735 7837 352d 3635  dbmttkt.75x75-65
        0x0060:  2e6a 7067 2048 5454 502f 312e 310d 0a56  .jpg.HTTP/1.1..V
        0x0110:  4230 355b 4345 5d0d 0a55 7365 722d 4167  B05[CE]..User-Ag
        0x0120:  656e 743a 2069 5475 6e65 732f 3130 2e30  ent:.iTunes/10.0
        0x0130:  2e31 2028 5769 6e64 6f77 733b 204d 6963  .1.(Windows;.Mic
        0x0140:  726f 736f 6674 2057 696e 646f 7773 2058  rosoft.Windows.X
        0x0150:  5020 5072 6f66 6573 7369 6f6e 616c 2053  P.Professional.S
        0x0160:  6572 7669 6365 2050 6163 6b20 3320 2842  ervice.Pack.3.(B
        0x0170:  7569 6c64 2032 3630 3029 2920 4170 706c  uild.2600)).Appl
        0x0180:  6557 6562 4b69 742f 3533 332e 3138 2e31  eWebKit/533.18.1
        0x0190:  0d0a 486f 7374 3a20 6131 2e70 686f 626f  ..Host:.a1.phobo
        0x01a0:  732e 6170 706c 652e 636f 6d0d 0a52 6566  s.apple.com..Ref
        0x01b0:  6572 6572 3a20 6874 7470 3a2f 2f61 782e  erer:.http://ax.
        0x01c0:  6974 756e 6573 2e61 7070 6c65 2e63 6f6d  itunes.apple.com
        0x01d0:  2f57 6562 4f62 6a65 6374 732f 4d5a 5374  /WebObjects/MZSt
        0x01e0:  6f72 652e 776f 612f 7761 2f76 6965 7747  ore.woa/wa/viewG
        0x01f0:  726f 7570 696e 673f 6964 3d33 370d 0a41  rouping?id=37..A
        0x0200:  6363 6570 743a 202a 2f2a 0d0a 4163 6365  ccept:.*/*..Acce
        0x0210:  7074 2d4c 616e 6775 6167 653a 2065 6e2d  pt-Language:.en-
        0x0220:  7573 2c20 656e 3b71 3d30 2e35 300d 0a58  us,.en;q=0.50..X
        0x0230:  2d41 7070 6c65 2d43 7569 643a 2066 3335  -Apple-Cuid:.f35
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
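To see why sid 13628 rev 3 fires on the iTunes artwork request in the quoted dump, and what the suggested negated pcre changes, here is an added Python model of the two detection options. It is not part of the thread or of the Snort rule set: the first URI is reconstructed from the hex dump above, the other request lines are constructed samples, and the "GET" content match is simplified to the request method (the real rule matches "GET" anywhere in the payload).

```python
import re
from typing import NamedTuple

# Request lines used as sample input. The first URI is reconstructed from the
# hex dump in the quoted message; the others are constructed for comparison.
SAMPLE_REQUESTS = [
    "GET /us/r1000/042/Features/c4/0d/3f/dj.mdbmttkt.75x75-65.jpg HTTP/1.1",
    "GET /share/customers.mdb HTTP/1.1",
    "GET /download.php?file=Sales.MDB&token=abc HTTP/1.1",
    "GET /img/db.mdb.jpg HTTP/1.1",
    "POST /share/customers.mdb HTTP/1.1",
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/1\.[01]$")

# Equivalent of  pcre:!"/\.mdb[a-z]/Ui";  -- 'U' means the normalised URI buffer,
# 'i' case-insensitive, and the leading '!' negates the result in the rule.
MDB_FOLLOWED_BY_LETTER = re.compile(r"\.mdb[a-z]", re.IGNORECASE)


class Verdict(NamedTuple):
    uri: str
    content_hit: bool       # content:".mdb"; nocase; http_uri;
    pcre_excluded: bool     # the negated pcre matched, so the rule is suppressed
    fires_rev3: bool        # rule as posted (rev 3)
    fires_with_pcre: bool   # rule with the suggested negated pcre appended


def evaluate(request_line: str) -> Verdict:
    """Model both rule variants against one HTTP request line."""
    m = REQUEST_LINE.match(request_line)
    if m is None:
        raise ValueError(f"not an HTTP request line: {request_line!r}")
    method, uri = m.group("method"), m.group("uri")

    # content:"GET"; nocase;  (simplified here to the request method)
    has_get = method.upper() == "GET"
    # content:".mdb"; nocase; http_uri;  -- substring match on the URI
    content_hit = ".mdb" in uri.lower()
    fires_rev3 = has_get and content_hit

    # Negated pcre: the rule only fires if the pattern does NOT match the URI.
    pcre_excluded = MDB_FOLLOWED_BY_LETTER.search(uri) is not None
    fires_with_pcre = fires_rev3 and not pcre_excluded
    return Verdict(uri, content_hit, pcre_excluded, fires_rev3, fires_with_pcre)


def summarize(request_lines=SAMPLE_REQUESTS):
    """Evaluate every sample request and return the verdicts in order."""
    return [evaluate(line) for line in request_lines]


if __name__ == "__main__":
    for v in summarize():
        print(f"rev3={v.fires_rev3!s:5} with_pcre={v.fires_with_pcre!s:5}  {v.uri}")
```

Running it shows the iTunes URI hitting rev 3 (".mdb" sits inside "dj.mdbmttkt") but being excluded once the pcre sees ".mdbm", while "customers.mdb" and "Sales.MDB&token=abc" still fire. The constructed "db.mdb.jpg" case shows the limit of the suggestion: ".mdb" followed by a dot, digit or dash is not covered by `[a-z]`, so such URIs still alert.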
