Snort mailing list archives

Re: WEB-CLIENT Excel malformed FBI record - False positive?


From: Jesper Skou Jensen <jesper.skou.jensen () uni-c dk>
Date: Wed, 09 Jul 2008 11:52:13 +0200

Jack Pepper wrote:
Check the config file for accuracy, or check that the snort service is  
using the same config file that you think it's using.

Joel Esler wrote:
Do you have two HOME_NET lines in your snort.conf file?  I'm not saying
anything bad or anything, but it looks like to me that you have two
HOME_NET definitions.


D'oh... You guys were spot on.

It turns out that Debian is just a bit too smart at times... They have 
their own config file with a few entries (including home_net) that it 
uses, instead of those in the snort.conf file.

Thank you guys for spotting this.


It's a bit weird though, that the rule fires at all, because from what I 
can gather from the server-logs, there are no Excel files on it, only 
Word Documents, and the Word Document that was downloaded when this 
alert fired, is not malicious according to www.virustotal.com so I doubt 
there is anything fishy in it.


-- 

   Jesper S. Jensen
Basisnet og Sikkerhed
Uni-C - Århus, Danmark
    +45 8937-6666

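A check for the duplicate HOME_NET definition Joel points to, as an added example that is not part of the thread or of Snort itself: it walks a snort.conf and the files it pulls in via `include` and reports every variable defined more than once. The file names and contents below are constructed; the distro override file and its name are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample config files modelled on the thread: snort.conf defines
# HOME_NET itself and also includes a (hypothetical) distro-provided file
# that defines HOME_NET a second time.
SAMPLE_FILES = {
    "snort.conf": (
        "var HOME_NET 10.0.0.0/8\n"
        "var EXTERNAL_NET !$HOME_NET\n"
        "include local-overrides.conf\n"
        "include classification.config\n"
    ),
    "local-overrides.conf": "var HOME_NET any\n",
    "classification.config": "config classification: misc-activity,Misc activity,3\n",
}

VAR_RE = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\S+)\s+(.*\S)\s*$")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")

def collect_vars(files, entry="snort.conf"):
    """Walk `entry` and its includes in order; return {VAR: [(file, line, value), ...]}."""
    found = defaultdict(list)
    seen = set()

    def walk(name):
        if name in seen or name not in files:   # skip include cycles and missing files
            return
        seen.add(name)
        for lineno, line in enumerate(files[name].splitlines(), 1):
            m = VAR_RE.match(line)
            if m:
                found[m.group(1)].append((name, lineno, m.group(2)))
                continue
            m = INCLUDE_RE.match(line)
            if m:
                walk(m.group(1))

    walk(entry)
    return dict(found)

def duplicate_vars(files, entry="snort.conf"):
    """Return only the variables defined more than once, in the order Snort would read them."""
    return {k: v for k, v in collect_vars(files, entry).items() if len(v) > 1}

if __name__ == "__main__":
    for var, defs in duplicate_vars(SAMPLE_FILES).items():
        print(f"{var} is defined {len(defs)} times:")
        for fname, lineno, value in defs:
            print(f"  {fname}:{lineno}: {value}")
```

To run it against a real deployment, replace `SAMPLE_FILES` with a dict read from the directory the running snort process was actually started with, since (as the thread shows) that may not be the snort.conf you are editing.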