Snort mailing list archives
Re: FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get
From: Matt Olney <molney () sourcefire com>
Date: Sun, 13 Mar 2011 18:58:07 -0400
Actually, in this case this isn't a false positive. The alert is on a web get with a user agent "iexp-get" which is associated with baidu.com. Baidu is considered adware and malware from some sources (I'm not judging one way or another) and has a rule here for use if you see fit. So you have a policy decision. If you allow the baidu service, you can disable the rule. Otherwise, it worked :)

Ghost makes a good point on properly terminating string searches. We correctly do that here and limit the search to the header:

content:"User-Agent|3A| iexp-get|0D 0A|"; nocase; http_header;

The metadata:impact_flag is used by the Sourcefire appliance to prioritize alerts. In certain circumstances, particularly in malware, we need to explicitly call out the level of the alert. This has no impact on opensource users.

Matt

On Sun, Mar 13, 2011 at 5:19 PM, Jason Haar <Jason.Haar () trimble co nz> wrote:
We just had this trigger when a user downloaded an update from Baidu.com

The URLs were

GET http://dzl.baidu.com/update/cab/realname.dat
GET http://dzl.baidu.com/iexp/config/control.ini

The rule is a combination of a User-Agent match and a "metadata:impact_flag" (does the latter mean there's some extra checks going on or is that simply a classification tag?)

I found a hit from Emerging-sigs from last year about it as a FP too - I guess Sourceforge is a bit behind on this one? ;-)

http://answerpot.com/showthread.php?1019370-need+info+for+Baidu+2003608

I can ship the PCAP if you want it (it's got the user's cookies - so I won't publish here)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

------------------------------------------------------------------------------
Colocation vs. Managed Hosting
A question and answer guide to determining the best fit for your organization - today and in the future.
http://p.sf.net/sfu/internap-sfd2d
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
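The point Matt makes about the rule's content match (a terminated string, searched only in the HTTP header buffer) is easier to see with a small matcher. The following is an added example, not Snort's own matching engine and not code from the thread: it converts the rule's `content:` string to bytes the way Snort reads `|hex|` escapes, approximates the `http_header` buffer as the header lines after the request line, and runs the terminated and an unterminated variant of the pattern over three constructed requests. The request bodies and the `example.invalid` host are constructed sample data; the Baidu URL path comes from Jason's report.

```python
# Constructed sample HTTP requests (not taken from the PCAP mentioned in the thread).
REQ_BAIDU = (
    b"GET /update/cab/realname.dat HTTP/1.1\r\n"
    b"Host: dzl.baidu.com\r\n"
    b"User-Agent: IEXP-GET\r\n"          # mixed case, to exercise 'nocase'
    b"\r\n"
)
REQ_PREFIX = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: iexp-getter/2.0\r\n"   # shares the prefix but is a different agent
    b"\r\n"
)
REQ_BODY_ONLY = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: curl/7.0\r\n"
    b"Content-Length: 20\r\n"
    b"\r\n"
    b"User-Agent: iexp-get"              # the string appears only in the body
)

# The rule's own content string, and an unterminated variant for comparison.
TERMINATED = "User-Agent|3A| iexp-get|0D 0A|"
UNTERMINATED = "User-Agent|3A| iexp-get"


def snort_content_to_bytes(content: str) -> bytes:
    """Turn a Snort content string into raw bytes: text outside |...| is literal,
    text inside |...| is space-separated hex."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            out += bytes.fromhex(part)
    return bytes(out)


def http_header_buffer(request: bytes) -> bytes:
    """Approximation (assumption, not Snort's exact buffer layout) of the
    http_header buffer: the header lines after the request line, including the
    CRLFs that terminate them, and nothing from the body."""
    head, sep, _body = request.partition(b"\r\n\r\n")
    end_of_request_line = head.find(b"\r\n")
    if end_of_request_line == -1:
        return b""
    return head[end_of_request_line + 2:] + sep


def matches(request: bytes, content: str, header_only: bool = True, nocase: bool = True) -> bool:
    """Emulate 'content:"..."; nocase; http_header;' against one request.
    With header_only=False the whole request (headers and body) is searched,
    which is what an unmodified content match without http_header would do."""
    pattern = snort_content_to_bytes(content)
    buf = http_header_buffer(request) if header_only else request
    if nocase:
        return pattern.lower() in buf.lower()
    return pattern in buf


def evaluate(request: bytes) -> dict:
    """Summarise how the terminated rule pattern and the unterminated variant
    behave on one request, both header-restricted and over the whole request."""
    return {
        "terminated_header": matches(request, TERMINATED),
        "unterminated_header": matches(request, UNTERMINATED),
        "unterminated_anywhere": matches(request, UNTERMINATED, header_only=False),
    }


if __name__ == "__main__":
    for name, req in (("baidu", REQ_BAIDU), ("prefix", REQ_PREFIX), ("body-only", REQ_BODY_ONLY)):
        print(name, evaluate(req))
```

Running it shows the three behaviours Matt describes: the Baidu request fires under every variant (nocase handles the upper-case agent), the `iexp-getter` request fires only when the trailing `|0D 0A|` is dropped, and the request that carries the string in its body fires only when the search is not limited to the header buffer.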
Current thread:
- FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get Jason Haar (Mar 13)
- Re: FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get Matt Olney (Mar 13)
- Re: FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get evilghost () packetmail net (Mar 13)
- Re: FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get Matt Olney (Mar 13)
- Re: FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get Jason Haar (Mar 13)
- Re: FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get evilghost () packetmail net (Mar 13)
