Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] Fp ON 2001702

from [Michael Scheidell] Network Security [Permanent Link]
Subject: [Snort-sigs] Fp ON 2001702
Date: Mon, 4 Jul 2005 11:24:25 -0400 
Seems if you have sun java engine on your windows XP engine and attempt
to update it, you trigger the 2001702 signature:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:
"BLEEDING-EDGE MALWARE Shop at Home Select Spyware Activity"; flow:
established,to_server; content:"User-Agent\: "; nocase;
content:"Bundle"; nocase; classtype: policy-violation; sid: 2001702;
rev:6;) 

Should we not use some type of offset or use pcre to make sure 'Bundle'
comes after User-Agent?
Maybe this should be looked at for all of the 'user-agent' strings?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:
"BLEEDING-EDGE MALWARE Shop at Home Select Spyware Activity"; flow:
established,to_server; pcre:"/User-Agent\:.*Bundle/i"; classtype:
policy-violation; sid: 2001702; rev:7;) 

000 : 47 45 54 20 2F 77 65 62 61 70 70 73 2F 64 6F 77   GET /webapps/dow
010 : 6E 6C 6F 61 64 2F 41 75 74 6F 44 4C 3F 42 75 6E   nload/AutoDL?Bun
020 : 64 6C 65 49 64 3D 39 39 39 33 20 48 54 54 50 2F   dleId=9993 HTTP/
030 : 31 2E 31 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A   1.1..Accept: */*
040 : 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69 6E   ..Accept-Encodin
050 : 67 3A 20 69 64 65 6E 74 69 74 79 0D 0A 52 61 6E   g: identity..Ran
060 : 67 65 3A 20 62 79 74 65 73 3D 30 2D 34 38 37 31   ge: bytes=0-4871
070 : 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 69   ..User-Agent: Mi
080 : 63 72 6F 73 6F 66 74 20 42 49 54 53 2F 36 2E 36   crosoft BITS/6.6
090 : 0D 0A 48 6F 73 74 3A 20 6A 64 6C 2E 73 75 6E 2E   ..Host: jdl.sun.
0a0 : 63 6F 6D 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A   com..Connection:
0b0 : 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 0D 0A       Keep-Alive....



-------------------------------------------------------
This SF.Net email is sponsored by the 'Do More With Dual!' webinar happening
July 14 at 8am PDT/11am EDT. We invite you to explore the latest in dual
core and dual graphics technology at this free one hour event hosted by HP,
AMD, and NVIDIA.  To register visit http://www.hp.com/go/dualwebinar
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] Bleedingsnort.com Daily Update, bleeding
Next by Date:  [Snort-sigs] False positive Id=1:1113, Loriente Ara, Luis Antonio
Previous by Thread:  [Snort-sigs] change msg nortan to norton on sid 2485 (snort233b14), rmkml
Next by Thread:  [Snort-sigs] Re: Fp ON 2001702, Matt Jonkman
Indexes:  [Date] [Thread] [Top] [All Lists]