Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-sigs] Fp ON 2001702

from [Matt Jonkman] Network Security [Permanent Link]
Subject: Re: [Snort-sigs] Fp ON 2001702
Date: Thu, 14 Jul 2005 09:12:10 -0500 
I think pcre is very appropriate here. I'll make the change and post.
Give me about 2 minutes.

Thanks Michael!

Matt

Michael Scheidell wrote:

Seems if you have sun java engine on your windows XP engine and attempt
to update it, you trigger the 2001702 signature:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:
"BLEEDING-EDGE MALWARE Shop at Home Select Spyware Activity"; flow:
established,to_server; content:"User-Agent\: "; nocase;
content:"Bundle"; nocase; classtype: policy-violation; sid: 2001702;
rev:6;) 

Should we not use some type of offset or use pcre to make sure 'Bundle'
comes after User-Agent?
Maybe this should be looked at for all of the 'user-agent' strings?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:
"BLEEDING-EDGE MALWARE Shop at Home Select Spyware Activity"; flow:
established,to_server; pcre:"/User-Agent\:.*Bundle/i"; classtype:
policy-violation; sid: 2001702; rev:7;) 

000 : 47 45 54 20 2F 77 65 62 61 70 70 73 2F 64 6F 77   GET /webapps/dow
010 : 6E 6C 6F 61 64 2F 41 75 74 6F 44 4C 3F 42 75 6E   nload/AutoDL?Bun
020 : 64 6C 65 49 64 3D 39 39 39 33 20 48 54 54 50 2F   dleId=9993 HTTP/
030 : 31 2E 31 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A   1.1..Accept: */*
040 : 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69 6E   ..Accept-Encodin
050 : 67 3A 20 69 64 65 6E 74 69 74 79 0D 0A 52 61 6E   g: identity..Ran
060 : 67 65 3A 20 62 79 74 65 73 3D 30 2D 34 38 37 31   ge: bytes=0-4871
070 : 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 69   ..User-Agent: Mi
080 : 63 72 6F 73 6F 66 74 20 42 49 54 53 2F 36 2E 36   crosoft BITS/6.6
090 : 0D 0A 48 6F 73 74 3A 20 6A 64 6C 2E 73 75 6E 2E   ..Host: jdl.sun.
0a0 : 63 6F 6D 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A   com..Connection:
0b0 : 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 0D 0A       Keep-Alive....



-------------------------------------------------------
This SF.Net email is sponsored by the 'Do More With Dual!' webinar happening
July 14 at 8am PDT/11am EDT. We invite you to explore the latest in dual
core and dual graphics technology at this free one hour event hosted by HP,
AMD, and NVIDIA.  To register visit http://www.hp.com/go/dualwebinar
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs


-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
www.bleedingsnort.com
--------------------------------------------


NOTICE: The information contained in this email is confidential
and intended solely for the intended recipient. Any use,
distribution, transmittal or retransmittal of information
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender
and delete all copies.


-------------------------------------------------------
This SF.Net email is sponsored by the 'Do More With Dual!' webinar happening
July 14 at 8am PDT/11am EDT. We invite you to explore the latest in dual
core and dual graphics technology at this free one hour event hosted by HP,
AMD, and NVIDIA.  To register visit http://www.hp.com/go/dualwebinar
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] 1:2515 false positive, giulio . martinat
Next by Date:  [Snort-sigs] Bleedingsnort.com Daily Update, bleeding
Previous by Thread:  [Snort-sigs] Re: Fp ON 2001702, Frank Knobbe
Next by Thread:  [Snort-sigs] False positive Id=1:1113, Loriente Ara, Luis Antonio
Indexes:  [Date] [Thread] [Top] [All Lists]