List: bleeding-sigs
Subject: RE: [Bleeding-sigs] FP for CoolDeskAlert/ Sig 2003463
From: "Michael Scheidell" <scheidell () secnap ! net>
Date: 2007-03-08 1:42:00
Message-ID: B3BCAF4246A8A84983A80DAB50FE7242863260 () secnap2 ! secnap ! com
> -----Original Message-----
> From: bleeding-sigs-bounces@bleedingthreats.net
> [mailto:bleeding-sigs-bounces@bleedingthreats.net] On Behalf
> Of Matt Jonkman
> Sent: Wednesday, March 07, 2007 2:01 PM
> To: Bleeding Sigs
> Subject: Re: [Bleeding-sigs] FP for CoolDeskAlert/ Sig 2003463
>
>
> Had a discussion on irc, cunningpike brought this up too. I
> added a second content negation for it. Current version is here:
>
> http://doc.bleedingthreats.net/2003463
>
> I don't think there'll be a huge difference in load on either.
>
> Although, negating the host: toolbar.... might be more
> reliable. Anyone can use that UA string, but it'd be tough to
> use the google host string. Thoughts?
>
IF the google host string is consistent.
(and, yes, negating via UA is easy)
Just look at what is happening with some of these viruses: starting,
what was it, a month ago, 6:30 one Sunday am (eastern time), all of a
sudden we get morphing trojan-downloaders, all off by a few bytes.
However, real hackers (crackers?) don't really need to care about the
small (infinitesimally small) number of companies that can actually track
them; I don't think they really care about snort/bleeding edge rules.
They can cause enough havoc with the people who won't even patch their
systems, let alone those who actually monitor them.
--
Michael Scheidell, CTO
SECNAP Network Security
Privacy and Security Training: (ok, we do a lot more than that)
http://www.secnap.com/training
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
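Added example, not code from this thread or from the Bleeding Edge project: a small Python model of Snort-style `content:` / `content:!` matching, run over constructed HTTP requests, to show how the two negation strategies discussed above (negating the User-Agent versus negating the Host header) behave when a request reuses the trusted User-Agent string. The positive marker, the hosts, the User-Agent values and both rule bodies are hypothetical placeholders; the real content of sig 2003463 is not reproduced here.

```python
"""Model of Snort content negation (added illustration, constructed data).

Nothing below is the text of sig 2003463; rule bodies, hosts and User-Agent
strings are placeholders chosen to show the point made in the thread.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Content:
    """One Snort ``content:`` clause; negated=True models ``content:!"..."``.

    Matching is done case-insensitively, i.e. as if ``nocase`` were set.
    """
    pattern: bytes
    negated: bool = False


def rule_matches(contents, payload: bytes) -> bool:
    """True when every positive content is present in the payload and every
    negated content is absent, which is how a Snort rule body with mixed
    ``content`` and ``content:!`` clauses fires."""
    hay = payload.lower()
    for clause in contents:
        found = clause.pattern.lower() in hay
        # A positive clause that is missing, or a negated clause that is
        # present, each prevent the rule from firing.
        if clause.negated == found:
            return False
    return True


def http_request(path: str, host: str, user_agent: str) -> bytes:
    """Build a minimal HTTP/1.1 GET request (constructed sample traffic)."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"User-Agent: {user_agent}\r\n\r\n"
    ).encode()


# Hypothetical positive marker standing in for whatever the real signature
# keys on; chosen so that both the unwanted client and a legitimate toolbar
# update would hit it, which is what produces the false positive.
MARKER = Content(b"/alert/update?")

# Two candidate ways to suppress the false positive (both hypothetical):
RULES = {
    # Whitelist the legitimate client by its User-Agent string.
    "negate_user_agent": [MARKER, Content(b"User-Agent: LegitToolbar", negated=True)],
    # Whitelist the legitimate client by the host it talks to.
    "negate_host": [MARKER, Content(b"Host: toolbar.example.com", negated=True)],
}

# Constructed requests (placeholder hosts and agents, not real traffic):
REQUESTS = {
    # The legitimate toolbar update that caused the FP.
    "legit_toolbar": http_request("/alert/update?v=2", "toolbar.example.com", "LegitToolbar/1.0"),
    # The unwanted client as originally seen.
    "unwanted_client": http_request("/alert/update?v=2", "bad.example", "CoolDeskAlert/1.0"),
    # The unwanted client reusing the trusted User-Agent string, still
    # talking to its own host ("anyone can use that UA string").
    "reused_ua": http_request("/alert/update?v=2", "bad.example", "LegitToolbar/1.0"),
}


def evaluate(rules=RULES, requests=REQUESTS):
    """Return {rule_name: {request_name: fired}} for every rule/request pair."""
    return {
        rule_name: {req_name: rule_matches(body, payload)
                    for req_name, payload in requests.items()}
        for rule_name, body in rules.items()
    }


if __name__ == "__main__":
    for rule_name, results in evaluate().items():
        print(rule_name)
        for req_name, fired in results.items():
            print(f"  {req_name:16s} -> {'ALERT' if fired else 'quiet'}")
```

Both rules stay quiet on the legitimate toolbar request and fire on the unwanted client as originally seen; only the Host-based negation still fires once the unwanted client copies the trusted User-Agent. As the reply above notes, that advantage holds only while the legitimate host string stays consistent, so a change in the vendor's update host would reintroduce the false positive under the second rule.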