
List:       emerging-sigs
Subject:    Re: [Emerging-Sigs] AnubisNetworks sinkhole for "invalid[.]cab"
From:       Darien Huss <dhuss () emergingthreats ! net>
Date:       2015-04-10 13:32:59
Message-ID: CAKcCgkUopZnM8qhF6AdNTLi7tpFxvFMVxxHE+sxnB3cg=RAEKg () mail ! gmail ! com


Thanks everyone, we'll have something out for this today similar to what
Jake Warren suggested!

Regards,
Darien

On Thu, Apr 9, 2015 at 5:51 PM, Tony Maszeroski <tony@craigslist.org> wrote:

> On 4/9/15 11:50, Andrea De Pasquale wrote:
> > On Thu, Apr 9, 2015 at 8:28 PM, Jake Warren <jake.warren@masergy.com> wrote:
> >> I don't think you can negate it directly since the domain is not reflected
> >> in the cert. The only way I can come up with to negate this temporarily is by
> >> looking for invalid.cab in the SNI server name and using flowbits to prevent
> >> alerting.
> >
> >
> > Jake,
> > you are right. Forgive me, evening here. :-)
> >
>
> I have verified in a clean VM that this alert is getting triggered due
> to the installation of KB3035583 - The "Windows 10 Upgrade / nagware"
> patch.
>
> -tony
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs@lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
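The SNI-plus-flowbits suppression Jake describes above, written out as an added Suricata rule pair (this is an illustration, not the signature Emerging Threats actually shipped). The flowbit name, the local SIDs and the certificate-subject string are placeholders I made up; the real sinkhole rule's certificate match would go in the second rule.

```suricata
# Rule 1: when the ClientHello carries the sinkholed name in the SNI, tag the
# flow and stay silent. Suricata sees the ClientHello before the server's
# Certificate message, so the flowbit is set before rule 2 is evaluated.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL POLICY invalid.cab SNI observed (tag only, no alert)"; \
    tls.sni; content:"invalid.cab"; nocase; endswith; \
    flowbits:set,local.sni.invalidcab; flowbits:noalert; \
    classtype:not-suspicious; sid:9000001; rev:1;)

# Rule 2: the sinkhole-certificate detection, now guarded by the flowbit so it
# only fires when the client did NOT ask for invalid.cab (i.e. the cert was
# served for some other, genuinely sinkholed domain).
# "SINKHOLE-CERT-SUBJECT-PLACEHOLDER" stands in for the real certificate match.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL TROJAN AnubisNetworks sinkhole SSL certificate (non-invalid.cab SNI)"; \
    tls.cert_subject; content:"SINKHOLE-CERT-SUBJECT-PLACEHOLDER"; \
    flowbits:isnotset,local.sni.invalidcab; \
    classtype:trojan-activity; sid:9000002; rev:1;)
```

`tls.sni`, `tls.cert_subject` and `endswith` are the sticky-buffer forms used by Suricata 5 and later; on older engines substitute `tls_sni` / `tls_cert_subject` and drop `endswith`. Because the flowbit is keyed to the flow, a client that legitimately received the KB3035583 nagware check will be exempted, while a flow that never sent that SNI but still got the sinkhole cert keeps alerting.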






