
List:       emerging-sigs
Subject:    Re: [Emerging-Sigs] false positive from NASA Realtime Satellite Tracking
From:       Will Metcalf <william.metcalf () gmail ! com>
Date:       2016-08-22 12:29:33
Message-ID: CAO0nrJZKOn28_KPaKvSNb9SxXEMt+-VFQ0KveSe5XDkZ_J0Zxg () mail ! gmail ! com

Probably the easiest thing is to set a flowbit matching on anything in .nasa.gov
and then check and make sure that flowbit is not set.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Nasa Site Flowbit Set"; \
    flow:established,to_server; content:".nasa.gov"; http_header; nocase; fast_pattern:only; \
    pcre:"/^Host\x3a[^\r\n]*\.nasa\.gov(?:\x3a\d{1,5})?\r?$/Hmi"; \
    flowbits:set,ET.Nasa.Site; flowbits:noalert; classtype:misc-activity; sid:3000000; rev:2;)

Then add the following to those rules.

flowbits:isnotset,ET.Nasa.Site;

Guessing you are probably using Snort instead of Suri; otherwise I would say
you could use a pass rule, as they act a bit differently in Snort and Suri,
i.e. Suri would pass the rest of the TCP flow... at least the last time I
checked :).

Regards,

Will

On Sat, Aug 20, 2016 at 9:01 AM, <wkitty42@windstream.net> wrote:

>
> i'm seeing the following rules being triggered from
>
>   http://spaceflight1.nasa.gov/realdata/tracking/index.html
>
> but i'm not sure the best way to allow this site as the java stuff seems
> to be being pulled from multiple IPs on AWS...
>
>
> Rule ID:        1:2016540:2 - ET CURRENT_EVENTS SUSPICIOUS JAR Download by
> Java UA with non JAR EXT matches various EKs
> Date:   08/20 09:37:57  Priority:       2       Class Type:
>  Potentially Bad Traffic
> IP info:        54.243.106.158:80 -> 75.89.xxx.223:59296
> References:     none found
>
> Rule ID:        1:2014472:5 - ET INFO JAVA - Java Archive Download
> Date:   08/20 09:37:57  Priority:       1       Class Type:     A Network
> Trojan was detected
> IP info:        54.243.106.158:80 -> 75.89.xxx.223:59296
> References:     none found
>
> Rule ID:        1:27816:9 - EXPLOIT-KIT Multiple exploit kit jar file
> download attempt
> Date:   08/20 09:37:57  Priority:       1       Class Type:     A Network
> Trojan was detected
> IP info:        54.243.106.158:80 -> 75.89.xxx.223:59296
> References:     none found
>
>
> --
>  NOTE: No off-list assistance is given without prior approval.
>        *Please keep mailing list traffic on the list* unless
>        private contact is specifically requested and granted.
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs@lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>

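The flowbit approach Will describes above, as an added example that is not part of the original thread and not Emerging Threats code: a small Python model of a per-flow bit, using the same Host-header regex as the posted rule over constructed request headers. The flow labels (stand-ins for TCP 5-tuples), the header lines and the simulated JAR responses are all constructed here. It also shows the caveat behind the original poster's "multiple IPs on AWS" remark: the bit lives on one TCP flow, so a JAR fetched over a separate connection whose Host header is not under nasa.gov (flow D) still alerts, and a lookalike such as nasa.gov.evil.example (flow C) never sets the bit because of the trailing `$` anchor.

```python
import re
from collections import defaultdict

BIT = "ET.Nasa.Site"

# The pcre from the posted rule, transcribed to Python (\x3a is ':').
# Snort's /H modifier restricts the match to the normalized HTTP header
# buffer; here the caller passes only the header lines.  /m makes ^ and $
# match per line, /i makes it case-insensitive.
HOST_RE = re.compile(
    rb"^Host\x3a[^\r\n]*\.nasa\.gov(?:\x3a\d{1,5})?\r?$", re.M | re.I
)


def host_is_nasa(headers: bytes) -> bool:
    """True when the request's Host header ends in .nasa.gov (optionally :port).

    Note the leading dot: a bare "Host: nasa.gov" does not match, which is
    consistent with the rule's content:".nasa.gov" fast pattern.
    """
    return HOST_RE.search(headers) is not None


class FlowbitSim:
    """Toy model of Snort flowbits (an assumption for illustration, not
    Snort's engine): a bit set on one flow is visible only to later rule
    evaluations on that same flow, in either direction."""

    def __init__(self):
        self.bits = defaultdict(set)  # flow key -> set of bit names

    def to_server(self, flow, headers: bytes):
        # sid:3000000 -- flowbits:set with flowbits:noalert, so it never alerts
        if host_is_nasa(headers):
            self.bits[flow].add(BIT)

    def to_client(self, flow, jar_download: bool):
        """The JAR-download rules after flowbits:isnotset,ET.Nasa.Site is
        appended.  Returns the alert message, or None when suppressed."""
        if jar_download and BIT not in self.bits[flow]:
            return "ET INFO JAVA - Java Archive Download"
        return None


def replay(events):
    """events: ('req', flow, header_bytes) or ('resp', flow, is_jar), in
    packet order.  Returns the list of (flow, alert message) raised."""
    sim = FlowbitSim()
    alerts = []
    for kind, flow, payload in events:
        if kind == "req":
            sim.to_server(flow, payload)
        else:
            msg = sim.to_client(flow, payload)
            if msg is not None:
                alerts.append((flow, msg))
    return alerts


# Constructed sample traffic; flow letters stand in for TCP 5-tuples.
SAMPLE_EVENTS = [
    # A: page request to spaceflight1.nasa.gov, JAR returned on the same flow
    ("req", "A", b"Host: spaceflight1.nasa.gov\r\n"
                 b"User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.8.0_101\r\n\r\n"),
    ("resp", "A", True),
    # B: Host ends in .nasa.gov with an explicit port, different case
    ("req", "B", b"host: WWW.NASA.GOV:8080\r\n\r\n"),
    ("resp", "B", True),
    # C: lookalike domain; the $ anchor keeps it from setting the bit
    ("req", "C", b"Host: nasa.gov.evil.example\r\n\r\n"),
    ("resp", "C", True),
    # D: JAR pulled over a separate connection to a CDN host (constructed
    #    name); no .nasa.gov Host on this flow, so the bit is never set
    ("req", "D", b"Host: cdn.example.net\r\n\r\n"),
    ("resp", "D", True),
]


def alerted_flows(events=SAMPLE_EVENTS):
    """Flows on which the JAR rule still fires after the flowbit check."""
    return [flow for flow, _ in replay(events)]


if __name__ == "__main__":
    for flow, msg in replay(SAMPLE_EVENTS):
        print(f"flow {flow}: {msg}")
```

Flows A and B are silenced, C and D still alert. If the JARs for the tracking page really do come back over connections whose Host header is not under nasa.gov, the flowbit never gets set on those flows and this approach will not cover them; in that case the Host header seen on the alerting flows is what to check first.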