List: emerging-sigs
Subject: Re: [Emerging-Sigs] false positive from NASA Realtime Satellite Tracking
From: Will Metcalf <william.metcalf () gmail ! com>
Date: 2016-08-22 12:29:33
Message-ID: CAO0nrJZKOn28_KPaKvSNb9SxXEMt+-VFQ0KveSe5XDkZ_J0Zxg () mail ! gmail ! com
Probably the easiest thing is to set a flowbit matching on anything in .nasa.gov and then check and make sure that flowbit is not set.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Nasa Site Flowbit Set"; flow:established,to_server; content:".nasa.gov"; http_header; nocase; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]*\.nasa\.gov(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.Nasa.Site; flowbits:noalert; classtype:misc-activity; sid:3000000; rev:2;)
Then add the following to those rules.
flowbits:isnotset,ET.Nasa.Site;
Guessing you are probably using Snort instead of Suri; otherwise I would say you could use a pass rule, as they act a bit differently in Snort and Suri, i.e. Suri would pass the rest of the TCP flow..... at least the last time I checked :).
Regards,
Will
On Sat, Aug 20, 2016 at 9:01 AM, <wkitty42@windstream.net> wrote:
>
> I'm seeing the following rules being triggered from
>
> http://spaceflight1.nasa.gov/realdata/tracking/index.html
>
> but I'm not sure the best way to allow this site as the Java stuff seems
> to be pulled from multiple IPs on AWS...
>
>
> Rule ID: 1:2016540:2 - ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs
> Date: 08/20 09:37:57 Priority: 2 Class Type: Potentially Bad Traffic
> IP info: 54.243.106.158:80 -> 75.89.xxx.223:59296
> References: none found
>
> Rule ID: 1:2014472:5 - ET INFO JAVA - Java Archive Download
> Date: 08/20 09:37:57 Priority: 1 Class Type: A Network Trojan was detected
> IP info: 54.243.106.158:80 -> 75.89.xxx.223:59296
> References: none found
>
> Rule ID: 1:27816:9 - EXPLOIT-KIT Multiple exploit kit jar file download attempt
> Date: 08/20 09:37:57 Priority: 1 Class Type: A Network Trojan was detected
> IP info: 54.243.106.158:80 -> 75.89.xxx.223:59296
> References: none found
>
>
> --
> NOTE: No off-list assistance is given without prior approval.
> *Please keep mailing list traffic on the list* unless
> private contact is specifically requested and granted.
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs@lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
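Added example (not from the list post): a Python check of the two steps Will describes. The first function applies the same Host-header pattern as the proposed flowbit rule to constructed request headers, so you can see which hosts would set ET.Nasa.Site; the second inserts `flowbits:isnotset,ET.Nasa.Site;` into any rule whose sid is in the three alerting SIDs. The sample rule text is a constructed placeholder, not the real ET/Snort rule body.

```python
import re

# Same expression as the pcre in the flowbit rule. The rule's /H modifier limits
# the match to the HTTP header buffer; here we run it over raw header bytes.
HOST_RE = re.compile(rb"^Host\x3a[^\r\n]*\.nasa\.gov(?:\x3a\d{1,5})?\r?$", re.M | re.I)


def sets_nasa_flowbit(headers: bytes) -> bool:
    """True if these client request headers would set ET.Nasa.Site."""
    return HOST_RE.search(headers) is not None


FLOWBIT_CHECK = "flowbits:isnotset,ET.Nasa.Site;"
# The three SIDs that fired in the original report.
TARGET_SIDS = {2016540, 2014472, 27816}


def add_flowbit_check(rule: str, sids) -> str:
    """Insert the isnotset check into a rule whose sid is in `sids` (idempotent)."""
    m = re.search(r"\bsid:\s*(\d+);", rule)
    if not m or int(m.group(1)) not in sids or FLOWBIT_CHECK in rule:
        return rule
    # Flowbits are tracked per flow, so a bit set on the client->server request
    # is visible when the server->client JAR response is inspected.
    fm = re.search(r"flow:[^;]*;", rule)
    if fm:
        return rule[:fm.end()] + " " + FLOWBIT_CHECK + rule[fm.end():]
    return rule[:m.start()] + FLOWBIT_CHECK + " " + rule[m.start():]


# Constructed placeholder standing in for one of the alerting rules.
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
               '(msg:"CONSTRUCTED placeholder JAR rule"; '
               'flow:established,from_server; content:"PK"; sid:2016540; rev:2;)')

if __name__ == "__main__":
    # Constructed request headers.
    for hdr in (b"GET / HTTP/1.1\r\nHost: spaceflight1.nasa.gov\r\n\r\n",
                b"Host: spaceflight1.nasa.gov:80\r\n",
                b"Host: www.nasa.gov.example.com\r\n",
                b"Host: nasa.gov\r\n"):
        print(sets_nasa_flowbit(hdr), hdr.split(b"\r\n")[0])
    print(add_flowbit_check(SAMPLE_RULE, TARGET_SIDS))
```

Note that the pattern requires a dot before `nasa.gov`, so a bare `Host: nasa.gov` does not set the bit; only subdomains do.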