[Emerging-Sigs] Possible FP 2013437

Lay, James james.lay at wincofoods.com
Mon Oct 3 16:30:27 EDT 2011


From: emerging-sigs-bounces at emergingthreats.net [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Michael Scheidell
Sent: Monday, October 03, 2011 2:22 PM
To: emerging-sigs at emergingthreats.net
Subject: Re: [Emerging-Sigs] Possible FP 2013437
Can you explain? Looks like Amazon cloud to me.

NetRange:       72.21.192.0 - 72.21.223.255
CIDR:           72.21.192.0/19
OriginAS:
NetName:        AMAZON-02
NetHandle:      NET-72-21-192-0-1
Parent:         NET-72-0-0-0-0
NetType:        Direct Assignment
RegDate:        2004-12-30
Updated:        2004-12-30
Ref:            http://whois.arin.net/rest/net/NET-72-21-192-0-1



000 : 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D   HTTP/1.1 200 OK.
010 : 0A 78 2D 61 6D 7A 2D 69 64 2D 32 3A 20 77 71 79   .x-amz-id-2: wqy




Hi Michael,


It is Amazon; however, it is not an executable file. I believe that the sig is firing on the tag above (or maybe the additional one further down). This particular one was a PNG file:

150 : 0A 41 63 63 65 70 74 2D 52 61 6E 67 65 73 3A 20   .Accept-Ranges: 
160 : 62 79 74 65 73 0D 0A 43 6F 6E 74 65 6E 74 2D 54   bytes..Content-T
170 : 79 70 65 3A 20 69 6D 61 67 65 2F 70 6E 67 0D 0A   ype: image/png..
180 : 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20   Content-Length: 
190 : 31 38 35 35 39 34 0D 0A 53 65 72 76 65 72 3A 20   185594..Server: 
1a0 : 41 6D 61 7A 6F 6E 53 33 0D 0A 0D 0A 89 50 4E 47   AmazonS3.....PNG
1b0 : 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 00 00 01 F9   ........IHDR....
1c0 : 00 00 01 25 08 06 00 00 00 E7 4A 9B B0 00 00 00   ...%......J.....
1d0 : 19 74 45 58 74 53 6F 66 74 77 61 72 65 00 41 64   .tEXtSoftware.Ad

I have several pcaps that fire this rule but contain no executable. Hope that helps.

James
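
Added example, not part of the thread and not the text of rule 2013437 (which the post does not show). It parses the hex dump James pasted back into bytes, rebuilds the response around it, and contrasts a hypothetical header-only match keyed on the "x-amz-id-2" / "Server: AmazonS3" headers he points at with a check on the body's magic bytes. The bytes before offset 0x150 and the x-amz-id-2 value are not in the post and are constructed placeholders; the second response, carrying a minimal DOS header plus "PE\0\0" signature, is constructed too, so the difference between the two checks shows up on realistic input.

```python
"""Header-only match vs. body magic check for an S3 HTTP response."""
import re
import struct

# Hex dump from the post (offsets 0x150-0x1d0 of the S3 response).
POSTED_DUMP = """\
150 : 0A 41 63 63 65 70 74 2D 52 61 6E 67 65 73 3A 20   .Accept-Ranges:
160 : 62 79 74 65 73 0D 0A 43 6F 6E 74 65 6E 74 2D 54   bytes..Content-T
170 : 79 70 65 3A 20 69 6D 61 67 65 2F 70 6E 67 0D 0A   ype: image/png..
180 : 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20   Content-Length:
190 : 31 38 35 35 39 34 0D 0A 53 65 72 76 65 72 3A 20   185594..Server:
1a0 : 41 6D 61 7A 6F 6E 53 33 0D 0A 0D 0A 89 50 4E 47   AmazonS3.....PNG
1b0 : 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 00 00 01 F9   ........IHDR....
1c0 : 00 00 01 25 08 06 00 00 00 E7 4A 9B B0 00 00 00   ...%......J.....
1d0 : 19 74 45 58 74 53 6F 66 74 77 61 72 65 00 41 64   .tEXtSoftware.Ad
"""


def parse_hexdump(text):
    """Turn 'OFFSET : XX XX ...   ascii' lines back into bytes.

    Only the hex column is used; the ASCII column (after the run of two or
    more spaces) is ignored, so a printable pair like 'Ad' in it is never
    misread as hex.
    """
    out = bytearray()
    for line in text.splitlines():
        if " : " not in line:
            continue
        hex_part = re.split(r"\s{2,}", line.split(" : ", 1)[1], maxsplit=1)[0]
        out += bytes.fromhex(hex_part)
    return bytes(out)


# Offsets 0x000-0x14f are not in the post; this prefix is constructed so the
# dump parses as a complete response.  The x-amz-id-2 value is a placeholder.
S3_PNG_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nx-amz-id-2: CONSTRUCTED-PLACEHOLDER\r"
    + parse_hexdump(POSTED_DUMP)
)

# Constructed S3 response that really carries a PE image: a 64-byte DOS
# header whose e_lfanew field (offset 0x3c) points at a "PE\0\0" signature.
_DOS_HEADER = b"MZ\x90\x00" + b"\x00" * 0x38 + struct.pack("<I", 0x40)
S3_EXE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nx-amz-id-2: CONSTRUCTED-PLACEHOLDER\r\n"
    b"Content-Type: application/octet-stream\r\nContent-Length: 72\r\n"
    b"Server: AmazonS3\r\n\r\n" + _DOS_HEADER + b"PE\x00\x00" + b"\x00" * 4
)


def split_response(raw):
    """Split an HTTP response into (header block, body) at the first CRLFCRLF."""
    sep = raw.find(b"\r\n\r\n")
    if sep < 0:
        return raw, b""
    return raw[:sep], raw[sep + 4:]


def content_type(raw):
    """Declared Content-Type (lower-cased, parameters stripped) or ''."""
    headers = split_response(raw)[0]
    m = re.search(rb"(?im)^content-type:\s*([^\r\n;]+)", headers)
    return m.group(1).strip().lower().decode("ascii", "replace") if m else ""


def classify_body(body):
    """Identify the body by magic bytes: 'png', 'pe', 'mz-only' or 'other'."""
    if body.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if body.startswith(b"MZ"):
        if len(body) >= 0x40:
            e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
            if body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "pe"
        return "mz-only"  # DOS header without a reachable PE signature
    return "other"


def header_rule(raw):
    """Hypothetical header-only match of the kind James suspects: fires on
    the S3-specific headers regardless of what the body is."""
    headers = split_response(raw)[0]
    return b"x-amz-id-2:" in headers or b"Server: AmazonS3" in headers


def body_rule(raw):
    """Fires only when the body really is a PE image, so the PNG is ignored."""
    return classify_body(split_response(raw)[1]) == "pe"


if __name__ == "__main__":
    for name, raw in (("png", S3_PNG_RESPONSE), ("exe", S3_EXE_RESPONSE)):
        body = split_response(raw)[1]
        print(name, content_type(raw), classify_body(body),
              "header_rule=%s body_rule=%s" % (header_rule(raw), body_rule(raw)))
```

Run as a script, the PNG response trips header_rule but not body_rule, while the constructed PE response trips both; the Content-Type header is reported alongside because a mismatch between the declared type and the body magic is itself worth alerting on, whereas the S3 headers alone say nothing about the payload.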

