[Emerging-Sigs] Possible FP 2013437

rmkml rmkml at free.fr
Mon Oct 3 17:24:18 EDT 2011


Hi James,
To reduce FPs, can you test by adding within like this:
  alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable served from Amazon S3"; flow:established,to_client;
content:"Server|3A| AmazonS3"; http_header; file_data; content:"MZ"; within:2; distance:0; isdataat:80,relative; content:"PE"; distance:0;...
but it needs the latest snort v291 (and the default config paf_max: 16384).
Regards
Rmkml


On Mon, 3 Oct 2011, Lay, James wrote:

> From: emerging-sigs-bounces at emergingthreats.net [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Michael Scheidell
> Sent: Monday, October 03, 2011 2:22 PM
> To: emerging-sigs at emergingthreats.net
> Subject: Re: [Emerging-Sigs] Possible FP 2013437
> can you explain?  looks like amazon cloud to me.
>
> NetRange:       72.21.192.0 - 72.21.223.255
> CIDR:           72.21.192.0/19
> OriginAS:
> NetName:        AMAZON-02
> NetHandle:      NET-72-21-192-0-1
> Parent:         NET-72-0-0-0-0
> NetType:        Direct Assignment
> RegDate:        2004-12-30
> Updated:        2004-12-30
> Ref:            http://whois.arin.net/rest/net/NET-72-21-192-0-1
>
>
>
> 000 : 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D   HTTP/1.1 200 OK.
> 010 : 0A 78 2D 61 6D 7A 2D 69 64 2D 32 3A 20 77 71 79   .x-amz-id-2: wqy
>
>
>
>
> Hi Michael,
>
>
> It is Amazon, however it is not an executable file... I believe that the sig is firing on the tag above (or maybe the additional one further down).  This particular one was a PNG file:
>
> 150 : 0A 41 63 63 65 70 74 2D 52 61 6E 67 65 73 3A 20   .Accept-Ranges:
> 160 : 62 79 74 65 73 0D 0A 43 6F 6E 74 65 6E 74 2D 54   bytes..Content-T
> 170 : 79 70 65 3A 20 69 6D 61 67 65 2F 70 6E 67 0D 0A   ype: image/png..
> 180 : 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20   Content-Length:
> 190 : 31 38 35 35 39 34 0D 0A 53 65 72 76 65 72 3A 20   185594..Server:
> 1a0 : 41 6D 61 7A 6F 6E 53 33 0D 0A 0D 0A 89 50 4E 47   AmazonS3.....PNG
> 1b0 : 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 00 00 01 F9   ........IHDR....
> 1c0 : 00 00 01 25 08 06 00 00 00 E7 4A 9B B0 00 00 00   ...%......J.....
> 1d0 : 19 74 45 58 74 53 6F 66 74 77 61 72 65 00 41 64   .tEXtSoftware.Ad
>
> I have several pcaps which fire this rule, which contain no executable.  Hope that helps.
>
> James
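Added example (not code from the list or from Rmkml's reply): a small Python model of the two detection behaviours discussed in this thread, run over constructed HTTP responses. The PNG sample reuses the header/body boundary visible in James's hex dump (Server: AmazonS3 followed by the PNG signature and IHDR chunk); the trailing tEXt chunk containing the bytes "MZ", and the PE sample with its DOS stub, are constructed for illustration. The "loose" check (S3 Server header plus "MZ" anywhere in the body) is an assumed stand-in for the kind of match that fires on non-executables, not a transcription of ET rule 2013437. The tightened check models the Snort options in Rmkml's rule as documented: file_data anchors at the start of the response body, within:2 pins "MZ" to the first two bytes, isdataat:80,relative requires 80 more bytes, and content:"PE"; distance:0 looks for "PE" after the MZ match.

```python
import re

# Constructed sample: a PNG served from S3. Header layout follows James's dump;
# the tEXt chunk payload is made up and deliberately contains "MZ".
PNG_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Accept-Ranges: bytes\r\n"
    b"Content-Type: image/png\r\n"
    b"Content-Length: 185594\r\n"
    b"Server: AmazonS3\r\n"
    b"\r\n"
    b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR\x00\x00\x01\xf9\x00\x00\x01%\x08\x06\x00\x00\x00\xe7J\x9b\xb0"
    b"\x00\x00\x00\x19tEXtSoftware\x00Adobe ImageReady MZ 1.0"
    + b"\x00" * 100
)

# Constructed sample: a minimal PE-like body served from S3. "MZ" at offset 0,
# e_lfanew (offset 0x3c) pointing at 0x80, and "PE\0\0" at 0x80.
PE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Server: AmazonS3\r\n"
    b"\r\n"
    + b"MZ" + b"\x00" * 58 + (0x80).to_bytes(4, "little")
    + b"\x00" * (0x80 - 0x40) + b"PE\x00\x00" + b"\x00" * 64
)


def split_response(raw: bytes):
    """Split an HTTP response at the first blank line. The body half is what
    Snort's file_data buffer exposes for a response (modelled here, no dechunking)."""
    sep = raw.find(b"\r\n\r\n")
    if sep < 0:
        return raw, b""
    return raw[: sep + 2], raw[sep + 4:]


def served_by_s3(headers: bytes) -> bool:
    """Model of content:"Server|3A| AmazonS3"; http_header."""
    return re.search(rb"(?im)^Server: AmazonS3\s*$", headers) is not None


def loose_check(raw: bytes) -> bool:
    """Assumed loose form: S3 header plus "MZ" anywhere in the body.
    This is the FP class James reports (a PNG whose bytes happen to contain MZ)."""
    headers, body = split_response(raw)
    return served_by_s3(headers) and b"MZ" in body


def tightened_check(raw: bytes) -> bool:
    """Model of Rmkml's suggested options after file_data:
    content:"MZ"; within:2; distance:0; isdataat:80,relative; content:"PE"; distance:0;"""
    headers, body = split_response(raw)
    if not served_by_s3(headers):
        return False
    # within:2; distance:0 right after file_data -> "MZ" must be the first two body bytes
    if body[:2] != b"MZ":
        return False
    cursor = 2  # detection pointer now sits just after the MZ match
    # isdataat:80,relative -> a byte must exist 80 positions past the pointer
    if len(body) <= cursor + 80:
        return False
    # content:"PE"; distance:0 -> "PE" anywhere at or after the pointer
    return body.find(b"PE", cursor) != -1


if __name__ == "__main__":
    for name, sample in (("png", PNG_RESPONSE), ("pe", PE_RESPONSE)):
        print(f"{name}: loose={loose_check(sample)} tightened={tightened_check(sample)}")
```

Running it shows the loose check firing on both samples while the tightened check fires only on the PE body, which is the point of pinning "MZ" to the start of file_data rather than letting it float through image data.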

