[Emerging-Sigs] FP: ET CURRENT_EVENTS MALVERTISING trafficbiztds.com - client receiving redirect to exploit kit : 2011469

Matthew Jonkman jonkman at emergingthreatspro.com
Mon Oct 24 11:58:36 EDT 2011


Good catch, thanks Russell!

Fixing that up, and also http_*'ing it as well.

Matt

On Oct 23, 2011, at 3:48 AM, Russell Fulton wrote:

> Likely FP.  I notice the rule has content:!"http|3a|//www.google.com".  This might be inadequate -- I've got hits on just google.com:
> 
> HTTP/1.1 302 Found
> Server: nginx/0.7.62
> Date: Sat, 22 Oct 2011 09:09:17 GMT
> Content-Type: text/html
> Connection: close
> Set-Cookie: SL_2_0000=_0_; domain=trafficbiztds.com; path=/; expires=Sun, 23-Oct-2011 09:09:17 GMT
> Location: http://google.com/robots.txt
> Content-Length: 184
> 
> 


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
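The false positive reported above, as an added example that is not part of the original thread or of the Emerging Threats rule: it models only the negated content quoted in the report (the rest of the rule is not shown on this page) and compares it with a check on the parsed `Location` host. The function names, the `domains` allow-list and the two variant responses are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Response headers quoted in the report (CRLF line endings assumed, body omitted).
REPORTED = (
    b"HTTP/1.1 302 Found\r\n"
    b"Server: nginx/0.7.62\r\n"
    b"Date: Sat, 22 Oct 2011 09:09:17 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Connection: close\r\n"
    b"Set-Cookie: SL_2_0000=_0_; domain=trafficbiztds.com; path=/; "
    b"expires=Sun, 23-Oct-2011 09:09:17 GMT\r\n"
    b"Location: http://google.com/robots.txt\r\n"
    b"Content-Length: 184\r\n\r\n"
)
# Constructed variants for comparison; these are not taken from the thread.
WWW_VARIANT = REPORTED.replace(b"//google.com/", b"//www.google.com/")
OTHER_HOST = REPORTED.replace(b"//google.com/", b"//redirect.example.net/")

NEGATED = b"http://www.google.com"  # content:!"http|3a|//www.google.com"


def negation_holds(raw: bytes) -> bool:
    """Model of the negated content only: True when the bytes are absent,
    i.e. the exclusion does NOT suppress the alert."""
    return NEGATED not in raw


def location_host(raw: bytes) -> str:
    """Return the lower-cased host of the Location header, or ''."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"location":
            url = value.strip().decode("latin-1")
            return (urlsplit(url).hostname or "").rstrip(".")
    return ""


def redirect_is_excluded(raw: bytes, domains=("google.com",)) -> bool:
    """Hypothetical host-based exclusion: exact domain or a subdomain of it."""
    host = location_host(raw)
    return any(host == d or host.endswith("." + d) for d in domains)


if __name__ == "__main__":
    for label, raw in [("reported", REPORTED), ("www", WWW_VARIANT), ("other", OTHER_HOST)]:
        print(label, location_host(raw), negation_holds(raw), redirect_is_excluded(raw))
```

For the reported response the byte-level negation still holds, so the alert is not suppressed, while the host comparison treats `google.com` and `www.google.com` alike.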


