[Emerging-Sigs] Heavy "False Positive" rate for 2013804 "ET CURRENT_EVENTS Possible Redirection to Unknown Exploit Pack" with Google Analytics

Nathan nathan at packetmail.net
Wed Oct 26 08:50:11 EDT 2011


This sig here lit up my sensors... there are a plethora of sites that are not
malicious that are triggering this signature.  I suspect it is not that
uncommon to see document.write(unescape("<script src='" +

It's really lighting my stuff up, pretty much anything using Google Analytics:

    <script type="text/javascript">
        var gaJsHost = (("https:" == document.location.protocol) ?
            "https://ssl." : "http://www.");
        document.write(unescape("%3Cscript src='" + gaJsHost +
            "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
    </script>
    <script type="text

#Offending Signature
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Redirection to Unknown Exploit Pack"; flow:established,to_client; content:"document.write|28|unescape|28 22|%3Cscript src=|27 22 20 2B 20|"; nocase; reference:url,www.kahusecurity.com/2011/malware-infection-from-new-exploit-pack/; classtype:misc-attack; sid:2013804; rev:2;)

Thanks,
Nathan
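
Added example, not part of the original post or of the Emerging Threats ruleset: a small Python check that expands the rule's content string (the |..| hex notation) and runs it, case-insensitively, against the Google Analytics loader quoted above. The function names are hypothetical, the payload is reconstructed from the post, and escape handling inside content strings is left out as a simplifying assumption.

```python
# Content option copied from sid:2013804 as quoted in the post.
SIG_CONTENT = 'document.write|28|unescape|28 22|%3Cscript src=|27 22 20 2B 20|'

# Google Analytics loader reconstructed from the post (constructed sample
# of a server-to-client HTML body; wrapped lines rejoined).
GA_SNIPPET = (
    b'<script type="text/javascript">\n'
    b'    var gaJsHost = (("https:" == document.location.protocol) ? '
    b'"https://ssl." : "http://www.");\n'
    b'    document.write(unescape("%3Cscript src=\'" + gaJsHost + '
    b'"google-analytics.com/ga.js\' type=\'text/javascript\'%3E%3C/script%3E"));\n'
    b'</script>\n'
)


def decode_content(pattern: str) -> bytes:
    """Expand a content string: text outside |...| is literal,
    text inside the pipes is space-separated hex bytes."""
    out = bytearray()
    for i, part in enumerate(pattern.split('|')):
        if i % 2:  # odd segments sit between a pair of pipes
            out += bytes.fromhex(part.replace(' ', ''))
        else:
            out += part.encode('latin-1')
    return bytes(out)


def content_match(payload: bytes, pattern: str, nocase: bool = True):
    """Return (offset, matched bytes, next 40 bytes) or None if no match."""
    needle = decode_content(pattern)
    hay = payload.lower() if nocase else payload
    ndl = needle.lower() if nocase else needle
    pos = hay.find(ndl)
    if pos < 0:
        return None
    end = pos + len(needle)
    return pos, payload[pos:end], payload[end:end + 40]


if __name__ == '__main__':
    hit = content_match(GA_SNIPPET, SIG_CONTENT)
    print('decoded content:', decode_content(SIG_CONTENT))
    print('match:', hit is not None)
    if hit:
        # The match ends before any hostname appears in the payload.
        print('bytes right after the match:', hit[2])
```

The matched bytes stop at the `+` that follows `src='"`, so the content option alone never inspects which script URL is being written.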


