[Emerging-Sigs] Heavy "False Positive" rate for 2013804 "ET CURRENT_EVENTS Possible Redirection to Unknown Exploit Pack" with Google Analytics

Matthew Jonkman jonkman at emergingthreatspro.com
Wed Oct 26 08:55:11 EDT 2011


Got it, moving off to deleted and disabled until we figure out more.

Thanks for the report!

Matt


On Oct 26, 2011, at 8:50 AM, Nathan wrote:

> This sig here lit up my sensors... there are a plethora of sites that are not
> malicious that are triggering this signature.  I suspect it is not that
> uncommon to see document.write(unescape("<script src='" +
> 
> It's really lighting my stuff up, pretty much anything using Google Analytics:
> 
>    <script type="text/javascript">
>        var gaJsHost = (("https:" == document.location.protocol) ?
> "https://ssl." : "http://www.");
>        document.write(unescape("%3Cscript src='" + gaJsHost +
> "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
>    </script>
>    <script type="text
> 
> #Offending Signature
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS
> Possible Redirection to Unknown Exploit Pack"; flow:established,to_client;
> content:"document.write|28|unescape|28 22|%3Cscript src=|27 22 20 2B 20|";
> nocase;
> reference:url,www.kahusecurity.com/2011/malware-infection-from-new-exploit-pack/;
> classtype:misc-attack; sid:2013804; rev:2;)
> 
> Thanks,
> Nathan
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
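The signature quoted in Nathan's message keys on one `content` match. Decoding its hex runs (|28| is "(", |22| is a double quote, |27| a single quote, |2B| a plus sign) gives the literal `document.write(unescape("%3Cscript src='" + `, which is exactly the line the standard Google Analytics loader emits, so every page carrying that loader fires the rule. The following Python is an added example, not code from the thread or from Emerging Threats: it decodes the Snort content string, emulates the rule's case-insensitive content test over a few constructed response bodies, and shows how a negated exclusion (Snort's `content:!"...";`) would separate the Analytics loader from the same construction on an unknown host. The exclusion list and the sample bodies are assumptions for illustration; the thread itself says the rule was simply disabled.

```python
"""
Reproduce the content test of ET sid:2013804 (as quoted in the thread) in
Python so the Google Analytics false positive can be checked offline.
"""

# Content string copied verbatim from the rule quoted in Nathan's message.
RULE_CONTENT = 'document.write|28|unescape|28 22|%3Cscript src=|27 22 20 2B 20|'


def snort_content_to_bytes(content: str) -> bytes:
    """Decode Snort content syntax: literal text interleaved with |xx xx| hex runs."""
    out = bytearray()
    for i, part in enumerate(content.split('|')):
        if i % 2 == 0:
            out.extend(part.encode('latin-1'))              # literal text
        else:
            out.extend(int(h, 16) for h in part.split())    # hex byte run
    return bytes(out)


def content_matches(body: bytes, content: str, nocase: bool = True) -> bool:
    """Emulate a single Snort 'content' test, honouring the rule's 'nocase'."""
    needle = snort_content_to_bytes(content)
    return needle.lower() in body.lower() if nocase else needle in body


# Constructed sample HTTP response bodies (not captured traffic).
GA_PAGE = b'''<html><head><script type="text/javascript">
    var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
    document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script></head><body>site using Google Analytics</body></html>'''

PLAIN_PAGE = b'<html><body><script src="/static/app.js"></script></body></html>'

# Same document.write/unescape construction, but loading from a non-Google host.
OTHER_LOADER = b'''<script>
    var h = "http://";
    document.write(unescape("%3Cscript src='" + h + "cdn.example/lib.js'%3E%3C/script%3E"));
</script>'''

SAMPLE_BODIES = {'ga_page': GA_PAGE, 'plain_page': PLAIN_PAGE, 'other_loader': OTHER_LOADER}

# Hypothetical exclusion a defender might try while triaging the alerts; Snort
# expresses it as a negated content match (content:!"...";).  Illustration only,
# not the change ET made (the thread says the rule was moved to deleted/disabled).
KNOWN_BENIGN_LOADERS = [b'google-analytics.com/ga.js']


def rule_hits(bodies=SAMPLE_BODIES, exclusions=()):
    """Names of bodies that pass the rule's content test and none of the exclusions."""
    hits = []
    for name, body in bodies.items():
        if not content_matches(body, RULE_CONTENT):
            continue
        if any(x.lower() in body.lower() for x in exclusions):
            continue
        hits.append(name)
    return hits


if __name__ == '__main__':
    print('decoded content :', snort_content_to_bytes(RULE_CONTENT))
    print('original rule   :', rule_hits())
    print('with exclusions :', rule_hits(exclusions=KNOWN_BENIGN_LOADERS))
```

Running it shows the unmodified content test firing on both the Analytics page and the unknown loader, while the exclusion leaves only the unknown host; a real tuning pass would still need the rule to carry some positive indicator of the exploit pack rather than a generic `document.write(unescape(...))` prefix.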


