[Emerging-Sigs] Heavy "False Positive" rate for 2013804 "ET CURRENT_EVENTS Possible Redirection to Unknown Exploit Pack" with Google Analytics

waldo kitty wkitty42 at windstream.net
Wed Oct 26 12:35:23 EDT 2011


On 10/26/2011 08:55, Matthew Jonkman wrote:
> Got it, moving off to deleted and disabled until we figure out more.

I was just getting ready to post about this one being too broad... I'm seeing 
the same thing as Nathan, and it is all with sites using Google Analytics' 
JavaScript... perhaps either negating GA or tying the rule to document.location 
or similar *redirections*... the snippet currently used is not specifically 
"redirection" oriented...

>
> Thanks for the report!
>
> Matt
>
>
> On Oct 26, 2011, at 8:50 AM, Nathan wrote:
>
>> This sig here lit up my sensors... there are a plethora of sites that are not
>> malicious that are triggering this signature.  I suspect it is not that
>> uncommon to see document.write(unescape("<script src='" +
>>
>> It's really lighting my stuff up, pretty much anything using Google Analytics:
>>
>>     <script type="text/javascript">
>>         var gaJsHost = (("https:" == document.location.protocol) ?
>> "https://ssl." : "http://www.");
>>         document.write(unescape("%3Cscript src='" + gaJsHost +
>> "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
>>     </script>
>>     <script type="text
>>
>> #Offending Signature
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Redirection to Unknown Exploit Pack"; flow:established,to_client; content:"document.write|28|unescape|28 22|%3Cscript src=|27 22 20 2B 20|"; nocase; reference:url,www.kahusecurity.com/2011/malware-infection-from-new-exploit-pack/; classtype:misc-attack; sid:2013804; rev:2;)
>>
>> Thanks,
>> Nathan
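To see why the rule fires on every Google Analytics page, it helps to decode the content match: the `|28|`, `|28 22|` and `|27 22 20 2B 20|` hex escapes expand to `(`, `("` and `'" + `, so the rule is looking for the literal bytes `document.write(unescape("%3Cscript src='" + ` in any HTTP response, case-insensitively. That is exactly the prefix of the stock ga.js loader. The script below is an added example, not code from the thread or from Emerging Threats: it parses the Snort content string, runs the match over constructed sample bodies (the GA snippet as posted, a constructed loader with a different host, and a plain script tag), and also tries one of the narrowings suggested above, a negated `content:!"google-analytics.com"`. That narrowed rule is my assumption for illustration, not an ET revision of sid 2013804, and it is easy to evade (an attacker can simply include the string), so it only buys back the common false positive, not precision.

```python
"""Emulate the Snort content match of sid 2013804 over sample HTTP bodies.

Added example for the Emerging-sigs thread; not part of the ET ruleset.
"""


def parse_snort_content(spec: str) -> bytes:
    """Expand a Snort content string with |hex| escapes into raw bytes."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        if i % 2 == 0:
            out.extend(chunk.encode("latin-1"))      # literal text
        else:
            out.extend(bytes.fromhex(chunk))         # "28 22" -> b'("'
    return bytes(out)


# The content string copied from the rule quoted in the thread.
SID_2013804_CONTENT = parse_snort_content(
    'document.write|28|unescape|28 22|%3Cscript src=|27 22 20 2B 20|')


def content_matches(body: bytes, pattern: bytes, nocase: bool, negate: bool) -> bool:
    """One Snort 'content' keyword: optional nocase, optional '!' negation."""
    hay = body.lower() if nocase else body
    needle = pattern.lower() if nocase else pattern
    found = needle in hay
    return not found if negate else found


def rule_fires(body: bytes, contents) -> bool:
    """A rule fires only if every content clause is satisfied."""
    return all(content_matches(body, p, nocase, negate) for p, nocase, negate in contents)


# (pattern, nocase, negate) triples.
ORIGINAL_RULE = [(SID_2013804_CONTENT, True, False)]

# Hypothetical narrowing (my assumption, not an ET revision): also require
# that the body does NOT mention google-analytics.com, i.e. content:!"...".
NARROWED_RULE = ORIGINAL_RULE + [(b"google-analytics.com", True, True)]

# Sample bodies. GA_SNIPPET is the loader as posted in the thread; the other
# two are constructed for this example.
GA_SNIPPET = b"""<script type="text/javascript">
    var gaJsHost = (("https:" == document.location.protocol) ?
"https://ssl." : "http://www.");
    document.write(unescape("%3Cscript src='" + gaJsHost +
"google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>"""

# Constructed: same loader idiom, host assembled at runtime, no GA string.
SUSPECT_SNIPPET = (b'<script>var h = "example.invalid";'
                   b'document.write(unescape("%3Cscript src=\'" + "http://" + h +'
                   b' "/in.php\'%3E%3C/script%3E"));</script>')

# Constructed: ordinary page that loads a script without document.write.
BENIGN_SNIPPET = b'<script src="/static/app.js"></script>'


def classify(body: bytes) -> dict:
    """Report whether the original and the narrowed rule would alert."""
    return {"original": rule_fires(body, ORIGINAL_RULE),
            "narrowed": rule_fires(body, NARROWED_RULE)}


if __name__ == "__main__":
    print("decoded content:", SID_2013804_CONTENT)
    for name, body in [("GA loader", GA_SNIPPET),
                       ("constructed loader", SUSPECT_SNIPPET),
                       ("plain script tag", BENIGN_SNIPPET)]:
        print(f"{name:20s} {classify(body)}")
```

The GA loader trips the original rule and is suppressed by the negated content; the constructed loader with a different host still alerts under both; the plain script tag alerts under neither. Note that `nocase` only affects the byte comparison, so `%3Cscript` and `%3cscript` both match, but an encoder that emits `%3C` on one side and a literal `<` on the other would not.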

