[Emerging-Sigs] Heavy "False Positive" rate for 2013804 "ET CURRENT_EVENTS Possible Redirection to Unknown Exploit Pack" with Google Analytics
mcholste at gmail.com
Wed Oct 26 12:53:23 EDT 2011
+1 for deleted. Way too many legit uses of that code.
On Wed, Oct 26, 2011 at 11:35 AM, waldo kitty <wkitty42 at windstream.net> wrote:
> On 10/26/2011 08:55, Matthew Jonkman wrote:
>> Got it, moving off to deleted and disabled until we figure out more.
> i was just getting ready to post about this one being too broad... i'm seeing
> the same thing as nathan and it is all with sites using google-analytics'
> or similar *redirections*... the snippet currently used is not specifically
> "redirection" oriented...
>> Thanks for the report!
>> On Oct 26, 2011, at 8:50 AM, Nathan wrote:
>>> This sig here lit up my sensors... there are a plethora of sites that are not
>>> malicious that are triggering this signature. I suspect it is not that
>>> uncommon to see document.write(unescape("<script src='" +
>>> It's really lighting my stuff up, pretty much anything using Google Analytics:
>>> var gaJsHost = (("https:" == document.location.protocol) ?
>>> "https://ssl." : "http://www.");
>>> document.write(unescape("%3Cscript src='" + gaJsHost +
>>> <script type="text
>>> #Offending Signature
>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS
>>> Possible Redirection to Unknown Exploit Pack"; flow:established,to_client;
>>> content:"document.write|28|unescape|28 22|%3Cscript src=|27 22 20 2B 20|";
>>> classtype:misc-attack; sid:2013804; rev:2;)
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
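To show concretely why sid:2013804 fires on the Google Analytics loader, here is an added example (not code from the thread or from Emerging Threats) that decodes the rule's content: modifier into the byte string Snort actually searches for and runs that search over three constructed response bodies. The GA body is modelled on the snippet quoted above; the part after gaJsHost is filled in as a constructed sample, and the other two bodies, the host names in them and the helper names are all assumptions made for the example.

```python
import re
from typing import Optional

# The content: modifier of sid:2013804 exactly as quoted in the thread.
SID_2013804_CONTENT = 'document.write|28|unescape|28 22|%3Cscript src=|27 22 20 2B 20|'


def snort_content_to_bytes(content: str) -> bytes:
    """Turn a Snort 'content:' string into the byte sequence the engine looks for.

    Text outside pipes is literal; text between pipes is Snort's space-separated
    hex notation (|28 22| is '("').
    """
    out = bytearray()
    for i, chunk in enumerate(content.split('|')):
        if i % 2 == 0:
            out += chunk.encode('latin-1')
        else:
            out += bytes.fromhex(chunk)
    return bytes(out)


def rule_matches(body: bytes, content: str = SID_2013804_CONTENT) -> bool:
    """Plain substring search, which is all 'content:' does with no modifiers."""
    return snort_content_to_bytes(content) in body


# Constructed sample bodies (not real traffic captures).
# GA_PAGE mirrors the legacy Google Analytics loader quoted in the thread.
GA_PAGE = b"""<html><head>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
</head><body>hello</body></html>"""

# Same script, loaded with a static tag: the document.write idiom is absent.
STATIC_PAGE = b"""<html><head>
<script type="text/javascript" src="https://ssl.google-analytics.com/ga.js"></script>
</head><body>hello</body></html>"""

# Any other site using the same concatenation idiom; the host is a placeholder.
OTHER_PAGE = b"""<script>
var h = "http://";
document.write(unescape("%3Cscript src='" + h + "cdn.example.invalid/widget.js'%3E%3C/script%3E"));
</script>"""

# Pulls out the expression that builds the script URL after the matched prefix.
SRC_EXPR = re.compile(rb"document\.write\(unescape\(\"%3Cscript src='\" \+ (.*?)%3E")


def loaded_src_expression(body: bytes) -> Optional[str]:
    """Return the JavaScript expression that forms the script src, or None.

    This is what an analyst needs once the rule fires: the concatenated host and
    path, which can be checked against known-good loaders (gaJsHost +
    google-analytics.com) instead of escalating on the idiom alone.
    """
    m = SRC_EXPR.search(body)
    return m.group(1).decode('latin-1').strip() if m else None


if __name__ == "__main__":
    for name, body in [("GA_PAGE", GA_PAGE), ("STATIC_PAGE", STATIC_PAGE), ("OTHER_PAGE", OTHER_PAGE)]:
        print(f"{name:12s} sid:2013804 fires: {str(rule_matches(body)):5s} "
              f"src: {loaded_src_expression(body)}")
```

Running it shows the rule firing on both the GA loader and the unrelated widget loader while staying silent on the static tag, which is the point made in the thread: the content string matches the document.write(unescape(...)) concatenation idiom itself, not anything specific to a redirection, so the hit carries no information until the concatenated src is inspected.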