[Emerging-Sigs] Heavy "False Positive" rate for 2013804 "ET CURRENT_EVENTS Possible Redirection to Unknown Exploit Pack" with Google Analytics

Martin Holste mcholste at gmail.com
Wed Oct 26 12:53:23 EDT 2011


+1 for deleted.  Way too many legit uses of that code.

On Wed, Oct 26, 2011 at 11:35 AM, waldo kitty <wkitty42 at windstream.net> wrote:
> On 10/26/2011 08:55, Matthew Jonkman wrote:
>> Got it, moving off to deleted and disabled until we figure out more.
>
> I was just getting ready to post about this one being too broad... I'm seeing
> the same thing as Nathan and it is all with sites using Google Analytics'
> javascripts... perhaps either negating GA or tying the rule to document.location
> or similar *redirections*... the snippet currently used is not specifically
> "redirection" oriented...
>
>>
>> Thanks for the report!
>>
>> Matt
>>
>>
>> On Oct 26, 2011, at 8:50 AM, Nathan wrote:
>>
>>> This sig here lit up my sensors... there are a plethora of sites that are not
>>> malicious that are triggering this signature.  I suspect it is not that
>>> uncommon to see document.write(unescape("<script src='" +
>>>
>>> It's really lighting my stuff up, pretty much anything using Google Analytics:
>>>
>>>     <script type="text/javascript">
>>>         var gaJsHost = (("https:" == document.location.protocol) ?
>>> "https://ssl." : "http://www.");
>>>         document.write(unescape("%3Cscript src='" + gaJsHost +
>>> "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
>>>     </script>
>>>     <script type="text
>>>
>>> #Offending Signature
>>> alert tcp $EXTERNAL_NET $HTTP_PORTS ->  $HOME_NET any (msg:"ET CURRENT_EVENTS
>>> Possible Redirection to Unknown Exploit Pack"; flow:established,to_client;
>>> content:"document.write|28|unescape|28 22|%3Cscript src=|27 22 20 2B 20|";
>>> nocase;
>>> reference:url,www.kahusecurity.com/2011/malware-infection-from-new-exploit-pack/;
>>> classtype:misc-attack; sid:2013804; rev:2;)
>>>
>>> Thanks,
>>> Nathan

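The false positive discussed above comes down to one case-insensitive content match that the stock Google Analytics loader satisfies exactly. The following is an added example, not code from the list or from Emerging Threats: it decodes the rule's content string as posted, emulates the `nocase` match over constructed response bodies, and places beside it a hypothetical tightened variant (an assumption for illustration, not an actual ET revision) that rejects a hit when the GA loader follows within a short window, which is how waldo's "negating GA" suggestion would look. The sample bodies, the `redirector.example.invalid` host and the window size are all constructed.

```python
"""
Added example for the thread above (not code from the list or from ET):
emulate the content match in SID 2013804 over constructed HTTP response
bodies, beside a hypothetical tightened variant that excludes the Google
Analytics loader. Rule variant, window and samples are assumptions.
"""

# Snort content string copied from the rule in the thread (|..| = hex bytes).
RULE_CONTENT_SPEC = 'document.write|28|unescape|28 22|%3Cscript src=|27 22 20 2B 20|'

# Hypothetical exclusion (assumed, not from the thread): the GA loader that
# follows the matched prefix in the stock analytics snippet.
EXCLUDE_CONTENT_SPEC = 'google-analytics.com/ga.js'
EXCLUDE_WINDOW = 200  # bytes after the match in which the exclusion is checked


def decode_snort_content(spec: str) -> bytes:
    """Expand a Snort content string: text outside |..| is literal, inside is hex."""
    out = bytearray()
    for i, part in enumerate(spec.split('|')):
        out += bytes.fromhex(part) if i % 2 else part.encode('latin-1')
    return bytes(out)


def find_nocase(payload: bytes, needle: bytes, start: int = 0) -> int:
    """Emulate `content:...; nocase;`: offset of the match, or -1."""
    return payload.lower().find(needle.lower(), start)


def matches_original(payload: bytes) -> bool:
    """SID 2013804 rev 2 as posted: a single case-insensitive content match."""
    return find_nocase(payload, decode_snort_content(RULE_CONTENT_SPEC)) != -1


def matches_tightened(payload: bytes) -> bool:
    """Hypothetical revision: same match, then the GA loader must not appear
    within EXCLUDE_WINDOW bytes after it. Snort would express this as a negated
    content with `within:`; this is an emulation, not the engine's exact
    semantics."""
    needle = decode_snort_content(RULE_CONTENT_SPEC)
    pos = find_nocase(payload, needle)
    if pos == -1:
        return False
    end = pos + len(needle)
    window = payload[end:end + EXCLUDE_WINDOW]
    return find_nocase(window, decode_snort_content(EXCLUDE_CONTENT_SPEC)) == -1


# Constructed sample bodies (not captured traffic). The first is the GA
# snippet Nathan quoted; the second reuses the same idiom against a
# placeholder host to stand in for what the rule was meant to catch.
GA_BODY = b"""<script type="text/javascript">
    var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
    document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>"""

REDIRECT_BODY = b"""<script>
    var h = "http://redirector.example.invalid/";
    document.write(unescape("%3Cscript src='" + h + "loader.js'%3E%3C/script%3E"));
</script>"""

PLAIN_BODY = b'<script src="/static/app.js"></script>'


def evaluate(samples: dict) -> dict:
    """Return {name: (original_hit, tightened_hit)} for each sample body."""
    return {name: (matches_original(body), matches_tightened(body))
            for name, body in samples.items()}


if __name__ == '__main__':
    results = evaluate({'ga': GA_BODY, 'redirect': REDIRECT_BODY, 'plain': PLAIN_BODY})
    for name, (orig, tight) in results.items():
        print(f'{name:9s} original={orig!s:5s} tightened={tight}')
```

Running it shows the GA body firing the original match and not the tightened one, while the placeholder redirect fires both. The caveat is the one the thread implicitly reached: an exclusion keyed on a hostname string only removes the known legitimate source, it adds no fidelity to the match itself and is defeated by any page that includes the excluded string near the injection, so disabling the signature until a more specific redirection artifact is found is the safer call.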