[Emerging-Sigs] FP sid:2023681

Attack Detection attackdetectionteam at gmail.com
Wed Jan 31 01:31:02 HST 2018


Hi, false triggering occurs if a key "&lm=..." is present and the referral
(&r=...) is an http URL with the keyword "text" for the path "search", as in
this traffic and monetization platform URI example:

http://ic.tynt.com/b/p?id=aGzWVEVo8r4ldEadbi-bpO&lm=0&ts=1517376386238&dn=TI&iso=0&img=uuuuu&ct=zzzz&r=https://yandex.ru/search/?text=xxxxx&clid=2270455&banerid=6302000000:57f39a32d09ae4001602c224&win=249&t=yyyyy

Rule fragment:
content:"lm="; http_uri;
content:"/search/?"; fast_pattern:only; http_uri;
pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U";

Best regards, John.
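The false positive described in the post, reproduced as an added Python example (this is not code from the post, from the Emerging Threats ruleset or from Suricata). It transcribes the three conditions of the quoted rule fragment as plain substring and regex tests over an approximation of Suricata's http_uri buffer (request path plus query string, no scheme or host), runs them over the tynt URL from the post, and shows that the "/search/?text=" hit comes from the value of the r= parameter rather than from the request's own path. The search_in_own_path() check at the end is an illustration of one way to distinguish the two cases, an assumption for this example and not the fix the ET team applied; the example.invalid URLs are constructed sample input.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qsl

# Constructed sample URIs. TYNT_URL is the FP example quoted in the post; the two
# example.invalid URLs are made up for this example: one shaped like a direct
# search request, one carrying the same referral but without any lm= key.
TYNT_URL = ("http://ic.tynt.com/b/p?id=aGzWVEVo8r4ldEadbi-bpO&lm=0&ts=1517376386238"
            "&dn=TI&iso=0&img=uuuuu&ct=zzzz&r=https://yandex.ru/search/?text=xxxxx"
            "&clid=2270455&banerid=6302000000:57f39a32d09ae4001602c224&win=249&t=yyyyy")
DIRECT_SEARCH_URL = "http://example.invalid/search/?text=xxxxx&lm=0"
CLEAN_URL = "http://example.invalid/b/p?id=1&r=https://yandex.ru/search/?text=xxxxx"

KEYWORDS = r"(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)"
# The pcre from the rule fragment; its /U flag means it runs against the URI buffer.
RULE_PCRE = re.compile(r"/\?" + KEYWORDS + "=")
# Used only by the illustrative tighter check below (assumption, not the ET fix).
QUERY_STARTS_WITH_KEYWORD = re.compile(r"^" + KEYWORDS + "=")


def http_uri(url: str) -> str:
    """Approximate Suricata's http_uri buffer: request path plus query string."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def rule_fragment_matches(url: str) -> bool:
    """Apply the three conditions of the posted rule fragment to the URI buffer.
    content matches are case-sensitive substring tests (no nocase in the fragment)."""
    uri = http_uri(url)
    return ("lm=" in uri
            and "/search/?" in uri
            and RULE_PCRE.search(uri) is not None)


def referer_param(url: str) -> Optional[str]:
    """Value of the r= parameter, which in the FP case carries the embedded search URL."""
    for key, value in parse_qsl(urlsplit(url).query):
        if key == "r":
            return value
    return None


def search_in_own_path(url: str) -> bool:
    """Illustrative tighter check (an assumption for this example, not the ET fix):
    require the '/search/?<keyword>=' hit to come from the request's own path and
    query, so a search URL that is merely embedded in a parameter value does not count."""
    parts = urlsplit(url)
    return (parts.path.endswith("/search/")
            and QUERY_STARTS_WITH_KEYWORD.match(parts.query) is not None)


if __name__ == "__main__":
    samples = (("tynt FP", TYNT_URL),
               ("direct search", DIRECT_SEARCH_URL),
               ("no lm= key", CLEAN_URL))
    for label, url in samples:
        print(f"{label:14s} rule={rule_fragment_matches(url)!s:5s} "
              f"own_path={search_in_own_path(url)!s:5s} r={referer_param(url)!r}")
```

Running it shows the tynt request satisfying all three rule conditions while its own path is /b/p, with the matching "/search/?text=" string living entirely inside the r= value; the constructed direct search request satisfies both the fragment and the path check, and the request without lm= is not matched by the fragment at all.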