[Emerging-Sigs] FP sid:2023681

James Emery-Callcott jcallcott at emergingthreats.net
Wed Jan 31 08:09:56 HST 2018


Hi John,

Thanks for sending this in.
We'll take a look and push a fix to QA asap.

Thanks,
James.

On Wed, Jan 31, 2018 at 11:31 AM, Attack Detection <
attackdetectionteam at gmail.com> wrote:

> Hi, false triggering occurs if a key "&lm=..." is present, and referral
> (&r=...) will be an HTTP URL with the keyword "text" for path "search", as
> for this traffic and monetization platform URI example:
>
> http://ic.tynt.com/b/p?id=aGzWVEVo8r4ldEadbi-bpO&lm=0&ts=1517376386238&dn=TI&iso=0&img=uuuuu&ct=zzzz&r=https://yandex.ru/search/?text=xxxxx&clid=2270455&banerid=6302000000:57f39a32d09ae4001602c224&win=249&t=yyyyy
>
> Rule fragment:
> content:"lm="; http_uri;
> content:"/search/?"; fast_pattern:only; http_uri;
> pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U";
>
> Best regards, John.


-- 
*James Emery-Callcott*
Security Researcher
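
The false positive reported in this thread, reproduced as an added example (not part of the original messages and not Emerging Threats code): it emulates the three quoted rule conditions against the reported URI and shows that every match lands inside the `r=` referrer value rather than on the request path. The function names, the constructed `DIRECT_URI` sample and the path-anchored check are assumptions for illustration, not the fix that was pushed.

```python
import re

# URI from the report above, with the mail client's line wraps joined.
# The host is dropped on the assumption that the rule inspects the request URI only.
REPORTED_URI = (
    "/b/p?id=aGzWVEVo8r4ldEadbi-bpO&lm=0&ts=1517376386238&dn=TI&iso=0"
    "&img=uuuuu&ct=zzzz&r=https://yandex.ru/search/?text=xxxxx"
    "&clid=2270455&banerid=6302000000:57f39a32d09ae4001602c224"
    "&win=249&t=yyyyy"
)
# Constructed sample: a request whose own path is /search/.
DIRECT_URI = "/search/?text=xxxxx&lm=0"

# The pcre from the quoted rule fragment (its /U flag selects the URI buffer).
RULE_PCRE = re.compile(r"/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=")


def fragment_matches(uri):
    """Emulate the three quoted conditions; none is anchored to a position."""
    return ("lm=" in uri and "/search/?" in uri
            and RULE_PCRE.search(uri) is not None)


def search_location(uri):
    """Report where '/search/?' sits: on the request path or in a parameter."""
    path, sep, query = uri.partition("?")
    if sep and path.endswith("/search/"):
        return ("request-path", None)
    for param in query.split("&"):
        name, _, value = param.partition("=")
        if "/search/?" in value:
            return ("parameter-value", name)
    return (None, None)


def path_anchored_match(uri):
    """Hypothetical stricter check: count the hit only on the request path."""
    return fragment_matches(uri) and search_location(uri)[0] == "request-path"


if __name__ == "__main__":
    for uri in (REPORTED_URI, DIRECT_URI):
        print(fragment_matches(uri), search_location(uri),
              path_anchored_match(uri))
```
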