[Emerging-Sigs] SID 2013017 False Positive

Matthew Clairmont (R* NYC) Matthew.Clairmont at rockstargames.com
Wed Apr 10 06:01:25 HDT 2019


We've had this signature fire a few times for daily update checks related to mobile benchmarking software. It looks like it's an easy exclusion through content:!"update.aida64.com". I do have a PCAP available if it's needed.

SRC: GET /gatheraddr/?str=399c7e5015c9254aef7938afc20f93f27e6ba893 HTTP/1.1
SRC: User-Agent: x
SRC: Host: update.aida64.com
SRC: Cache-Control: no-cache
DST: HTTP/1.1 200 OK
DST: X-Powered-By: PHP/5.6.29-0+deb8u1
DST: Content-type: text/html; charset=UTF-8
DST: Transfer-Encoding: chunked
DST: Date: Wed, 10 Apr 2019 08:01:41 GMT
DST: Server: lighttpd/1.4.35

Please let me know if you need any further information.
