[Emerging-Sigs] Falsies - 2015525

Ryan Moon ryan.c.moon at gmail.com
Fri Nov 23 06:42:03 HAST 2012


Morning everyone,

I have been getting some falsies on rule 2015525 over the past few days
on traffic from apple.com, microsoft.com, hp.com, weather.com, cnn.com...
It looks like Akamai changed something in their JavaScript includes, and
it is now setting off this rule a good bit for me.

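Specifically (search for 'try{eval'; in this payload it sits inside the
script's fallback JSON.parse, which evals its argument in a try/catch):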

15:36:06.190348 IP 97.67.101.75.80 > 1.2.3.4.4678: .
222510:223910(1400) ack 957 win 8372
E...r. at .:...aCeK
N...P.F...Y.g..P. .....unction(obj){var
i=this.length;while(i--){if(this[i]===obj){return true;}}return
false;};var prvLastObject=null;function prvReturnLastObject(){return
prvLastObject;}function
publicInitialize(initObject,mapObject,vendorObject){var
io=_w._jsmdDefaultMetadataDictionaryTemplate||prvDefaultMetadataDictionaryTemplate,mo=_w._jsmdDefaultVendorMapTemplate||prvDefaultVendorMapTemplate,vo=_w._jsmdDefaultVendorSpecificTemplate||prvDefaultVendorSpecificTemplate;io=(!initObject?io:initObject);mo=(!mapObject?mo:mapObject);vo=(!vendorObject?vo:vendorObject);prvLastObject=new
CAnalyticsObject(io,mo,vo);return
prvLastObject;}_w.JSON=_w.JSON||{stringify:function(a){var c=typeof
a;if(c!="object"||a===null){if(c=="string"){a='"'+a+'"';}return
String(a);}else{var d,b,f=[],e=a&&a.constructor==Array;for(d in
a){b=a[d];c=typeof
b;if(c=="string"){b='"'+b+'"';}else{if(c=="object"&&b!==null){b=JSON.stringify(b);}}f.push((e?"":'"'+d+'":')+String(b));}return(e?"[":"{")+String(f)+(e?"]":"}");}},parse:function(a){var
p=null;if(a===""){a='""';}try{eval("p="+a+";");}catch(err){}return
p;}};return{init:publicInitialize,JSMD:CAnalyticsObject,plugin:pubDefaultMetadataUtilities,last:prvReturnLastObject};}();function
trackMetrics(action,data,mapObj,loaderFunction){var
realaction=action,realdata=data,realmap=mapObj,realload=loaderFunction;if(typeof(action)=="object"){if(action.type!=null){realaction=action.type;}if(a


I think we can expire the rule, since it dates back to July. I do not
have a sample on hand from when it was created, so I cannot easily
modify it.

@Will/Chris : if you want a pcap to discuss this rule, I have one.

Thanks,

-RM

