[Dshield] ISCAlert triggering Snort alerts

Tom Liston tliston at premmag.com
Wed Aug 10 18:36:02 GMT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Castle, Shane wrote:
> My ISCAlert in the systray has started triggering Snort (bleeding-snort)
> alerts.  Here is a synopsis:
> 
> Generated by BASE v1.1.2 (zora) on Wed, 10 Aug 2005 09:26:42 -0600
> 
> ------------------------------------------------------------------------------
> #(1 - 977224) [2005-08-10 09:10:52]
> [url/securityresponse.symantec.com/avcenter/venc/data/vbs.postcard at mm.html]
>  [snort/2001921]  BLEEDING-EDGE VIRUS - Greeting card gif.exe email
> incoming HTTP
> IPv4: 65.173.218.98 -> 192.168.3.250
>       hlen=5 TOS=0 dlen=1329 ID=55156 flags=0 offset=0 TTL=115
> chksum=19104
> TCP:  port=80 -> dport: 1286  flags=***AP*** seq=1611421800
>       ack=1445276535 off=5 res=0 win=5840 urp=0 chksum=62777
> Payload:  length = 1289
> ------------------------------------------------------------------------------
> 
> I have the gory details of the rest of it.  I know why the alert is being
> triggered: the string 'postcard.gif.exe' occurs in the HTML.  What I don't
> understand is why this HTML page is being requested/sent at all.

In order to keep track of the InfoCon, ISCAlert reads an RSS/XML feed
from the ISC.  It does this every 15 minutes so that it can alert you in
the event that the InfoCon changes.

I believe that the URL used is:

http://isc.sans.org/rssfeed.xml

Regards,

- -TL
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)

iD8DBQFC+kkSo6r9fhzAJkoRAyDcAKC9Nkllm6v939BTl5iE5CSHd/ClIACg2aL+
YyEphFZzw5h+szDIRAHcBOg=
=c4MK
-----END PGP SIGNATURE-----
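The thread above illustrates a classic content-signature false positive: the rule fires on the literal string 'postcard.gif.exe', so a feed or advisory page that merely mentions the file name trips it just as a real download would. The following Python is an added example, not code from the thread, from ISCAlert or from the Bleeding Snort project; the two HTTP responses are constructed samples, and the bare-substring matcher and the context-aware refinement are simplified models of how such a rule behaves, not the actual text of rule 2001921.

```python
# Constructed sample of the kind of response the quoted alert was raised on:
# an RSS/XML feed whose item links to a vendor write-up and names the worm's
# attachment in its description text. The feed is benign.
FEED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/xml\r\n"
    "\r\n"
    "<rss><channel><item>"
    "<title>Postcard worm</title>"
    "<link>http://securityresponse.symantec.com/avcenter/venc/data/"
    "vbs.postcard@mm.html</link>"
    "<description>Arrives as an attachment named postcard.gif.exe</description>"
    "</item></channel></rss>"
)

# Constructed sample of a response that actually delivers the executable.
EXE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/octet-stream\r\n"
    'Content-Disposition: attachment; filename="postcard.gif.exe"\r\n'
    "\r\n"
    "MZ..."  # placeholder for binary content
)

# Assumed: the string the quoted post says triggered the rule.
SIGNATURE_CONTENT = "postcard.gif.exe"


def naive_content_match(payload: str, needle: str = SIGNATURE_CONTENT) -> bool:
    """Simplified model of a bare Snort 'content:' option: the string anywhere
    in the payload is a hit. Case-insensitive here for illustration (Snort is
    case-sensitive unless 'nocase' is set)."""
    return needle.lower() in payload.lower()


def split_http(payload: str):
    """Split an HTTP response into a lower-cased header dict and the body."""
    head, _, body = payload.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def context_aware_match(payload: str, needle: str = SIGNATURE_CONTENT) -> bool:
    """Hypothetical refinement: only flag when the string names a file being
    delivered (Content-Disposition filename or a non-text body), not when it
    merely appears inside text, XML or HTML such as a feed or advisory."""
    headers, body = split_http(payload)
    ctype = headers.get("content-type", "")
    disposition = headers.get("content-disposition", "")
    if needle.lower() in disposition.lower():
        return True
    if ctype.startswith(("text/", "application/xml", "application/rss")):
        return False
    return needle.lower() in body.lower()


if __name__ == "__main__":
    for label, resp in (("feed", FEED_RESPONSE), ("exe", EXE_RESPONSE)):
        print(f"{label}: naive={naive_content_match(resp)} "
              f"context_aware={context_aware_match(resp)}")
```

The naive matcher fires on both samples, which is exactly the behaviour in the quoted alert; the context-aware check fires only on the response that carries the executable. If rewriting the rule is not an option, Snort's threshold.conf can silence this one signature for the feed server alone, for example `suppress gen_id 1, sig_id 2001921, track by_src, ip <feed server IP>` (placeholder address; the server that serves http://isc.sans.org/rssfeed.xml in this case), which keeps the rule active for every other source.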
