Friday, May 4

I believe this pcap to be bad.


Alerts (Snort 2.9.2.2, dump-1.pcap)
Rule (GID:SID:Rev)  Alerts  Message
1:18275:9                1  FILE-IDENTIFY HyperText Markup Language file download request
1:16425:15               3  FILE-IDENTIFY Portable Executable binary file download request
1:21860:1                4  SPECIFIC-THREATS Phoenix exploit kit post-compromise behavior
1:21042:4                1  BLACKLIST URI possible Blackhole post-compromise download attempt - .php?f=
1:21492:12               3  SPECIFIC-THREATS Blackhole landing page with specific structure - prototype catch
1:21347:3                1  BLACKLIST URI possible Blackhole URL - .php?page=
1:13245:2                2  BACKDOOR troya 1.4 runtime detection - init connection
1:21646:6                2  SPECIFIC-THREATS Blackhole landing page with specific structure - prototype catch
1:11192:12               2  FILE-IDENTIFY download of executable content
120:8:1                  1  (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
1:20494:6                1  FILE-IDENTIFY PDF file magic detected
1:21583:4                1  FILE-PDF Possible malicious pdf detection - qwe123
1:21556:3                4  POLICY-OTHER Microsoft Windows 98 User-Agent string
1:648:12                 3  SHELLCODE x86 NOOP
1:21548:1                1  BOTNET-CNC Cutwail landing page connection attempt
1:15306:16               2  FILE-IDENTIFY Portable Executable binary file magic detected
1:21418:1                1  BOTNET-CNC Trojan.FareIt outbound connection
1:22041:2                1  SPECIFIC-THREATS Blackhole landing redirection page
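As an added example (my own code, not part of the original post or of Snort), the script below parses the alert summary above and reorders it by kill-chain stage, so the post-compromise signatures (BOTNET-CNC, BACKDOOR, and any rule whose message says "post-compromise") are read before the exploit-kit landing-page hits and the purely informational FILE-IDENTIFY / POLICY-OTHER noise. The mapping from rule class to stage and the verdict wording are my assumptions for the example; Snort only supplies the class prefix and the counts.

```python
import re
from collections import Counter

# The 18 alert-summary lines from the post above (Snort 2.9.2.2, dump-1.pcap),
# embedded so the example runs offline.
ALERT_SUMMARY = """\
1:18275:9 FILE-IDENTIFY HyperText Markup Language file download request Alerts: 1
1:16425:15 FILE-IDENTIFY Portable Executable binary file download request Alerts: 3
1:21860:1 SPECIFIC-THREATS Phoenix exploit kit post-compromise behavior Alerts: 4
1:21042:4 BLACKLIST URI possible Blackhole post-compromise download attempt - .php?f= Alerts: 1
1:21492:12 SPECIFIC-THREATS Blackhole landing page with specific structure - prototype catch Alerts: 3
1:21347:3 BLACKLIST URI possible Blackhole URL - .php?page= Alerts: 1
1:13245:2 BACKDOOR troya 1.4 runtime detection - init connection Alerts: 2
1:21646:6 SPECIFIC-THREATS Blackhole landing page with specific structure - prototype catch Alerts: 2
1:11192:12 FILE-IDENTIFY download of executable content Alerts: 2
120:8:1 (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE Alerts: 1
1:20494:6 FILE-IDENTIFY PDF file magic detected Alerts: 1
1:21583:4 FILE-PDF Possible malicious pdf detection - qwe123 Alerts: 1
1:21556:3 POLICY-OTHER Microsoft Windows 98 User-Agent string Alerts: 4
1:648:12 SHELLCODE x86 NOOP Alerts: 3
1:21548:1 BOTNET-CNC Cutwail landing page connection attempt Alerts: 1
1:15306:16 FILE-IDENTIFY Portable Executable binary file magic detected Alerts: 2
1:21418:1 BOTNET-CNC Trojan.FareIt outbound connection Alerts: 1
1:22041:2 SPECIFIC-THREATS Blackhole landing redirection page Alerts: 1
"""

# Summary line shape: "gid:sid:rev <message> Alerts: <count>"
ALERT_RE = re.compile(
    r"^(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\s+(?P<msg>.+?)\s+Alerts:\s*(?P<count>\d+)$"
)

# Rule class -> kill-chain stage. This grouping is my own triage convention
# (an assumption for the example); Snort itself only supplies the class prefix.
STAGE_OF_CLASS = {
    "BOTNET-CNC": "post-compromise",
    "BACKDOOR": "post-compromise",
    "SPECIFIC-THREATS": "exploit-kit",
    "BLACKLIST": "exploit-kit",
    "FILE-PDF": "exploit-kit",
    "SHELLCODE": "exploit-kit",
    "FILE-IDENTIFY": "informational",
    "POLICY-OTHER": "informational",
}
STAGE_PRIORITY = {"post-compromise": 0, "exploit-kit": 1, "unclassified": 2, "informational": 3}


def classify(gid, msg):
    """Derive (rule_class, stage) from a rule's GID and its message text."""
    if gid == 1:
        rule_class = msg.split(" ", 1)[0]            # text rules: "CLASS rest of message"
    else:
        # Preprocessor rules (e.g. GID 120 = http_inspect) start with "(name)".
        rule_class = msg.split(")", 1)[0].lstrip("(").upper()
    stage = STAGE_OF_CLASS.get(rule_class, "unclassified")
    # A rule whose own message says "post-compromise" outranks its class prefix.
    if "post-compromise" in msg.lower():
        stage = "post-compromise"
    return rule_class, stage


def parse_alerts(text):
    """Parse summary lines into dicts; raise on any line that does not match."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ALERT_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable alert line: {line!r}")
        gid, sid, rev, count = (int(m.group(k)) for k in ("gid", "sid", "rev", "count"))
        rule_class, stage = classify(gid, m.group("msg"))
        alerts.append({"gid": gid, "sid": sid, "rev": rev, "msg": m.group("msg"),
                       "count": count, "class": rule_class, "stage": stage})
    return alerts


def stage_counts(alerts):
    """Total alert volume per kill-chain stage."""
    c = Counter()
    for a in alerts:
        c[a["stage"]] += a["count"]
    return dict(c)


def triage(alerts):
    """Order alerts so the analyst reads post-compromise evidence first."""
    return sorted(alerts, key=lambda a: (STAGE_PRIORITY[a["stage"]], -a["count"], a["sid"]))


def verdict(alerts):
    """Coarse call on the capture based on which stages fired (my thresholds)."""
    seen = stage_counts(alerts)
    if seen.get("post-compromise", 0) and seen.get("exploit-kit", 0):
        return "likely compromised: exploit-kit delivery followed by C2/backdoor traffic"
    if seen.get("post-compromise", 0):
        return "likely compromised: C2/backdoor traffic without observed delivery"
    if seen.get("exploit-kit", 0):
        return "suspicious: exploit-kit activity, no post-compromise traffic seen"
    return "no exploit or C2 signatures fired"


if __name__ == "__main__":
    parsed = parse_alerts(ALERT_SUMMARY)
    for a in triage(parsed):
        print(f"{a['stage']:16} {a['count']:3}  {a['gid']}:{a['sid']}:{a['rev']}  {a['msg']}")
    print(stage_counts(parsed), verdict(parsed))
```

Run stand-alone it prints the list with the Phoenix, Blackhole post-compromise, troya, Cutwail and FareIt rules at the top, then the landing-page, PDF and NOOP-sled hits, and the FILE-IDENTIFY entries last. The stage totals for this capture are 9 post-compromise, 11 exploit-kit, 13 informational and 1 unclassified (the http_inspect preprocessor event). Treat the verdict as a reading order, not proof: FILE-IDENTIFY and POLICY-OTHER rules fire on any matching download or User-Agent, and a landing-page signature alone does not show the exploit succeeded; the C2 and backdoor rules are what justify calling the pcap bad.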


I could be wrong. Don't think I am.


Please leave comments below.
