alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Revoked Adobe Code Signing Certificate Seen"; flow:established,to_client; content:"|30 82|"; content:"|a0 03 02 01 02 02 10 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00|"; distance:6; within:38; content:"|1e 17 0d|101215000000Z|17 0d|121214235959Z0"; distance:184; within:32; content:"Adobe Systems Incorporated"; distance:66; within:26; reference:url,www.adobe.com/support/security/advisories/apsa12-01.html; classtype:policy-violation; sid:2015743; rev:2;)

Added 2014-09-19 17:22:44 UTC
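
An added example, not part of the original page or the Emerging Threats ruleset: the rule's second and third content matches are fragments of a DER-encoded X.509 certificate, and the Python below decodes them into the version, serial number, signature algorithm and validity dates that an analyst can compare against the certificate extracted from an alerting session. The function names, including the `serial_matches` helper, are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Bytes copied from the rule's second and third content matches (sid:2015743).
SERIAL_AND_ALG = bytes.fromhex(
    "a003020102"                            # [0] EXPLICIT { INTEGER version }
    "021015e5ac0a487063718e39da52301a0488"  # INTEGER serialNumber (16 bytes)
    "300d06092a864886f70d0101050500")       # SEQUENCE { OID, NULL }
# Third match without its trailing "0" (0x30, the tag of the next SEQUENCE).
VALIDITY = b"\x1e\x17\x0d" b"101215000000Z" b"\x17\x0d" b"121214235959Z"

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one short-form DER element."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80 or pos + 2 + length > len(buf):
        raise ValueError("long-form length or truncated element")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def utctime(body):
    # UTCTime is YYMMDDHHMMSSZ; %y maps 00-68 to 20xx, which fits these dates.
    return datetime.strptime(body.decode("ascii"), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def decode_rule_fields():
    """Decode the certificate fields that the rule's content matches pin down."""
    _, ver, pos = read_tlv(SERIAL_AND_ALG, 0)
    _, serial, pos = read_tlv(SERIAL_AND_ALG, pos)
    _, alg, _ = read_tlv(SERIAL_AND_ALG, pos)
    # VALIDITY[0] is the length byte of the Validity SEQUENCE (2 x 15 bytes).
    if VALIDITY[0] != len(VALIDITY) - 1:
        raise ValueError("validity length byte does not match its contents")
    _, not_before, pos = read_tlv(VALIDITY, 1)
    _, not_after, _ = read_tlv(VALIDITY, pos)
    return {"version": read_tlv(ver, 0)[1][0] + 1, "serial": serial.hex(),
            "sig_alg_oid": decode_oid(read_tlv(alg, 0)[1]),
            "not_before": utctime(not_before), "not_after": utctime(not_after)}

def serial_matches(text):
    """Compare a serial as printed by `openssl x509 -noout -serial`, or colon-separated."""
    cleaned = text.strip().split("=")[-1].replace(":", "").replace(" ", "").lower()
    return cleaned == decode_rule_fields()["serial"]
```
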

False Positive for 184.107.107.195 - http://worldoffinalfantasy.square-enix.com/us/ on 11/10/2016

-- JimMcKibben - 2016-11-16

Hi Jim, this is a pretty specific signature, so I am going to guess that it was a TP that you're seeing. This is an INFO sig, so it does not necessarily mean there is some threat issue surrounding the alert, just something that you might be interested in researching if you see it on your network, as it could be associated with something malicious.

-- DarienH - 2016-11-16


Topic revision: r3 - 2016-11-16 - DarienH
 
Copyright © Emerging Threats