SNORT keeps blocking FEDEX



  • Ever since FEDEX got hit by a couple viruses last year, it gets routinely blocked by SNORT.  I've tried to find a common thread but I can't.  Has anyone else had issues with FEDEX being blocked often?

    I've allowed every IP I can associate with FEDEX.  Recently, I found this rule in "Blocked" by SNORT.  This one was associated with FEDEX and caused it to be blocked.

    96.16.205.130
    ET POLICY HTTP POST invalid method case outbound

    I found this to be an obscure Akamai IP.  What do they do again…..install stuff....deliver content....hhhm?



  • Akamai is a content distribution network (CDN).  Networks like that consist of many servers scattered around the world and they are designed to deliver content rapidly to huge numbers of users.  Large corporations will routinely host content on such networks in order to gain the advantages of huge bandwidth and geographically nearby sources of data for their customers.

    So Akamai itself is benign.  You are experiencing a false positive from that rule.  You can disable the rule if you wish.  Many of these rules are designed for special cases and do not necessarily apply in all situations.  I've found over the years that many rules are too sensitive, especially rules written around what HTTP data should look like.  The rules frequently strictly adhere to published standards for web content, but many commercial web sites (and web server engines) do not so strictly adhere to the web content standards.  Thus such rules will "false positive" on what is really not malicious content at all, but is just a site not strictly adhering to every paragraph of some rule about how web content should flow back and forth from server to client.

    Bill
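
Added example, not part of the thread: a short script that tallies Snort fast-format alerts by rule and destination and emits `suppress` entries scoped to one destination, a narrower option than disabling a rule everywhere. The sample log, the SIDs 9000001 and 9000002, the second rule name and the internal addresses are constructed placeholders; only the alert message and 96.16.205.130 come from the post above.

```python
import re
from collections import Counter

# Constructed sample in Snort "fast" alert format. SIDs are placeholders,
# not the real SIDs of any rule; 192.168.1.x and 203.0.113.7 are made up.
FP_MSG = "ET POLICY HTTP POST invalid method case outbound"
CLS = "[Classification: Potential Corporate Privacy Violation] [Priority: 1]"
SAMPLE_ALERTS = "\n".join([
    f"03/14-09:12:01.120001  [**] [1:9000001:1] {FP_MSG} [**] {CLS} {{TCP}} 192.168.1.20:50112 -> 96.16.205.130:80",
    f"03/14-09:12:07.450210  [**] [1:9000001:1] {FP_MSG} [**] {CLS} {{TCP}} 192.168.1.20:50118 -> 96.16.205.130:80",
    f"03/14-09:30:44.000913  [**] [1:9000001:1] {FP_MSG} [**] {CLS} {{TCP}} 192.168.1.31:49822 -> 96.16.205.130:80",
    f"03/14-10:02:13.731004  [**] [1:9000001:1] {FP_MSG} [**] {CLS} {{TCP}} 192.168.1.31:49901 -> 203.0.113.7:80",
    f"03/14-10:05:00.000001  [**] [1:9000002:3] EXAMPLE constructed rule [**] {CLS} {{TCP}} 192.168.1.20:50200 -> 96.16.205.130:80",
    "snort[1234]: this line is not an alert and must be skipped",
])

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

def parse_alerts(text):
    """Return one dict per line that looks like a fast alert; skip the rest."""
    return [m.groupdict() for m in map(ALERT_RE.search, text.splitlines()) if m]

def summarize(alerts):
    """Count alerts per (gid, sid, msg, dst), most frequent first."""
    keys = ((a["gid"], a["sid"], a["msg"], a["dst"]) for a in alerts)
    return Counter(keys).most_common()

def suppress_lines(alerts, msg_substring, min_hits=2):
    """Build per-destination suppress entries for a rule judged a false positive.

    Only (rule, destination) pairs seen at least min_hits times are included,
    so a single stray alert to an unknown host is left for manual review.
    """
    out = []
    for (gid, sid, msg, dst), hits in summarize(alerts):
        if msg_substring in msg and hits >= min_hits:
            out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {dst}")
    return out

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for key, hits in summarize(alerts):
        print(hits, *key)
    print("\n".join(suppress_lines(alerts, "invalid method case")))
```

Because CDN addresses such as Akamai's serve many sites and change over time, review the tally before accepting any generated entry.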



  • Thanks, Bill.  Probably just pushing down ads.

