Snort and Sitescout

  • I have been running Snort for about a year, lately in blocking mode. I run a quite lenient rule set and am quite happy, as it still catches quite a lot of unwanted packages entering or leaving my network. I am trying to find the reason for some services being slow (some Android apps and YouTube primarily).

    I can see quite a lot of outgoing traffic on "1:72049 sitescout" being blocked. What is it and is this a false positive or not?

  • Are you sure you copied that SID correctly? I can't find it in the Snort rules lookup site. I did a quick Google search for "Sitescout" and found this. The site describes itself as a self-serve advertising platform where apparently buyers "bid" for advertising space or something like that. I did not read all the documentation.

    What rule category is that rule from? Offhand I would think it's not malicious by itself, but if it is an ad server site, it's certainly possible for someone to compromise a server there and then it could become malicious.
