[Snort-sigs] Re: Fp ON 2001702
frank at ...1978...
Mon Jul 4 10:50:16 EDT 2005
On Mon, 2005-07-04 at 11:24 -0400, Michael Scheidell wrote:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:
> "BLEEDING-EDGE MALWARE Shop at Home Select Spyware Activity"; flow:
> established,to_server; content:"User-Agent\: "; nocase;
> content:"Bundle"; nocase; classtype: policy-violation; sid: 2001702;
> Should we not use some type of offset or use pcre to make sure 'Bundle'
> comes after User-Agent?
> Maybe this should be looked at for all of the 'user-agent' strings?
Some time ago I went through all User Agent strings and added a distance
option to the actual agent name part. That way it was split up and the
search depth was limited to speed up rule processing and limit false
It seems that the newly entered rules don't follow that example. I'll go
through later today and add a distance/within to all two-part User-Agent
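As an added illustration, not part of this thread or of the Bleeding Edge rule set, here is a small Python model of Snort's content/distance/within matching that shows why the relative modifiers Frank describes remove the false positive Michael raises. The two HTTP requests, the within value of 32 and the helper names are constructed assumptions for this example.

```python
"""Model of Snort content matching: absolute search vs. distance/within.

The original rule (two absolute content matches) fires on any request that
contains "User-Agent: " somewhere and "bundle" anywhere else, e.g. in the URI.
Anchoring the second content to the first with distance/within restricts the
search to the agent-name part of the header, as the reply above proposes:
    content:"User-Agent|3A| "; nocase; content:"Bundle"; nocase; distance:0; within:32;
(the within:32 value is an assumption chosen for this example)
"""
from typing import List, Optional, Tuple

# (pattern, distance, within); distance None means an absolute (non-relative) search
Content = Tuple[bytes, Optional[int], Optional[int]]

def find_nocase(payload: bytes, pattern: bytes, start: int, end: Optional[int]) -> int:
    """Case-insensitive search for pattern fully inside payload[start:end]; -1 if absent."""
    idx = payload[start:end].lower().find(pattern.lower())
    return -1 if idx < 0 else start + idx

def match_rule(payload: bytes, contents: List[Content]) -> bool:
    """Evaluate an ordered list of content matches the way Snort would."""
    prev_end = 0
    for pattern, distance, within in contents:
        if distance is None:
            start, end = 0, None                 # absolute: whole payload from offset 0
        else:
            start = prev_end + distance          # relative: begin after the previous match
            end = None if within is None else start + within   # and stay inside the window
        idx = find_nocase(payload, pattern, start, end)
        if idx < 0:
            return False
        prev_end = idx + len(pattern)
    return True

# Constructed sample requests: one with the suspect agent, one benign with "bundle" in the URI
SPYWARE_REQ = (b"GET /ad HTTP/1.1\r\nHost: example.invalid\r\n"
               b"User-Agent: Bundle/1.0\r\n\r\n")
BENIGN_REQ = (b"GET /products/bundle.html HTTP/1.1\r\nHost: example.invalid\r\n"
              b"User-Agent: Mozilla/5.0\r\n\r\n")

ORIGINAL = [(b"User-Agent: ", None, None), (b"Bundle", None, None)]   # as posted
TIGHTENED = [(b"User-Agent: ", None, None), (b"Bundle", 0, 32)]       # distance:0; within:32

if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL), ("tightened", TIGHTENED)):
        print(name, "spyware:", match_rule(SPYWARE_REQ, rule),
              "benign:", match_rule(BENIGN_REQ, rule))
```

With the absolute matches the benign request fires because "bundle" in the URI satisfies the second content; with distance/within only the request whose agent name starts with Bundle matches.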