[Snort-sigs] Re: Fp ON 2001702

Frank Knobbe frank at ...1978...
Mon Jul 4 10:50:16 EDT 2005


On Mon, 2005-07-04 at 11:24 -0400, Michael Scheidell wrote:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:
> "BLEEDING-EDGE MALWARE Shop at Home Select Spyware Activity"; flow:
> established,to_server; content:"User-Agent\: "; nocase;
> content:"Bundle"; nocase; classtype: policy-violation; sid: 2001702;
> rev:6;) 
> 
> Should we not use some type of offset or use pcre to make sure 'Bundle'
> comes after User-Agent?
> Maybe this should be looked at for all of the 'user-agent' strings?

Some time ago I went through all User Agent strings and added a distance
option to the actual agent name part. That way it was split up and the
search depth was limited to speed up rule processing and limit false
positives.

It seems that the newly entered rules don't follow that example. I'll go
through later today and add a distance/within to all two-part User-Agent
sigs.

Cheers,
Frank
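The point Frank makes above, that two unanchored `content` matches let "Bundle" match anywhere in the request while a `distance`/`within` pair ties it to the bytes right after "User-Agent: ", can be shown with a small model of how Snort evaluates relative content options. The following Python is an added example written for this page, not code from Snort or from the list; the request samples are constructed, and the `within:40` window is an assumed value chosen for illustration, not a value from the thread.

```python
"""Toy model of Snort content / distance / within matching (added example).

Each content option is a tuple (pattern, distance, within).  distance and
within of None mean the option is absent, so the pattern may match anywhere
in the payload, which is how the quoted rev:6 rule behaves.
"""

def match_contents(payload: bytes, contents) -> bool:
    low = payload.lower()          # every pattern below is declared nocase
    cursor = 0                     # end offset of the previous content match
    for pattern, distance, within in contents:
        pattern = pattern.lower()
        if distance is None and within is None:
            start, end = 0, len(low)                  # unanchored search
        else:
            start = cursor + (distance or 0)          # distance: skip N bytes after previous match
            end = start + within if within is not None else len(low)  # within: match must fit in window
        idx = low.find(pattern, start, end)
        if idx < 0:
            return False
        cursor = idx + len(pattern)
    return True


# Rule as quoted in the thread: two independent content matches.
RULE_REV6 = [(b"User-Agent: ", None, None), (b"Bundle", None, None)]

# Same rule with the agent name anchored to the header value
# (content:"Bundle"; nocase; distance:0; within:40;).  40 is an assumed window.
RULE_ANCHORED = [(b"User-Agent: ", None, None), (b"Bundle", 0, 40)]

# Constructed HTTP requests (not captured traffic).
REQ_FP = (b"GET /download?pkg=Bundle-2.1 HTTP/1.1\r\n"
          b"Host: example.invalid\r\n"
          b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n")   # "Bundle" only in the URI
REQ_HIT = (b"GET /track HTTP/1.1\r\n"
           b"Host: example.invalid\r\n"
           b"User-Agent: Bundle/1.0\r\n\r\n")                            # real agent string
REQ_LATER = (b"GET / HTTP/1.1\r\n"
             b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
             b"Cookie: pkg=Bundle\r\n\r\n")                              # "Bundle" after the UA line
REQ_MISS = (b"GET / HTTP/1.1\r\n"
            b"User-Agent: Mozilla/4.0\r\n\r\n")                          # nothing to match


def evaluate():
    """Return {sample_name: (rev6_result, anchored_result)} for all samples."""
    samples = {"fp": REQ_FP, "hit": REQ_HIT, "later": REQ_LATER, "miss": REQ_MISS}
    return {name: (match_contents(req, RULE_REV6), match_contents(req, RULE_ANCHORED))
            for name, req in samples.items()}


if __name__ == "__main__":
    for name, (rev6, anchored) in evaluate().items():
        print(f"{name:5s}  rev6={rev6!s:5s}  anchored={anchored}")
```

Running it shows the rev:6 form alerting on the `fp` and `later` samples, where "Bundle" sits in the URI or a later header, while the anchored form fires only on the genuine agent string. The window size is the trade-off: too small a `within` turns into false negatives when the agent name is preceded by other text in the same header, so it should be sized from the real agent strings the rule targets.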


