[Snort-sigs] Proposed Modification, reduction of false positives in SID 7829

evilghost at ...3397...
Tue Oct 6 16:27:40 EDT 2009


I am seeing false positives on SID 7829 in spyware-put.rules due to the
nocase content matching on "Gator"; things like "Akregator/1.5.1;
syndication" match on this.  Rather than using the negated content
matches to eliminate the false positives (see the current FeedDemon
negated match), I propose the content match be changed to
content:" Gator" from content:"Gator".  The pcre would then no longer be
necessary as well.

Perhaps even a simple content match:

content:"|0d 0a|User-Agent|3a| Gator"; nocase

-evilghost
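To show why the leading space (or the full header anchor) removes the Akregator false positive, here is an added example that is not part of the list post: a small Python emulation of a Snort `content` match with `nocase`, run over two constructed HTTP requests (a feed reader and a "Gator" User-Agent) for the three candidate content strings discussed above. The real SID 7829 rule has other options (flow, pcre) that are not modelled here.

```python
def decode_content(spec: str) -> bytes:
    """Decode a Snort content string: text outside |..| is literal,
    text inside |..| is space-separated hex bytes (e.g. |0d 0a|)."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")          # literal text
        else:
            out += bytes.fromhex(part.replace(" ", ""))  # hex escape
    return bytes(out)

def content_matches(spec: str, payload: bytes, nocase: bool = True) -> bool:
    """Emulate a single Snort content match, with nocase as in the rule."""
    needle = decode_content(spec)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload

# Constructed sample requests (not captures from the list post).
FALSE_POSITIVE = (b"GET /feed.xml HTTP/1.1\r\nHost: example.test\r\n"
                  b"User-Agent: Akregator/1.5.1; syndication\r\n\r\n")
TRUE_POSITIVE = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                 b"User-Agent: Gator/7.0\r\n\r\n")

# The three content strings discussed in the post.
CANDIDATES = {
    "current":  'Gator',                        # substring, matches Akregator
    "proposed": ' Gator',                       # leading space breaks the FP
    "anchored": '|0d 0a|User-Agent|3a| Gator',  # tied to the UA header
}

def evaluate(payload: bytes) -> dict:
    """Return, per candidate content string, whether it fires on payload."""
    return {name: content_matches(spec, payload)
            for name, spec in CANDIDATES.items()}

if __name__ == "__main__":
    for label, req in (("Akregator feed reader", FALSE_POSITIVE),
                       ("Gator User-Agent", TRUE_POSITIVE)):
        print(label, evaluate(req))
```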
