[Snort-sigs] Suggested pcre addition to 1:6251

CunningPike cunningpike at ...2420...
Wed Nov 24 14:31:06 EST 2010


Hi there,

I get a lot of false positives on the following rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT
Adware hotbar runtime detection - hostie user-agent";
flow:to_server,established; content:"User-Agent|3A| "; nocase;
content:"hostie"; distance:0; nocase; threshold:type limit, track
by_src, count 1, seconds 300; metadata:policy security-ips alert;
reference:url,www.spywareguide.com/product_show.php?id=481;
reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075474;
classtype:misc-activity; sid:6251; rev:5;)

from content like this:

GET /2.5.1/js/CF_insight.min.js HTTP/1.1..Accept: */*..Referer:
http://www.theweathernetwork.com/weather/cabc0308..Accept-Language:
en-us..Accept-Encoding: gzip, deflate..User-Agent: Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1)..Connection:
Keep-Alive..Host: scripthostie6.crowdfactory.com....

I'm wondering would the addition of the following pcre help keep the
match within the User-Agent field:

pcre:"/User-Agent:[^\x0D\x0A]*hostie.*/smi";

or would it allow for evasion of some kind.

If this is a could idea, there are probably other UA-based sigs that
could benefit from the same treatment.

Thoughts?

CP




More information about the Snort-sigs mailing list