[Snort-sigs] Suggested pcre addition to 1:6251
cunningpike at ...2420...
Wed Nov 24 14:31:06 EST 2010
I get a lot of false positives on the following rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT
Adware hotbar runtime detection - hostie user-agent";
flow:to_server,established; content:"User-Agent|3A| "; nocase;
content:"hostie"; distance:0; nocase; threshold:type limit, track
by_src, count 1, seconds 300; metadata:policy security-ips alert;
classtype:misc-activity; sid:6251; rev:5;)
from content like this:
GET /2.5.1/js/CF_insight.min.js HTTP/1.1..Accept: */*..Referer:
en-us..Accept-Encoding: gzip, deflate..User-Agent: Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1)..Connection:
I'm wondering whether the addition of the following pcre would help keep the
match within the User-Agent field:
or whether it would allow for evasion of some kind.
If this is a good idea, there are probably other UA-based sigs that
could benefit from the same treatment.
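As an added example, not part of the original post, the Python below models why the rule's `content:"hostie"; distance:0` can match well past the User-Agent line (distance:0 only sets where the search starts, not where it ends), beside a header-scoped check. The sample requests and the regex are constructed assumptions, not the pcre proposed in the post.

```python
import re

# Constructed sample requests (not from the post). Headers use CRLF on the
# wire; the post's ".." rendering is how Snort prints CR LF.
UA_HIT = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: hostie/1.0\r\n"
    b"Connection: close\r\n\r\n"
)
LATER_HEADER = (
    b"GET /2.5.1/js/CF_insight.min.js HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    b"Cookie: session=ghostie-demo\r\n"  # "hostie" sits here, not in the UA
    b"Connection: Keep-Alive\r\n\r\n"
)


def rule_6251_content_match(payload: bytes) -> bool:
    """Model the rule's two content options: find 'User-Agent: ' (nocase),
    then 'hostie' (nocase) anywhere after it. distance:0 anchors the start
    of the second search; it does not bound it to the header line."""
    low = payload.lower()
    i = low.find(b"user-agent: ")
    if i < 0:
        return False
    return low.find(b"hostie", i + len(b"user-agent: ")) >= 0


# Hypothetical header-scoped check (an assumption, not the post's pcre):
# 'hostie' must occur before the end of the User-Agent line. The same
# pattern could be expressed as a Snort pcre with the i and m modifiers.
UA_LINE = re.compile(rb"^User-Agent:[^\r\n]*hostie", re.IGNORECASE | re.MULTILINE)


def ua_scoped_match(payload: bytes) -> bool:
    """True only when 'hostie' appears on the User-Agent header line."""
    return UA_LINE.search(payload) is not None
```

Run against the two constructed requests, the content-only model fires on both while the header-scoped check fires only on the first.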