[Snort-sigs] FP on 5803

Alex Kirk akirk at ...435...
Thu Feb 17 14:34:44 EST 2011


Looks like it's "sort of" legit in that you were visiting a page affiliated
with the Myway.com people, but given that we have User-Agent based rules for
this toolbar as well, and that your U-A looks normal here, the rule is
misidentifying whether or not you have the toolbar installed (which would
have been the original point of the rule).

Since the U-A stuff should work better anyway, we'll just delete this rule.

On Thu, Feb 17, 2011 at 1:51 PM, Weir, Jason <jason.weir at ...3410...> wrote:

> Triggers just visiting this url
>
> http://apnews.myway.com/article/20110217/D9LEGDMG0.html
>
>
> GET /images/nocache/tr/gca/m.gif?rand=473750261&a=excite_myway_default_js&u=http%3A//apnews.myway.com/article/20110217/D9LEGDMG0.html&r=-1&w=5&k=&v=&g=&s=&h= HTTP/1.1
> Host: imgfarm.com
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
> Accept: image/png,image/*;q=0.8,*/*;q=0.5
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 115
> Connection: keep-alive
> Referer: http://apnews.myway.com/article/20110217/D9LEGDMG0.html
>
> -J



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...435...