[Snort-sigs] FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get
Jason.Haar at ...651...
Sun Mar 13 17:19:55 EDT 2011
We just had this trigger when a user downloaded an update from Baidu.com
The URLs were
The rule is a combination of a User-Agent match and a
"metadata:impact_flag" (does the latter mean there's some extra checks
going on or is that simply a classification tag?)
I found a hit from Emerging-sigs from last year about it as a FP too - I
guess Sourceforge is a bit behind on this one? ;-)
I can ship the PCAP if you want it (it's got the user's cookies - so I
won't publish here)
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
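On the question in the post of whether `metadata:impact_flag` adds extra checks: in a Snort 2 rule, `metadata` is an informational option, and only the content/pcre-style options decide whether a packet matches. The following is an added example, not code from the post and not Sourcefire VRT or Snort code. It parses a rule in the style of SID 18369 (the post does not quote the rule text, so the `content` pattern, `nocase`/`http_header` modifiers and the metadata values are constructed assumptions) and a constructed HTTP request, then separates detection options from informational ones and runs the simplified User-Agent match.

```python
import re

# Constructed approximation of a Snort 2 blacklist User-Agent rule in the style of
# SID 18369 rev 2. The msg text and SID come from the post; everything else is an
# assumption made for this example, not the actual VRT rule body.
SAMPLE_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"BLACKLIST USER-AGENT known malicious user-agent string iexp-get"; '
    'flow:to_server,established; content:"User-Agent|3A| iexp-get"; nocase; http_header; '
    'metadata:impact_flag red, policy balanced-ips drop, service http; '
    'classtype:trojan-activity; sid:18369; rev:2;)'
)

# Constructed benign-looking updater request that carries the flagged User-Agent
# (the real URLs from the post are not reproduced here).
SAMPLE_REQUEST = (
    "GET /update/client.exe HTTP/1.1\r\n"
    "Host: update.example.invalid\r\n"
    "User-Agent: iexp-get\r\n"
    "\r\n"
)

# Options that participate in the match decision versus options that only describe the rule.
DETECTION_KEYWORDS = {"content", "pcre", "uricontent", "flow", "flowbits", "byte_test",
                      "byte_jump", "isdataat", "dsize", "nocase", "http_header", "http_uri",
                      "http_client_body", "offset", "depth", "distance", "within", "fast_pattern"}
INFORMATIONAL_KEYWORDS = {"msg", "metadata", "reference", "classtype", "sid", "rev", "priority", "gid"}
CONTENT_MODIFIERS = {"nocase", "http_header", "http_uri", "http_client_body", "offset",
                     "depth", "distance", "within", "fast_pattern", "rawbytes"}


def split_options(option_blob):
    """Split the rule body on ';' while respecting double-quoted values."""
    opts, buf, in_quote, prev = [], [], False, ""
    for ch in option_blob:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        prev = ch
    tail = "".join(buf).strip()
    if tail:
        opts.append(tail)
    return opts


def parse_rule(rule):
    """Return (header, [(keyword, value_or_None), ...]) for a single Snort 2 rule."""
    header, _, rest = rule.partition("(")
    body = rest.rsplit(")", 1)[0]
    options = []
    for opt in split_options(body):
        key, sep, value = opt.partition(":")
        options.append((key.strip(), value.strip() if sep else None))
    return header.strip(), options


def classify(options):
    detection = [k for k, _ in options if k in DETECTION_KEYWORDS]
    info = [k for k, _ in options if k in INFORMATIONAL_KEYWORDS]
    return detection, info


def metadata_fields(options):
    """metadata is a comma-separated list of 'key value' pairs; return them as a dict."""
    fields = {}
    for k, v in options:
        if k == "metadata" and v:
            for item in v.split(","):
                parts = item.strip().split(None, 1)
                if parts:
                    fields[parts[0]] = parts[1] if len(parts) > 1 else ""
    return fields


def content_patterns(options):
    """Yield (pattern, nocase) for each content option, expanding |XX| hex escapes."""
    pats = []
    for i, (k, v) in enumerate(options):
        if k != "content":
            continue
        raw = re.sub(r"\|([0-9A-Fa-f ]+)\|",
                     lambda m: bytes.fromhex(m.group(1).replace(" ", "")).decode("latin-1"),
                     v.strip('"'))
        mods = set()
        for mk, _ in options[i + 1:]:
            if mk not in CONTENT_MODIFIERS:
                break
            mods.add(mk)
        pats.append((raw, "nocase" in mods))
    return pats


def request_matches(options, http_request):
    """Simplified matcher: every content pattern must occur in the raw request text.
    (Real Snort scopes http_header to the parsed header buffer; this checks the whole request.)"""
    for pat, nocase in content_patterns(options):
        hay, needle = (http_request.lower(), pat.lower()) if nocase else (http_request, pat)
        if needle not in hay:
            return False
    return True


def analyze(rule, request):
    _, options = parse_rule(rule)
    detection, info = classify(options)
    return {
        "detection_options": detection,
        "informational_options": info,
        "metadata": metadata_fields(options),
        "request_matches": request_matches(options, request),
    }


if __name__ == "__main__":
    for key, val in analyze(SAMPLE_RULE, SAMPLE_REQUEST).items():
        print(f"{key}: {val}")
```

Running it shows `metadata` landing in the informational list alongside `msg`, `sid` and `rev`, while the verdict is driven solely by the `content` match on the User-Agent header. In Snort 2 the `impact_flag` and `policy` keys are consumed by rule-management tooling and policy selection, and `service` is only consulted for target-based rule selection when a host attribute table is configured; none of them add a packet check, so a tuning decision for this false positive has to be made on the content pattern itself (for example a local suppression or threshold for the update host rather than a rule change).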