[Snort-sigs] FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get

evilghost at ...3397...
Sun Mar 13 18:41:13 EDT 2011


On 03/13/11 16:19, Jason Haar wrote:
> I found a hit from Emerging-sigs from last year about it as a FP too - I
> guess Sourceforge is a bit behind on this one? ;-)

Hi friends, I've seen this FP before and I believe it's an issue regarding
gratuitous nocase and insufficient string expansion/precision on the match.
Citrix was triggering the FP.

See
http://lists.emergingthreats.net/pipermail/emerging-sigs/2011-February/012115.html

I'm sorry as I may be speculating with regard to VRT as I have no visibility
here.  I hope this information alleviates the need for a PCAP to correct the
issue, if indeed it is related to nocase.

I believe this issue has been corrected with ET and would be willing to work
with the SF team to resolve this FP.

-- 
It has been said that "hate" is a powerful emotion, perhaps that's why I'm so
strong.

-evilghost
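
The effect described in the message above, a gratuitous nocase combined with too short a match string, can be reproduced with a small model of Snort's content matching. This is an added example, not part of the original post and not code from VRT or ET. The two rule option sets, the request() helper and every User-Agent value are constructed for illustration; the actual text of sid 18369 and the real Citrix header are not given on this page.

```python
"""Model of Snort `content` matching: loose vs. precise User-Agent match."""


def decode_content(pattern: str) -> bytes:
    """Turn a Snort content string with |hex| sections into raw bytes."""
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced | in content pattern")
    out = bytearray()
    for i, part in enumerate(parts):
        # Odd segments sit between pipes and hold hex bytes; even ones are text.
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def content_match(payload: bytes, pattern: str, nocase: bool = False) -> bool:
    """Substring search over the payload, optionally case-insensitive."""
    needle = decode_content(pattern)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


def request(user_agent: str) -> bytes:
    """Build a constructed HTTP request carrying the given User-Agent."""
    return ("GET /update HTTP/1.1\r\nHost: example.test\r\n"
            f"User-Agent: {user_agent}\r\n\r\n").encode("latin-1")


# Hypothetical rule options, NOT the text of sid 18369 or of the ET rule.
LOOSE = {"pattern": "iexp-get", "nocase": True}
PRECISE = {"pattern": "User-Agent|3A| iexp-get|0D 0A|", "nocase": False}

# Constructed traffic; the benign agents are invented, not Citrix's real header.
SAMPLES = {
    "target_agent": request("iexp-get"),
    "benign_mixed_case": request("ExampleClient/1.0 IEXP-GetHelper"),
    "benign_longer_token": request("iexp-getter/2.0"),
    "benign_unrelated": request("Mozilla/5.0"),
}


def alerts(rule: dict, samples: dict) -> list:
    """Names of the samples on which the rule's content option fires."""
    return sorted(name for name, data in samples.items()
                  if content_match(data, rule["pattern"], rule["nocase"]))


if __name__ == "__main__":
    print("loose  :", alerts(LOOSE, SAMPLES))
    print("precise:", alerts(PRECISE, SAMPLES))
```

The loose options fire on two of the three benign requests, while the expanded, case-sensitive pattern fires only on the exact agent string.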