[Snort-sigs] FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get

evilghost at ...3397...
Sun Mar 13 19:22:30 EDT 2011


On 03/13/11 17:58, Matt Olney wrote:
> Actually, in this case this isn't a false positive.

Thank you Matt for the clarification and explanation.  In the ET case the root
issue was terse string matching coupled with gratuitous nocase.  It seems the
VRT rule was not subjected to this oversight.

Kind Regards,
-evilghost
