[Snort-sigs] Rule 17407 produces false positives on Yahoo photo gallery viewer

Steve steve.bachelor at ...2420...
Mon Oct 1 16:50:44 EDT 2012


An HTTP GET request included the string [lots of
characters]%3dv.hLPtFJpBs-%2f[lots more characters]

That's obviously not a Windows help file download request. Should I add
a regex to the rule looking for '\.hlp(?![a-zA-Z0-9])' or something
like that?
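
Added example, not part of the original post: a Python check of the lookahead proposed above, run against constructed URIs. It assumes the alert came from a case-insensitive match on ".hlp" (the text of rule 17407 is not shown in the post); the padding around the quoted fragment and every other URI are constructed.

```python
import re

# Assumption: the false positive comes from a case-insensitive ".hlp" match.
BASELINE = re.compile(r"\.hlp", re.IGNORECASE)
# The regex proposed in the post, with case-insensitivity assumed.
PROPOSED = re.compile(r"\.hlp(?![a-zA-Z0-9])", re.IGNORECASE)

# Constructed samples: (URI, True if it really requests a .hlp file).
SAMPLES = [
    # Fragment quoted in the post, with constructed padding around it.
    ("/gallery/view?id=abc%3dv.hLPtFJpBs-%2fxyz", False),
    # Constructed token where ".hlp" happens to be followed by punctuation.
    ("/gallery/view?tok=zz%3dq.hLp-%2fyy", False),
    ("/docs/manual.hlp", True),
    ("/docs/manual.HLP?lang=en", True),
    ("/get.php?file=help.hlp&x=1", True),
    ("/index.html", False),
]


def false_positives(pattern):
    """URIs the pattern flags that are not .hlp requests."""
    return [u for u, is_hlp in SAMPLES if pattern.search(u) and not is_hlp]


def false_negatives(pattern):
    """Real .hlp requests the pattern fails to flag."""
    return [u for u, is_hlp in SAMPLES if is_hlp and not pattern.search(u)]


if __name__ == "__main__":
    for name, pat in (("baseline", BASELINE), ("proposed", PROPOSED)):
        print(name, "FP:", false_positives(pat), "FN:", false_negatives(pat))
```

The lookahead clears the quoted fragment and keeps every real .hlp request, but a random token in which ".hlp" is followed by "-", "%" or "_" would still match, so the regex narrows the false positive rather than eliminating it.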



