Looks like it's "sort of" legit in that you were visiting a page affiliated with the Myway.com people, but given that we have User-Agent based rules for this toolbar as well, and that your U-A looks normal here, the rule is misidentifying whether or not you have the toolbar installed (which would have been the original point of the rule).<div>
<br></div><div>Since the U-A stuff should work better anyway, we'll just delete this rule.<br><br><div class="gmail_quote">On Thu, Feb 17, 2011 at 1:51 PM, Weir, Jason <span dir="ltr">&lt;<a href="mailto:jason.weir@...3410...">jason.weir@...3410...</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Triggers just visiting this url<br>
<br>
<a href="http://apnews.myway.com/article/20110217/D9LEGDMG0.html" target="_blank">http://apnews.myway.com/article/20110217/D9LEGDMG0.html</a><br>
<br>
<br>
GET /images/nocache/tr/gca/m.gif?rand=473750261&a=excite_myway_default_js&u=http%3A//apnews.myway.com/article/20110217/D9LEGDMG0.html&r=-1&w=5&k=&v=&g=&s=&h= HTTP/1.1<br>
Host: imgfarm.com<br>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13<br>
Accept: image/png,image/*;q=0.8,*/*;q=0.5<br>
Accept-Language: en-us,en;q=0.5<br>
Accept-Encoding: gzip,deflate<br>
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7<br>
Keep-Alive: 115<br>
Connection: keep-alive<br>
Referer: <a href="http://apnews.myway.com/article/20110217/D9LEGDMG0.html" target="_blank">http://apnews.myway.com/article/20110217/D9LEGDMG0.html</a><br>
<br>
-J<br>
<br>
<br>
_______________________________________________<br>
Snort-sigs mailing list<br>
<a href="mailto:Snort-sigs@lists.sourceforge.net">Snort-sigs@...639...forge.net</a><br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-sigs" target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-sigs</a><br>
<a href="http://www.snort.org" target="_blank">http://www.snort.org</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>Alex Kirk<br>AEGIS Program Lead<br>Sourcefire Vulnerability Research Team<br>+1-410-423-1937<br><a href="mailto:alex.kirk@...435...">alex.kirk@...435...</a><br>

</div>
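The distinction drawn in the reply above (a URI match alone versus evidence in the User-Agent), as an added example that is not part of the original thread or any Snort rule. `URI_MARKER` is an assumption standing in for whatever the deleted rule matched, and `UA_TOKEN` is a hypothetical placeholder, not a real toolbar signature.

```python
# Added example: triage a URI-based toolbar alert against the User-Agent.
# URI_MARKER is an assumption (a parameter seen in the quoted request, standing
# in for whatever the deleted rule matched); UA_TOKEN is a hypothetical placeholder.
URI_MARKER = "a=excite_myway_default_js"
UA_TOKEN = "ExampleToolbar"  # assumption: token a toolbar would add to the U-A


def parse_request(raw):
    """Split a raw HTTP request into (method, uri, headers)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [line for line in head.split("\n") if line.strip()]
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def triage(raw):
    """Classify a request by which kind of evidence it carries."""
    _method, uri, headers = parse_request(raw)
    uri_hit = URI_MARKER in uri
    ua_hit = UA_TOKEN.lower() in headers.get("user-agent", "").lower()
    if ua_hit:
        return "toolbar-present"        # the client identifies itself
    if uri_hit:
        return "affiliated-page-visit"  # URI alone: the case in the thread
    return "no-match"


# Request quoted in the thread, with the mail client's line wraps undone.
THREAD_REQUEST = (
    "GET /images/nocache/tr/gca/m.gif?rand=473750261&a=excite_myway_default_js"
    "&u=http%3A//apnews.myway.com/article/20110217/D9LEGDMG0.html"
    "&r=-1&w=5&k=&v=&g=&s=&h= HTTP/1.1\r\n"
    "Host: imgfarm.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) "
    "Gecko/20101203 Firefox/3.6.13\r\n"
    "Referer: http://apnews.myway.com/article/20110217/D9LEGDMG0.html\r\n\r\n"
)
# Constructed variant: same request with the placeholder token in the U-A.
CONSTRUCTED_TOOLBAR = THREAD_REQUEST.replace(
    "Firefox/3.6.13", "Firefox/3.6.13 ExampleToolbar/1.0")

if __name__ == "__main__":
    for name, req in (("thread", THREAD_REQUEST), ("constructed", CONSTRUCTED_TOOLBAR)):
        print(name, "->", triage(req))
```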