<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
I would suggest disabling that rule altogether.  That pattern hasn’t been used in years.
<div class=""><br class="">
<div class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div class=""><b style="font-family: Calibri, sans-serif; font-size: 10px;" class=""><font color="#5e5e5e" class="">--</font></b></div>
<div style="font-size: 14px;" class=""><b style="font-family: Calibri, sans-serif; font-size: 12px;" class=""><font color="#5e5e5e" class="">Joel Esler </font></b><span style="font-family: Calibri, sans-serif; font-size: 12px;" class="">| </span><b style="font-family: Calibri, sans-serif; font-size: 12px;" class=""><font color="#0096ff" class="">Talos:</font></b><span style="font-family: Calibri, sans-serif; font-size: 12px;" class=""> M</span><font color="#424242" style="font-family: Calibri, sans-serif; font-size: 12px;" class="">anager
 | <a href="mailto:jesler@...3865..." class="">jesler@...3865...</a></font></div>
<div class=""><font color="#424242" style="font-family: Calibri, sans-serif; font-size: 10px;" class=""><br class="">
</font></div>
</div>
<br class="Apple-interchange-newline">
</div>
<br class="Apple-interchange-newline">
</div>
<br class="Apple-interchange-newline">
<br class="Apple-interchange-newline">
</div>
<br class="">
<div style="">
<blockquote type="cite" class="">
<div class="">On Jun 6, 2017, at 3:47 PM, John G <<a href="mailto:drterdnugget@...2420..." class="">drterdnugget@...2420...</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div dir="ltr" class="">I have this alert that is triggering on a legitimate site.  
<div class=""><br class="">
</div>
<div class=""><span style="color:rgb(51,51,51);font-family:verdana,sans-serif;font-size:10.6667px" class="">EXPLOIT-KIT Angler exploit kit news uri structure (1:38439:2)</span><br class="">
</div>
<div class=""><span style="color:rgb(51,51,51);font-family:verdana,sans-serif;font-size:10.6667px" class=""><br class="">
</span></div>
<div class="">
<div class="gmail-section" id="gmail-section_1_0_0" style="margin:0px 0px 8px;padding:0px;color:rgb(51,51,51);font-family:verdana,sans-serif;font-size:10.6667px">
 
<table class="gmail-simple-table gmail-content" style="font-size:8pt;border-collapse:collapse;border:none;padding:0px;margin:0px;line-height:16px;vertical-align:middle">
<tbody class="">
<tr class="">
<td style="padding:2px 8px;font-size:8pt;line-height:14px;font-family:verdana,sans-serif;vertical-align:baseline" class="">
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit news uri structure"; flow:to_server,established; content:"/news/"; fast_pattern; http_uri; content:"/"; within:5; distance:1; http_uri; content:"/"; within:5; distance:1;
 http_uri; content:"/"; within:5; distance:1; http_uri; pcre:"/^\/news\/([0-9]+\/){3}[0-9]{5,10}(\.html)?$/U"; metadata:impact_flag red, policy max-detect-ips drop, service http; classtype:trojan-activity; sid:38439; rev:2; )<br class="">
<br class="">
<br class="">
It is triggering because of this site: http://www[.]wenxuecity[.]com/news/2017/06/06/6293116.html<br class="">
<br class="">
How could we go about whitelisting that by editing the Snort rule? <br class="">
<br class="">
Thanks, <br class="">
John <br class="">
<br class="">
<br class="">
<br class="">
<br class="">
<br class="">
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
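<div class="">Why the rule fires on the reported URL, as an added example that is not part of the original thread or of the Snort ruleset: the script pulls the pcre option out of the rule text quoted above and runs it over a few request URIs. Only the first sample path comes from the thread; the others are constructed, and the function names are hypothetical.</div>

```python
import re

# Rule text exactly as quoted in the thread (sid 38439, rev 2).
RULE = r'''alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit news uri structure"; flow:to_server,established; content:"/news/"; fast_pattern; http_uri; content:"/"; within:5; distance:1; http_uri; content:"/"; within:5; distance:1; http_uri; content:"/"; within:5; distance:1; http_uri; pcre:"/^\/news\/([0-9]+\/){3}[0-9]{5,10}(\.html)?$/U"; metadata:impact_flag red, policy max-detect-ips drop, service http; classtype:trojan-activity; sid:38439; rev:2; )'''


def rule_pcre(rule):
    """Extract the rule's pcre option as (compiled_regex, snort_flags)."""
    m = re.search(r'pcre:"/([^"]+)/([A-Za-z]*)"', rule)
    if m is None:
        raise ValueError("rule has no pcre option")
    return re.compile(m.group(1)), m.group(2)


def pcre_matches(rule, uris):
    """Return the URIs that satisfy the rule's pcre.

    The U flag applies the expression to the normalized request URI, so
    each input is a URI (path plus query), not a full URL. The rule's
    content/within/distance options are additional conditions and are not
    modelled here, so the result is an upper bound on what can alert.
    """
    regex, flags = rule_pcre(rule)
    if "U" not in flags:
        raise ValueError("pcre is not a URI match")
    return [u for u in uris if regex.search(u)]


SAMPLES = [
    "/news/2017/06/06/6293116.html",           # path from the thread
    "/news/2016/11/23/48213",                  # constructed: no extension
    "/news/2017/06/06/6293116.html?ref=home",  # constructed: query string
    "/news/2017/06/06/1234.html",              # constructed: 4-digit id
    "/news/2017/06/election-results.html",     # constructed: text slug
    "/blog/2017/06/06/6293116.html",           # constructed: other prefix
]

if __name__ == "__main__":
    hits = set(pcre_matches(RULE, SAMPLES))
    for uri in SAMPLES:
        print("MATCH" if uri in hits else "-----", uri)
```

The expression constrains only the shape of the path, so a year/month/day permalink with a numeric article id satisfies it regardless of the host serving it.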
</body>
</html>