[Snort-users] IPHONE user agent?

Joel Esler jesler at ...1935...
Mon Dec 3 10:29:14 EST 2012


So, to give people an update about what this was… fast_pattern:only; was slipped into the content match for one rule pack update a while back, and it was immediately removed. Jeff happened to get that one rule pack.

It's been fixed for some time.

If you experience this issue, please update the rule pack you are using.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Dec 2, 2012, at 11:37 AM, Joel Esler <jesler at ...1935...> wrote:

> It shouldn't be.  The User-Agent should be all in caps. Which isn't an iPhone. 
> 
> --
> Joel Esler
> Sent from my iPad 
> 
> On Dec 1, 2012, at 11:10 PM, Jeff Kell <jeff-kell at ...6282...> wrote:
> 
>> This "BLACKLIST User-Agent known malicious user-agent string IPHONE" sig
>> is going off all over the place.  Appears to be real iPhones (?)
>> 
>> Clarification?  Looks like a pre-baked detection criteria...
>> 
>> Jeff
>> 
>> 
