[Snort-users] Rule question.. SID 1:1000103

Jeremy Hoel jthoel at ...11827...
Wed Mar 13 17:18:43 EDT 2013


It seems all the good sites for rule info and research are gone
(rootedyour.com returns no data for the sid) .. I thought this was an
ET rule from earlier but it's coming from the VRT Rules..

The rule is:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"JOY9m
user-agent"; flow:to_server,established; content:"User-Agent|3A|";
nocase; http_header; content:"JOY9m"; nocase; http_header;
classtype:misc-activity; sid:1000103; rev:1;)

But there's no CVE or any other information to read about the rule..
just that it looks for Joy9m along with User-Agent.  Lately this has
been hitting on Joy0m in cookie data.. so I know it's a FP, but I want
to find out if it can be disabled, but there are no notes..  and my
google-fu is failing me.

Anyone have any ideas?
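As an added illustration (not from the original post or the VRT rule set), a small Python model of the two content matches in sid:1000103 run over the request header block: each `http_header` content match is evaluated independently, so a matching token anywhere in the headers, such as a Cookie value, satisfies the rule alongside any ordinary User-Agent line. The sample requests are constructed, the header-buffer model is an approximation of Snort's `http_header` buffer, and the "tightened" variant is a hypothetical rewrite that requires the token on the User-Agent line itself.

```python
import re

# Constructed sample requests (not real traffic).
REQUEST_UA = (
    "GET / HTTP/1.1\r\nHost: example.invalid\r\n"
    "User-Agent: JOY9m/1.0\r\nAccept: */*\r\n\r\n"
)
REQUEST_COOKIE = (
    "GET / HTTP/1.1\r\nHost: example.invalid\r\n"
    "User-Agent: Mozilla/5.0\r\nCookie: session=xjoy9mab\r\n\r\n"
)


def http_header_buffer(request: str) -> str:
    """Approximate Snort's http_header buffer: the header lines after the
    request line, up to the blank line that ends the header block."""
    head, _, _ = request.partition("\r\n\r\n")
    return head.split("\r\n", 1)[1] if "\r\n" in head else ""


def matches_original_rule(request: str) -> bool:
    """sid:1000103 as posted: two independent, case-insensitive content
    matches on the header buffer. Nothing ties "JOY9m" to the User-Agent
    header, so a Cookie (or any other header) carrying the token also fires."""
    buf = http_header_buffer(request).lower()
    return "user-agent:" in buf and "joy9m" in buf


def matches_tightened_rule(request: str) -> bool:
    """Hypothetical tighter check: the token must appear on the User-Agent
    line. In Snort syntax this would be expressed with a pcre such as
    pcre:"/^User-Agent\\x3a[^\\r\\n]*JOY9m/Hmi" (illustrative, untested)."""
    buf = http_header_buffer(request)
    return re.search(r"^User-Agent:[^\r\n]*joy9m", buf, re.I | re.M) is not None


def classify(request: str) -> str:
    """Label a request as 'hit', 'false-positive' or 'clean' for this rule."""
    original, tightened = matches_original_rule(request), matches_tightened_rule(request)
    if tightened:
        return "hit"
    return "false-positive" if original else "clean"


if __name__ == "__main__":
    for name, req in (("ua", REQUEST_UA), ("cookie", REQUEST_COOKIE)):
        print(name, classify(req))
```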
