[Snort-users] Rule question.. SID 1:1000103
jthoel at ...11827...
Wed Mar 13 17:18:43 EDT 2013
It seems all the good sites for rule info and research are gone
(rootedyour.com returns no data for the sid) .. I thought this was an
ET rule from earlier but it's coming from the VRT Rules..
The rule is:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"JOY9m
user-agent"; flow:to_server,established; content:"User-Agent|3A|";
nocase; http_header; content:"JOY9m"; nocase; http_header;
classtype:misc-activity; sid:1000103; rev:1;)
But there's no CVE or any other information to read about the rule..
just that it looks for Joy9m along with User-Agent. Lately this has
been hitting on Joy0m in cookie data.. so I know it's a FP, but I want
to find out if it can be disabled, but there not notes.. and my
google-fu is failing me.
Any one have any ideas?
More information about the Snort-users