Snort mailing list archives
Proposed Modification, reduction of false positives in SID 7829
From: "evilghost () packetmail net" <evilghost () packetmail net>
Date: Tue, 6 Oct 2009 15:27:40 -0500
I am seeing false positives on SID 7829 in spyware-put.rules due to the nocase content matching on "Gator"; things like "Akregator/1.5.1; syndication" match on this.

Rather than using the negated content matches to eliminate the false positives (see the current FeedDemon negated match), I propose the content match be changed to content:" Gator" from content:"Gator". The pcre would then no longer be necessary as well.

Perhaps even a simple content match: content:"|0d 0a|User-Agent|3a| Gator"; nocase

-evilghost
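As an added illustration (not part of the original post), the following Python emulates Snort's content/nocase substring matching, decodes the |hex| notation, and runs the current and proposed SID 7829 patterns over constructed request headers; the sample requests and the rule labels are assumptions made for this example.

```python
# Added example, not from the original post: emulate Snort's 'content' keyword
# (with 'nocase') to compare the current and proposed SID 7829 matches.
# The sample requests below are constructed for illustration.

SAMPLES = {
    # Legitimate feed reader that the post reports as a false positive.
    "akregator": (b"GET /feed.xml HTTP/1.1\r\nHost: example.invalid\r\n"
                  b"User-Agent: Akregator/1.5.1; syndication\r\n\r\n"),
    # User agent the signature is meant to catch.
    "gator": (b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"
              b"User-Agent: Gator/7.0\r\n\r\n"),
    # " Gator" appearing outside the User-Agent header.
    "other_header": (b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"
                     b"User-Agent: Mozilla/5.0\r\nX-Note: Gatorade\r\n\r\n"),
}

# Rule variants discussed in the post, written as Snort content strings.
RULES = {
    "current":  "Gator",                        # content:"Gator"; nocase
    "proposed": " Gator",                       # content:" Gator"; nocase
    "anchored": "|0d 0a|User-Agent|3a| Gator",  # content:"|0d 0a|User-Agent|3a| Gator"; nocase
}


def parse_content(spec: str) -> bytes:
    """Decode a Snort content string: text outside '|' pairs is literal,
    text between '|' pairs is space-separated hex (e.g. |0d 0a| -> CRLF).
    Backslash escapes are not handled; the post's patterns do not use them."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def content_match(payload: bytes, spec: str, nocase: bool = True) -> bool:
    """Plain substring search, which is what Snort's 'content' keyword does."""
    needle = parse_content(spec)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


def evaluate(spec: str) -> dict:
    """Return which constructed samples the given content pattern fires on."""
    return {name: content_match(payload, spec) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for label, spec in RULES.items():
        print(f"{label:9s} {spec!r:32s} -> {evaluate(spec)}")
```

Note that the leading-space variant still fires on " Gatorade" in an unrelated header, while the CRLF/User-Agent anchored form only fires when the string begins the User-Agent value.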