Snort mailing list archives
Rule question.. SID 1:1000103
From: Jeremy Hoel <jthoel () gmail com>
Date: Wed, 13 Mar 2013 21:18:43 +0000
It seems all the good sites for rule info and research are gone (rootedyour.com returns no data for the SID). I thought this was an ET rule from earlier, but it's coming from the VRT rules. The rule is:

    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"JOY9m user-agent"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"JOY9m"; nocase; http_header; classtype:misc-activity; sid:1000103; rev:1;)

But there's no CVE or any other information to read about the rule, just that it looks for Joy9m along with User-Agent. Lately this has been hitting on Joy0m in cookie data, so I know it's an FP, but I want to find out if it can be disabled, but there are no notes, and my google-fu is failing me.

Anyone have any ideas?
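The false positive described above, as an added example that is not from the original message or from the Snort project: a small Python emulation of why the rule's two unanchored http_header content matches also fire on a Cookie header, beside a hypothetical tighter variant (the equivalent Snort change would be a pcre with the H header modifier such as pcre:"/^User-Agent:[^\r\n]*JOY9m/Hmi"; that rule text, the sample requests and the simplified header buffer are all assumptions).

```python
import re

# Sample HTTP requests, constructed for this example (not captured traffic).
REQ_UA = (
    "GET / HTTP/1.1\r\nHost: example.invalid\r\n"
    "User-Agent: JOY9m\r\n\r\n"
)
REQ_COOKIE = (
    "GET / HTTP/1.1\r\nHost: example.invalid\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: session=abc; tag=joy9m\r\n\r\n"
)


def http_header_buffer(request: str) -> bytes:
    """Simplified stand-in for Snort's http_header buffer: every header line
    after the request line, up to the blank line (assumption: no
    normalization is applied, which real Snort does do)."""
    head, _, _ = request.partition("\r\n\r\n")
    _, _, headers = head.partition("\r\n")
    return headers.encode()


def original_rule(request: str) -> bool:
    """Emulates sid:1000103 rev:1 as posted: two independent nocase content
    matches on the header buffer with no relative modifier between them,
    so "JOY9m" anywhere in any header (e.g. a Cookie) satisfies the rule."""
    buf = http_header_buffer(request).lower()
    return b"user-agent:" in buf and b"joy9m" in buf


def tightened_rule(request: str) -> bool:
    """Emulates a hypothetical tighter version that requires JOY9m on the
    User-Agent line itself (what a pcre with the H and m modifiers would do),
    so the same string in cookie data no longer matches."""
    buf = http_header_buffer(request)
    return re.search(rb"^user-agent:[^\r\n]*joy9m", buf, re.I | re.M) is not None


if __name__ == "__main__":
    for name, req in (("UA", REQ_UA), ("Cookie", REQ_COOKIE)):
        print(f"{name}: original={original_rule(req)} tightened={tightened_rule(req)}")
```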