snort-sigs February 2011 archive

Re: [Snort-sigs] FP on 5803

From: Alex Kirk <akirk_at_nospam>
Date: Thu Feb 17 2011 - 19:34:44 GMT
To: "Weir, Jason" <jason.weir@nhrs.org>

Looks like it's "sort of" legit in that you were visiting a page affiliated
with the Myway.com people, but given that we have User-Agent based rules for
this toolbar as well, and that your U-A looks normal here, the rule is
misidentifying whether or not you have the toolbar installed (which would
have been the original point of the rule).

Since the U-A stuff should work better anyway, we'll just delete this rule.

On Thu, Feb 17, 2011 at 1:51 PM, Weir, Jason <jason.weir@nhrs.org> wrote:

> Triggers just visiting this url
>
> http://apnews.myway.com/article/20110217/D9LEGDMG0.html
>
>
> GET /images/nocache/tr/gca/m.gif?rand=473750261&a=excite_myway_default_js&u=http%3A//apnews.myway.com/article/20110217/D9LEGDMG0.html&r=-1&w=5&k=&v=&g=&s=&h= HTTP/1.1
> Host: imgfarm.com
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
> Accept: image/png,image/*;q=0.8,*/*;q=0.5
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 115
> Connection: keep-alive
> Referer: http://apnews.myway.com/article/20110217/D9LEGDMG0.html
>
> -J
>
>
>
> _____________________________________________________________________________________________
>
> Please visit www.nhrs.org to subscribe to NHRS email announcements and
> updates.
>
> ------------------------------------------------------------------------------
> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
> Pinpoint memory and threading errors before they happen.
> Find and fix more than 250 security defects in the development cycle.
> Locate bottlenecks in serial and parallel code that limit performance.
> http://p.sf.net/sfu/intel-dev2devfeb
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>

--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk@sourcefire.com
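As an added illustration of the point made in this thread (this is example code, not part of the original post and not the content of SID 5803 or any Sourcefire rule), the Python script below runs two detection checks over the request Jason quoted. The first is keyed on the tracking-pixel URL (host imgfarm.com, a path ending in m.gif, and an `a=` parameter naming myway); it fires on any page that embeds the Myway/Excite beacon, whether or not the toolbar is installed, which is exactly the false positive reported. The second is keyed on the User-Agent, so it only fires when the client itself identifies as the toolbar. The URL pattern and the toolbar token `MyWayToolbar/1.0` are assumptions for illustration; the request text is reassembled from the quoted post with a subset of its headers.

```python
"""Compare a URL-content detection with a User-Agent detection on one HTTP request."""
import re
from urllib.parse import parse_qs, urlsplit

# The request quoted in the thread, reassembled onto single lines (constructed
# from the post; only a subset of the original headers is kept).
REQUEST_FROM_THREAD = (
    "GET /images/nocache/tr/gca/m.gif?rand=473750261&a=excite_myway_default_js"
    "&u=http%3A//apnews.myway.com/article/20110217/D9LEGDMG0.html&r=-1&w=5&k=&v="
    "&g=&s=&h= HTTP/1.1\r\n"
    "Host: imgfarm.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) "
    "Gecko/20101203 Firefox/3.6.13\r\n"
    "Referer: http://apnews.myway.com/article/20110217/D9LEGDMG0.html\r\n"
    "\r\n"
)

# Constructed variant: the same beacon request, but with a hypothetical toolbar
# token appended to the User-Agent. "MyWayToolbar/1.0" is an assumption, not a
# real product string taken from the thread.
REQUEST_WITH_TOOLBAR_UA = REQUEST_FROM_THREAD.replace(
    "Firefox/3.6.13", "Firefox/3.6.13 MyWayToolbar/1.0"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers).

    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def url_content_match(path, headers):
    """Detection keyed on the beacon URL (assumed pattern, illustrative only).

    Fires whenever a page embeds the beacon, so it says nothing about whether
    the toolbar is installed on the client."""
    parts = urlsplit(path)
    query = parse_qs(parts.query, keep_blank_values=True)
    return (
        headers.get("host") == "imgfarm.com"
        and parts.path.endswith("/m.gif")
        and any("myway" in v.lower() for v in query.get("a", []))
    )


def user_agent_match(headers):
    """Detection keyed on the User-Agent (hypothetical token).

    Only a client that identifies itself as the toolbar matches, so a stock
    browser visiting a myway.com page does not."""
    return re.search(r"\bMyWayToolbar/", headers.get("user-agent", "")) is not None


def classify(raw):
    """Return (url_rule_fired, ua_rule_fired) for a raw request."""
    _method, path, headers = parse_request(raw)
    return url_content_match(path, headers), user_agent_match(headers)


if __name__ == "__main__":
    for label, req in (("thread request", REQUEST_FROM_THREAD),
                       ("toolbar UA variant", REQUEST_WITH_TOOLBAR_UA)):
        url_hit, ua_hit = classify(req)
        print(f"{label}: URL rule fired={url_hit}, UA rule fired={ua_hit}")
```

Running it shows the URL check firing on both requests while the User-Agent check fires only on the variant that actually carries the toolbar token, which is why a rule that is meant to flag an installed toolbar is better anchored on what the client says about itself than on which beacon the page happens to load.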
