Snort mailing list archives
Re: FP on 1:18369:2 - BLACKLIST USER-AGENT known malicious user-agent string iexp-get
From: "evilghost () packetmail net" <evilghost () packetmail net>
Date: Sun, 13 Mar 2011 17:41:13 -0500
On 03/13/11 16:19, Jason Haar wrote:
I found a hit from Emerging-sigs from last year about it as a FP too - I guess Sourceforge is a bit behind on this one? ;-)
Hi friends, I've seen this FP before and I believe it's an issue regarding gratuitous nocase and insufficient string expansion/precision on the match. Citrix was triggering the FP.

See http://lists.emergingthreats.net/pipermail/emerging-sigs/2011-February/012115.html

I'm sorry as I may be speculating with regard to VRT as I have no visibility here. I hope this information alleviates the need for a PCAP to correct the issue, if indeed it is related to nocase. I believe this issue has been corrected with ET and would be willing to work with the SF team to resolve this FP.

--
It has been said that "hate" is a powerful emotion, perhaps that's why I'm so strong.
-evilghost