Snort mailing list archives

Suggested pcre addition to 1:6251


From: CunningPike <cunningpike () gmail com>
Date: Wed, 24 Nov 2010 11:31:06 -0800

Hi there,

I get a lot of false positives on the following rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT
Adware hotbar runtime detection - hostie user-agent";
flow:to_server,established; content:"User-Agent|3A| "; nocase;
content:"hostie"; distance:0; nocase; threshold:type limit, track
by_src, count 1, seconds 300; metadata:policy security-ips alert;
reference:url,www.spywareguide.com/product_show.php?id=481;
reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075474;
classtype:misc-activity; sid:6251; rev:5;)

from content like this:

GET /2.5.1/js/CF_insight.min.js HTTP/1.1..Accept: */*..Referer:
http://www.theweathernetwork.com/weather/cabc0308..Accept-Language:
en-us..Accept-Encoding: gzip, deflate..User-Agent: Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1)..Connection:
Keep-Alive..Host: scripthostie6.crowdfactory.com....

I'm wondering whether the addition of the following pcre would help keep the
match within the User-Agent field:

pcre:"/User-Agent:[^\x0D\x0A]*hostie.*/smi";

or would it allow for evasion of some kind.

If this is a good idea, there are probably other UA-based sigs that
could benefit from the same treatment.

Thoughts?

CP

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
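The difference between the rule's two chained content matches and the proposed pcre can be checked offline. The following is an added example, not code from the post or from the Snort project: it approximates the rule's `content:"User-Agent|3A| "; content:"hostie"; distance:0;` logic (second match anywhere after the first) and applies the proposed `/User-Agent:[^\x0D\x0A]*hostie.*/smi` with Python's `re`, over three constructed requests. The first is rebuilt from the false-positive sample in the post; the other two (a real hostie User-Agent and a folded User-Agent header) are made up here to show a true positive and an edge case.

```python
import re

# Constructed request, rebuilt from the false-positive sample in the post.
# "hostie" occurs only inside the Host header, after the User-Agent line.
FALSE_POSITIVE = (
    b"GET /2.5.1/js/CF_insight.min.js HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Referer: http://www.theweathernetwork.com/weather/cabc0308\r\n"
    b"Accept-Language: en-us\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Host: scripthostie6.crowdfactory.com\r\n\r\n"
)

# Constructed request with "hostie" actually in the User-Agent (hypothetical UA string).
TRUE_POSITIVE = (
    b"GET /update HTTP/1.1\r\n"
    b"User-Agent: Hostie/1.0\r\n"
    b"Host: www.example.com\r\n\r\n"
)

# Constructed edge case: the User-Agent value is split over an obsolete
# continuation line (CRLF followed by whitespace), so "hostie" is no longer
# on the same line as "User-Agent:".
FOLDED_UA = (
    b"GET /update HTTP/1.1\r\n"
    b"User-Agent: Mozilla/4.0\r\n"
    b" (compatible; hostie)\r\n"
    b"Host: www.example.com\r\n\r\n"
)


def snort_content_chain(payload: bytes) -> bool:
    """Approximate the rule's content matches.

    content:"User-Agent|3A| "; nocase; followed by content:"hostie";
    distance:0; nocase; -- i.e. "hostie" anywhere after the end of the
    first match, with no upper bound, which is why the Host header matches.
    """
    low = payload.lower()
    first = low.find(b"user-agent: ")
    if first < 0:
        return False
    return low.find(b"hostie", first + len(b"user-agent: ")) >= 0


# The pcre from the post, as a Python regex on bytes. /s -> DOTALL, /m ->
# MULTILINE, /i -> IGNORECASE. [^\x0D\x0A]* cannot cross a CR or LF, so
# "hostie" must sit on the same header line as "User-Agent:".
UA_PCRE = re.compile(rb"User-Agent:[^\x0D\x0A]*hostie.*", re.I | re.S | re.M)


def ua_pcre_match(payload: bytes) -> bool:
    """True when the proposed pcre matches the request."""
    return UA_PCRE.search(payload) is not None


def evaluate(payload: bytes) -> dict:
    """Return both verdicts for a payload.

    In a Snort rule every option must match, so adding the pcre can only
    narrow the rule: the rule would alert only when both are True.
    """
    return {
        "content_chain": snort_content_chain(payload),
        "ua_pcre": ua_pcre_match(payload),
    }


if __name__ == "__main__":
    for name, req in (("false positive", FALSE_POSITIVE),
                      ("true positive", TRUE_POSITIVE),
                      ("folded UA", FOLDED_UA)):
        print(name, evaluate(req))
```

Because the pcre is an additional condition and not a replacement for the content matches, it cannot make the rule fire on anything it does not already fire on; the only traffic it changes is the current false-positive class, where "hostie" appears in a later header. The folded-header case shows the one thing the line-bounded character class gives up: a User-Agent value continued onto a second line is not covered, so such a request would pass the content chain but not the pcre. The trailing `.*` in the pcre always matches and could be dropped without changing the result.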

