Rule question.. SID 1:1000103

[Jeremy Hoel <jthoel () gmail com>]

It seems all the good sites for rule info and research are gone
(rootedyour.com returns no data for the sid) .. I thought this was an
ET rule from earlier but it's coming from the VRT Rules..

The rule is:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"JOY9m
user-agent"; flow:to_server,established; content:"User-Agent|3A|";
nocase; http_header; content:"JOY9m"; nocase; http_header;
classtype:misc-activity; sid:1000103; rev:1;)

But there's no CVE or any other information to read about the rule..
just that it looks for Joy9m along with User-Agent.  Lately this has
been hitting on Joy0m in cookie data.. so I know it's a FP, but I want
to find out if it can be disabled, but there not notes..  and my
google-fu is failing me.

Any one have any ideas?

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!