[Emerging-Sigs] MyWebSearch Toolbar Traffic (Agent)

Matt Jonkman jonkman at jonkmans.com
Thu Jan 8 11:00:23 EST 2009

Hmmm, that's a bad FP. And looking at that sig, I think we're best
dropping it. The current versions of MyWay use a distinct user-agent
which we do have a sig for.

I'll remove the sig. It's obsolete.

Thanks for the report!!


James wrote:
> Hi,
> I've received several hundred false-positives for one of my users on this
> signature:
> MyWebSearch Toolbar Traffic (Agent)"; flow: to_server,established; content:"
> MyWay"; nocase; classtype:trojan-activity; sid: 2001662; rev:9;)
> It turns out a cookie on the BBC news website contains "; myway=default" at
> the end.
> Let me know if you need more info than that.
> Thanks
> James
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205

PGP: http://www.jonkmans.com/mattjonkman.asc

More information about the Emerging-sigs mailing list