We had sig 5474 fire on two sensors. After looking at the packet and then the Regex in the sig, this just doesn't make sense to me.
The Regex:
([%]20|[=])[Ss][Ee][Ll][Ee][Cc][Tt]([%]20|[+])[^\r\n\x00-\x19\x7F-\xFF]+([%]20|[+])[Ff][Rr][Oo][Mm]([%]20|[+])
The Packet:
4.0 (compatible;MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.1.4322)..Host: www.trustar-rs.com..Content-Length: 611..Connection: Keep-Alive..Cacheeep-Alive..Cachehe..Cookie: <removedforsecurity>=QXIPUNSdmzweb104CKQOO; RANDOM_ID=f6a8759283514372bfadf7d4677bd5f0....
Any input on this one?
Thanks.
-David
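
One way to check which bytes, if any, satisfy the quoted regex is to run it offline over the captured payload. The Python below is an added example, not code from the original post; `find_hits` and the `SAMPLES` payloads are constructed for illustration, and the dots in the excerpt are assumed to be the dump's rendering of non-printable bytes.

```python
import re

# Signature 5474 regex exactly as quoted in the post, compiled for raw bytes.
SIG_5474 = re.compile(
    rb"([%]20|[=])[Ss][Ee][Ll][Ee][Cc][Tt]([%]20|[+])"
    rb"[^\r\n\x00-\x19\x7F-\xFF]+"
    rb"([%]20|[+])[Ff][Rr][Oo][Mm]([%]20|[+])"
)

# Packet excerpt as posted (assumption: dots stand in for non-printable bytes).
POSTED_EXCERPT = (
    b"4.0 (compatible;MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.1.4322).."
    b"Host: www.trustar-rs.com..Content-Length: 611..Connection: Keep-Alive.."
    b"Cacheeep-Alive..Cachehe..Cookie: <removedforsecurity>=QXIPUNSdmzweb104CKQOO; "
    b"RANDOM_ID=f6a8759283514372bfadf7d4677bd5f0...."
)

def find_hits(payload: bytes, context: int = 16):
    """Return (offset, matched bytes, surrounding bytes) for every regex hit."""
    hits = []
    for m in SIG_5474.finditer(payload):
        lo = max(0, m.start() - context)
        hits.append((m.start(), m.group(0), payload[lo:m.end() + context]))
    return hits

# Constructed payloads (not from the capture) showing what the regex requires:
# a leading '=' or '%20', and '%20' or '+' as the only accepted separators.
SAMPLES = {
    "plus-separated": b"q=SeLeCt+name+from+users",
    "percent20": b"a%20select%20x%20from%20t",
    "literal spaces": b"q=select name from users",
    "split by CRLF": b"q=select+name\r\n+from+users",
    "no = or %20 prefix": b"preselect+a+from+b",
}

if __name__ == "__main__":
    print("posted excerpt:", find_hits(POSTED_EXCERPT) or "no match")
    for label, data in SAMPLES.items():
        print(f"{label:20}", "HIT" if find_hits(data) else "no match")
```

The posted excerpt produces no hit on its own. The request advertises `Content-Length: 611`, so the same function can be run over the complete payload to report the offset of any match.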