FP on 2856495 - "ETPRO HUNTING If-Unmodified-Since Header with Microsoft BITS User-Agent"

kevin_branch · March 27, 2024, 2:13pm

Hi,

We are getting tons of FP hits on this rule in which the Host: header ends with cdn.office.net. I see we are already excluding other Windows/Microsoft domains and I presume we should add something like this to the rule:
content:!"office.net";endswith;
or
content:!"cdn.office.net";endswith;

Thanks
Kevin

jtaylor · March 27, 2024, 5:17pm

Thanks for the report Kevin, will take a look and see about getting the sig updated for todays release.

JT

Topic	Replies	Views
Ruleset Update Summary - 2023/04/18 - v10300 Ruleset Updates	327	April 18, 2023
Weekly Community Review - September 21, 2023 Announcements	288	September 22, 2023
Daily Ruleset Update Summary 2022/11/01 Ruleset Updates	274	November 1, 2022
Ruleset Update Summary - 2023/05/31 - v10336 Ruleset Updates	269	May 31, 2023
Ruleset Update Summary - 2022/12/09 - v10192 Ruleset Updates	375	December 9, 2022

FP on 2856495 - "ETPRO HUNTING If-Unmodified-Since Header with Microsoft BITS User-Agent"

Related topics