Bug #191 (closed)
False Negative when matching on negated uricontent.
Description
The attached signature should fire when processing the attached pcap. It is a bad rule, but it should fire nonetheless ;-).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Mozilla/5.0|0d 0a|"; nocase; uricontent:!"|0d 0a|Host\: download.releasenotes.nokia.com"; content:!"Mozilla/5.0|0d 0a|Connection\: Close|0d 0a 0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009295; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_Agents_Suspicious; sid:2009295; rev:6;)
Modifying uricontent:!"|0d 0a|Host\: download.releasenotes.nokia.com"; to be content:!"|0d 0a|Host\: download.releasenotes.nokia.com"; causes the sig to fire, but it should fire with uricontent as well.
src/suricata -c suricata.yaml -s 2009295.rule -r 2009295.pcap -l ./
13:56:01 - (alert-fastlog.c:255) <Info> (AlertFastLogExitPrintStats) -- (Outputs) Alerts 0
...
[686] 28/6/2010 -
[686] 28/6/2010 -- 13:56:01 - (alert-unified2-alert.c:581) <Info> (Unified2AlertThreadDeinit) -- Alert unified2 module wrote 0 alerts
[686] 28/6/2010 -- 13:56:01 - (log-httplog.c:396) <Info> (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests 1
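The following is an added example, not code from the bug report or from Suricata itself. It models the three match conditions of sid 2009295 against a constructed HTTP request (the real 2009295.pcap is not reproduced here) to make the expected verdict explicit: uricontent is evaluated against the request-URI buffer only, a CRLF can never occur in that buffer, so the negated uricontent test is always true and the rule must alert whenever the other two content tests are satisfied. The helper names (request_uri, content_match, rule_2009295_fires) are this example's own.

```python
# Added example: a minimal model of Snort/Suricata content matching semantics,
# used to show why sid 2009295 is expected to fire. Not Suricata code.

# Constructed request, not the one in the attached pcap. The Host header is
# deliberately not download.releasenotes.nokia.com and Connection is not Close.
REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Host: www.example.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)

# Constructed variant where the third (negated) content pattern is present,
# so the rule must NOT fire.
REQUEST_CLOSE = (
    b"GET /index.html HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Connection: Close\r\n"
    b"\r\n"
)


def request_uri(payload: bytes) -> bytes:
    """Return the request-URI from a raw HTTP request.

    This is the buffer a uricontent keyword inspects; header lines are not
    part of it, so it can never contain a 0d 0a sequence.
    """
    first_line = payload.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) < 2:
        return b""
    return parts[1]


def content_match(buf: bytes, pattern: bytes, nocase: bool = False,
                  negated: bool = False) -> bool:
    """Content keyword semantics: presence test, optionally case-insensitive,
    with '!' inverting the result (absent pattern => match)."""
    if nocase:
        found = pattern.lower() in buf.lower()
    else:
        found = pattern in buf
    return (not found) if negated else found


def rule_2009295_conditions(payload: bytes):
    """Evaluate the three match keywords of sid 2009295 and return them as a tuple.

    '\\:' in the rule is just an escaped colon, so the byte patterns use ':'.
    """
    uri = request_uri(payload)
    # content:"|0d 0a|User-Agent\: Mozilla/5.0|0d 0a|"; nocase;  (whole payload)
    c1 = content_match(payload, b"\r\nUser-Agent: Mozilla/5.0\r\n", nocase=True)
    # uricontent:!"|0d 0a|Host\: download.releasenotes.nokia.com";  (URI buffer only)
    # The pattern starts with CRLF, which cannot appear in a URI, so this
    # negated test is always true. That is what makes the rule "bad", but a
    # correct engine still has to treat it as a match.
    c2 = content_match(uri, b"\r\nHost: download.releasenotes.nokia.com", negated=True)
    # content:!"Mozilla/5.0|0d 0a|Connection\: Close|0d 0a 0d 0a|";  (whole payload)
    c3 = content_match(payload, b"Mozilla/5.0\r\nConnection: Close\r\n\r\n", negated=True)
    return c1, c2, c3


def rule_2009295_fires(payload: bytes) -> bool:
    """The rule alerts only when every match keyword is satisfied."""
    return all(rule_2009295_conditions(payload))


if __name__ == "__main__":
    print("constructed request fires:", rule_2009295_fires(REQUEST))
    print("Connection: Close variant fires:", rule_2009295_fires(REQUEST_CLOSE))
```

Under these semantics the first constructed request yields an alert and the Connection: Close variant does not; an engine that reports zero alerts for a request like the first one is treating the negated uricontent as a failed match, which is the false negative described above.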