tag:blogger.com,1999:blog-2672754150485551359.post6594185715836831600..comments2009-05-23T06:26:44.047-04:00Security Shoggothhttp://www.blogger.com/profile/15411793726236555303securityshoggoth@gmail.comBlogger1125tag:blogger.com,1999:blog-2672754150485551359.post-49248851400876112992009-05-23T06:26:44.047-04:002009-05-23T06:26:44.047-04:00I recommend you drop the &lt;&lt; from the scan: /OpenAction /JS<br />&lt;&lt; indicates the start of the dictionary, and keys inside the dictionary can appear in random order.<br /><br />And to increase the probability the snort rule only triggers for PDF documents, add %%EOF too.Didier Stevenshttp://www.blogger.com/profile/17537511475658709281noreply@blogger.com