Network Client Detection
Match patterns that begin with the ^ symbol mean at least one line in the packet payload must begin with the following pattern. Match patterns that begin with the ! symbol indicate that the string must NOT match anything in the packet payload. In this case, the ! and ^ symbols are combined to indicate that NNM should not evaluate any packet whose payload contains a line starting with the pattern
The ^ is more expensive to evaluate than the > symbol. So, while both match patterns
><pattern> would find
<pattern> at the beginning of a packet payload, the use of > is more desirable as it is less costly. Use ^ when looking for the occurrence of a string at the beginning of a line, but not at the beginning of the packet payload. In the latter case, use the > character instead.
name=Buffer overflow in multiple IMAP clients
description=The remote e-mail client is Mozilla 1.3 or 1.4a which is vulnerable to a boundary condition error whereby a malicious IMAP server may be able to crash or execute code on the client.
solution=Upgrade to either 1.3.1 or 1.4a
regex=^User-Agent: Mozilla/.* \(.*rv:(1\.3|1\.4a)