Avoid Adobe related false-positives

Avoid Adobe related false-positives such as Adobe Synchronizer

rules/proxy/proxy_ua_susp.yml

@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious malformed user agent strings in proxy logs
 author: Florian Roth
 date: 2017/07/08
-modified: 2022/07/07
+modified: 2022/08/08
 references:
     - https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
 logsource:
@@ -33,7 +33,11 @@ detection:
             - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0'  # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html
             - 'HTTPS'  # https://twitter.com/stvemillertime/status/1204437531632250880
     falsepositives:
-        c-useragent: 'Mozilla/3.0 * Acrobat *'  # Acrobat with linked content
+        - c-useragent: 'Mozilla/3.0 * Acrobat *'  # Acrobat with linked content
+        - r-dns|endswith: # Adobe product traffic, example: Mozilla/3.0 (compatible; Adobe Synchronizer 10.12.20000)
+          - '.acrobat.com'
+          - '.adobe.com'
+          - '.adobe.io'
     condition: 1 of selection* and not falsepositives
 fields:
     - ClientIP