Snort mailing list archives
Re: Question on SID 18358
From: Matt Olney <molney () sourcefire com>
Date: Fri, 8 Apr 2011 10:37:58 -0400
The user agent applies to the client request and is not associated with a particular URL. If the application requesting the URL declares itself as "User-Agent: NSIS_INETLOAD", then this rule will fire.

Matt

On Thu, Apr 7, 2011 at 12:42 PM, Lay, James <james.lay () wincofoods com> wrote:

So....does this rule:

blacklist.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST USER-AGENT known malicious user-agent string NSIS_INETLOAD"; flow:to_server,established; content:"User-Agent|3A| NSIS_INETLOAD"; nocase; http_header; metadata:impact_flag red, service http; reference:url, labs.snort.org/docs/18358.html; classtype:trojan-activity; sid:18358; rev:2;)

apply to this link: http://installerstats.yahoo.com/appusage.asp

User agent was NSIS_INETLOAD.

Danke
James
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
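As an added example (not code from the thread, from Sourcefire or from Snort itself), a small Python evaluator for the payload options of SID 18358 as quoted above, run against constructed HTTP requests to show that the match depends only on the User-Agent header of the client request, never on the URL. It assumes a simplified model of Snort: the http_header buffer is the request headers without the request line, and flow:to_server is approximated by ignoring anything that looks like a server response (the established flag is not modelled).

```python
import re

# SID 18358 as quoted in the thread; the metadata/reference options are dropped for brevity
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ('
        'msg:"BLACKLIST USER-AGENT known malicious user-agent string NSIS_INETLOAD"; '
        'flow:to_server,established; content:"User-Agent|3A| NSIS_INETLOAD"; nocase; '
        'http_header; classtype:trojan-activity; sid:18358; rev:2;)')


def decode_snort_content(pattern: str) -> bytes:
    """Turn a Snort content string into bytes: text outside |..| is literal, inside is hex."""
    out = bytearray()
    for i, part in enumerate(pattern.split('|')):
        out += bytes.fromhex(part) if i % 2 else part.encode('latin-1')
    return bytes(out)


def http_header_block(request: bytes) -> bytes:
    """Simplified http_header buffer: the request headers only, no request line and no body."""
    head = request.split(b'\r\n\r\n', 1)[0]
    return head.split(b'\r\n', 1)[1] if b'\r\n' in head else b''


def rule_matches(request: bytes, rule: str = RULE) -> bool:
    """Evaluate the rule's content/nocase/http_header options against one HTTP message."""
    # flow:to_server: only client requests are inspected; a server response begins with "HTTP/"
    if request.startswith(b'HTTP/'):
        return False
    pattern = decode_snort_content(re.search(r'content:"([^"]*)"', rule).group(1))
    haystack = http_header_block(request)
    if 'nocase;' in rule:                      # nocase: compare case-insensitively
        pattern, haystack = pattern.lower(), haystack.lower()
    return pattern in haystack                 # nothing in the rule looks at the URI


def request(uri: bytes, user_agent: bytes) -> bytes:
    """Build a constructed HTTP/1.1 GET request for the host named in the thread."""
    return (b'GET ' + uri + b' HTTP/1.1\r\nHost: installerstats.yahoo.com\r\n'
            b'User-Agent: ' + user_agent + b'\r\n\r\n')


if __name__ == '__main__':
    # Fires on the thread's URL and on any other URL, as long as the client declares this UA
    print(rule_matches(request(b'/appusage.asp', b'NSIS_INETLOAD')))       # True
    print(rule_matches(request(b'/some/other/path', b'nsis_inetload')))    # True
    # Same URL with an ordinary browser UA does not fire
    print(rule_matches(request(b'/appusage.asp', b'Mozilla/5.0')))         # False
```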
Current thread:
- Question on SID 18358 Lay, James (Apr 07)
- Re: Question on SID 18358 Matt Olney (Apr 08)
- Re: Question on SID 18358 Lay, James (Apr 08)
- Re: Question on SID 18358 Joel Esler (Apr 08)
- Re: Question on SID 18358 Lay, James (Apr 08)
- Re: Question on SID 18358 Matt Olney (Apr 08)