Snort mailing list archives

Skype Exercise


From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 16 May 2013 16:27:02 -0600

So this is more of an exercise...:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY Leaked link via Skype pingback"; flow:to_server,established; content:"HEAD"; http_method; content:"User-Agent|3A| -"; http_header; content:"Referer|3A| -"; http_header; reference:url,http://seclists.org/fulldisclosure/2013/May/78; classtype:bad-unknown; sid:10000061; rev:1;)

From the FD post:
They have referrer and user agent set to a dash "-".

Not that I'll actually run this, but just thoughts on if there would be 
a better way to write this up.  Thanks all.

James
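
An offline version of the rule's three conditions (HEAD method, User-Agent of "-", Referer of "-"), as an added example that is not part of the original post. It contrasts case-sensitive substring matching, which is how content matches behave without nocase, with an exact comparison of parsed header values. The function names and sample requests are constructed for illustration, and any normalization by Snort's HTTP preprocessor is ignored.

```python
# Added example. Every request in SAMPLES is constructed for illustration.

def parse_request(raw: bytes):
    """Return (method, headers); header names lower-cased, values stripped."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers

def rule_as_written(raw: bytes) -> bool:
    """Approximation of the rule's content matches: case-sensitive substrings.
    Assumption: any normalization done by Snort's HTTP preprocessor is ignored."""
    request_line, _, header_block = raw.partition(b"\r\n")
    method = request_line.split(b" ", 1)[0]
    return (b"HEAD" in method
            and b"User-Agent: -" in header_block
            and b"Referer: -" in header_block)

def strict_match(raw: bytes) -> bool:
    """HEAD request whose User-Agent and Referer values are exactly "-"."""
    method, headers = parse_request(raw)
    return (method == "HEAD"
            and headers.get("user-agent") == "-"
            and headers.get("referer") == "-")

def req(method, ua_name, ua, ref):
    """Build one constructed request with the given method and header values."""
    return (f"{method} /shared/link HTTP/1.1\r\nHost: www.example.com\r\n"
            f"{ua_name}: {ua}\r\nReferer: {ref}\r\n\r\n").encode("latin-1")

SAMPLES = {
    "dash_headers": req("HEAD", "User-Agent", "-", "-"),
    "lowercase_names": req("HEAD", "user-agent", "-", "-"),
    "dash_prefix_only": req("HEAD", "User-Agent", "-monitor/1.0", "-"),
    "browser_get": req("GET", "User-Agent", "Mozilla/5.0", "http://www.example.com/"),
}

def evaluate():
    """Map sample name -> (rule_as_written, strict_match)."""
    return {name: (rule_as_written(raw), strict_match(raw))
            for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:18} as_written={result[0]} strict={result[1]}")
```

The two checks disagree on the lower-case header name and on the value that merely starts with a dash, which are the two cases to test any revision of the rule against.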

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs