Snort mailing list archives
Noction IRP Probe sig
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 14 Dec 2016 08:20:55 -0700
Been seeing these for months... they hit on data on syn packet, figured I'd sig it up:

alert tcp $EXTERNAL_NET any -> $HOME_NET 33434 (msg:"INFO Noction IRP Probe"; flow:stateless; flags:SP; content:"|4E4F4354494F4E20495250|"; classtype:bad-unknown; reference:url,www.noction.com/faq; sid:10000242; rev:1;)

James