Snort mailing list archives
Question on SID 18358
From: "Lay, James" <james.lay () wincofoods com>
Date: Thu, 7 Apr 2011 10:42:21 -0600
So....does this rule: blacklist.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST USER-AGENT known malicious user-agent string NSIS_INETLOAD"; flow:to_server,established; content:"User-Agent|3A| NSIS_INETLOAD"; nocase; http_header; metadata:impact_flag red, service http; reference:url,labs.snort.org/docs/18358.html; classtype:trojan-activity; sid:18358; rev:2;) apply to this link: http://installerstats.yahoo.com/appusage.asp User agent was NSIS_INETLOAD. Danke James
------------------------------------------------------------------------------ Xperia(TM) PLAY It's a major breakthrough. An authentic gaming smartphone on the nation's most reliable network. And it wants your games. http://p.sf.net/sfu/verizon-sfdev
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Question on SID 18358 Lay, James (Apr 07)
- Re: Question on SID 18358 Matt Olney (Apr 08)
- Re: Question on SID 18358 Lay, James (Apr 08)
- Re: Question on SID 18358 Joel Esler (Apr 08)
- Re: Question on SID 18358 Lay, James (Apr 08)
- Re: Question on SID 18358 Matt Olney (Apr 08)