Re: Question on SID 18358

[Matt Olney <molney () sourcefire com>]

The user agent applies to the client request and is not associated with a
particular URL.  If the application requesting the URL declares itself as
User-Agent: NSIS_NETLOAD", then this rule will fire.

Matt

On Thu, Apr 7, 2011 at 12:42 PM, Lay, James <james.lay () wincofoods com>wrote:

> So….does this rule:
>
>
>
> blacklist.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"BLACKLIST USER-AGENT known malicious user-agent string NSIS_INETLOAD";
> flow:to_server,established; content:"User-Agent|3A| NSIS_INETLOAD"; nocase;
> http_header; metadata:impact_flag red, service http; reference:url,
> labs.snort.org/docs/18358.html; classtype:trojan-activity; sid:18358;
> rev:2;)
>
>
>
> apply to this link:
>
>
>
> http://installerstats.yahoo.com/appusage.asp
>
>
>
> User agent was NSIS_INETLOAD.
>
>
>
> Danke
>
>
>
> James
>
>
> ------------------------------------------------------------------------------
> Xperia(TM) PLAY
> It's a major breakthrough. An authentic gaming
> smartphone on the nation's most reliable network.
> And it wants your games.
> http://p.sf.net/sfu/verizon-sfdev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------
Xperia(TM) PLAY
It's a major breakthrough. An authentic gaming
smartphone on the nation's most reliable network.
And it wants your games.
http://p.sf.net/sfu/verizon-sfdev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users