Snort mailing list archives
sid:36535
From: Zied Naas <Zied.Naas () abovesecurity com>
Date: Mon, 26 Oct 2015 16:22:40 +0000
Hi all,

I would like to know why alerts are triggering for the payload containing only the first content "return" but not the others.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit landing page detected"; flow:to_client, established; file_data; content:"return"; content:"join"; within:8; content:"MSIE"; distance:0; content:"navigator"; within:60; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36535; rev:1;)

Regards,
Zied Naas
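An added illustration (not Snort's code and not part of the post above): a small backtracking matcher that models the documented relative-content semantics of `distance` and `within` and runs the four-content chain from sid:36535 over constructed payloads, so you can see which buffers should and should not satisfy the whole chain. It assumes the `file_data` buffer has already been extracted and that matching is case-sensitive (the rule carries no `nocase`).

```python
from typing import List, Optional, Tuple

# (pattern, distance, within) -- one entry per content: keyword in the rule.
# distance=None/within=None means the modifier is absent for that content.
Content = Tuple[bytes, Optional[int], Optional[int]]

# The content chain of sid:36535 as posted (hypothetical ordering model, see below).
SID_36535_CHAIN: List[Content] = [
    (b"return", None, None),   # first content: anywhere in the buffer
    (b"join", None, 8),        # must lie entirely within 8 bytes after "return" ends
    (b"MSIE", 0, None),        # must start at or after the end of "join"
    (b"navigator", None, 60),  # must lie entirely within 60 bytes after "MSIE" ends
]


def chain_matches(buf: bytes, chain: List[Content]) -> bool:
    """Return True only if every content in the chain is found, honouring
    distance/within relative to the previous match. Backtracks: if a later
    content fails, the earlier content is retried at its next occurrence."""

    def search(idx: int, prev_end: int) -> bool:
        if idx == len(chain):
            return True                      # whole chain satisfied
        pat, distance, within = chain[idx]
        if idx == 0:
            start, end = 0, len(buf)         # unconstrained first content
        else:
            start = prev_end + (distance or 0)
            end = len(buf) if within is None else min(len(buf), start + within)
        # bytes.find with a bound requires the pattern to fit inside [start, end).
        pos = buf.find(pat, start, end)
        while pos != -1:
            if search(idx + 1, pos + len(pat)):
                return True
            pos = buf.find(pat, pos + 1, end)  # backtrack to next occurrence
        return False

    return search(0, 0)


# Constructed sample buffers (not real captured traffic).
FULL_CHAIN = b"return join MSIE navigator"          # every content in range
ONLY_FIRST = b"function f(){ return x; }"           # only "return" present
JOIN_TOO_FAR = b"return xxxxxxxxxx join MSIE navigator"  # "join" ends past within:8

if __name__ == "__main__":
    for name, payload in [("FULL_CHAIN", FULL_CHAIN), ("ONLY_FIRST", ONLY_FIRST),
                          ("JOIN_TOO_FAR", JOIN_TOO_FAR)]:
        print(name, chain_matches(payload, SID_36535_CHAIN))
```

Under these semantics a buffer that contains only "return" does not satisfy the chain, so an alert on such a payload points at something other than the content logic (for example a different buffer or a different rule revision) and is worth checking with the actual packet or file captured.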
Current thread:
- sid:36535 Zied Naas (Oct 26)
- Re: sid:36535 wkitty42 (Oct 26)
- Re: sid:36535 Joel Esler (jesler) (Oct 26)
- Re: sid:36535 Jefferson, Shawn (Oct 29)
- Re: sid:36535 James Lay (Oct 29)
- Re: sid:36535 Joel Esler (jesler) (Oct 26)
- Re: sid:36535 Avery Rozar (Nov 02)
- Re: sid:36535 Joel Esler (jesler) (Nov 02)
- Re: sid:36535 wkitty42 (Oct 26)