Home page logo

snort logo Snort mailing list archives

Re: [Snort-sigs] [Emerging-Sigs] TROJ_NAIKON.A sig
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 26 Apr 2013 13:52:54 -0600

On 2013-04-26 13:48, Will Metcalf wrote:
This wont work on snort unless 443 is configured as an http port in
your http_inspect config, which it generally is not. No biggie though
we can drop http_header for snort....



On Fri, Apr 26, 2013 at 2:35 PM, James Lay <jlay () slave-tothe-box net
[5]> wrote:

And another (slow day)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443
flow:to_server,established; content:"User-Agent|3A|
NOKIAN95|2f|WEB"; http_header; fast_pattern:only; metadata:policy
balanced-ips drop, policy security-ips drop, service http;

[1]; classtype:trojan-activity; sid:10000050; rev:1;)

Im thinking file_data isnt needed as were just looking at headers?


Ah that TOTALLY makes sense...I missed that...meh..it's Friday :D


Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr
Snort-sigs mailing list
Snort-sigs () lists sourceforge net

Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]