
Snort mailing list archives

Skype Exercise
From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 16 May 2013 16:27:02 -0600

So this is more of an exercise...:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY Leaked link via Skype pingback"; \
    flow:to_server,established; \
    content:"HEAD"; http_method; \
    content:"User-Agent|3A| -"; http_header; \
    content:"Referer|3A| -"; http_header; \
    classtype:bad-unknown; sid:10000061; rev:1)

From the FD post:
They have referrer and user agent set to a dash "-".

Not that I'll actually run this, but just thoughts on if there would be 
a better way to write this up.  Thanks all.
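
Added example (not part of the original post and not the poster's code): a Python check with the same three conditions as the rule, run over constructed sample requests. It compares header values exactly, which is stricter than the rule's substring content matches, and it separately labels requests where both headers are absent, since a combined-format access log prints "-" for a missing header as well. The function names and the www.example.test host are assumptions made for illustration.

```python
# Added example: the rule's three conditions applied to raw HTTP request heads.
DASH, ABSENT, OTHER = "dash", "absent", "other"

def parse_request(raw: bytes):
    """Return (method, headers) from a raw HTTP/1.x request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers

def header_state(headers, name):
    """Distinguish a literal '-' value from a header that was never sent."""
    if name not in headers:
        return ABSENT
    return DASH if headers[name] == "-" else OTHER

def classify(raw: bytes) -> str:
    """'match'    : HEAD with User-Agent and Referer both exactly '-'
       'log-only' : HEAD with both headers absent (logged as '-' in combined
                    format, but no literal dash on the wire for the rule to hit)
       'no'       : anything else"""
    method, headers = parse_request(raw)
    if method != "HEAD":
        return "no"
    states = {header_state(headers, h) for h in ("user-agent", "referer")}
    if states == {DASH}:
        return "match"
    if states == {ABSENT}:
        return "log-only"
    return "no"

# Constructed sample requests (hypothetical host, not captured traffic).
HOST = b"Host: www.example.test\r\n"
SAMPLES = {
    "literal_dash": b"HEAD /x HTTP/1.1\r\n" + HOST + b"User-Agent: -\r\nReferer: -\r\n\r\n",
    "absent": b"HEAD /x HTTP/1.1\r\n" + HOST + b"\r\n",
    "get": b"GET /x HTTP/1.1\r\n" + HOST + b"User-Agent: -\r\nReferer: -\r\n\r\n",
    # A substring match on 'User-Agent: -' would also hit this value.
    "dash_prefix": b"HEAD /x HTTP/1.1\r\n" + HOST + b"User-Agent: -bot/1.0\r\nReferer: -\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:13s} {classify(raw)}")
```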


Snort-sigs mailing list
Snort-sigs () lists sourceforge net

