Snort mailing list archives

Re: Sype Excersise
From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 16 May 2013 20:33:11 -0400

On 5/16/2013 18:27, James Lay wrote:
> So this is more of an exercise...:
>
> alert tcp $EXTERNAL_NET any ->  $HOME_NET $HTTP_PORTS (msg:"POLICY
> Leaked link via Skype pingback"; flow:to_server,established;
> content:"HEAD"; http_method; content:"User-Agent|3A| -"; http_header;
> content:"Referer|3A| -"; http_header;
> classtype:bad-unknown; sid:10000061; rev:1)
>
> From the FD post:
> They have referrer and user agent set to a dash "-".
>
> Not that I'll actually run this, but just thoughts on if there would be
> a better way to write this up.  Thanks all.

a lot of anonymizing "services" use dashes for those two fields, too... 
"services" like norton's proxy filtering stuff and others of similar nature... 
at least, they used to... i don't see them in my http logs so much any more, 
though... not like i used to see them...

NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
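
The rule quoted in this message, emulated in Python over constructed requests (an added example, not code from either poster or from Snort): the posted `content` matches are substring matches, so a User-Agent that merely starts with a dash also fires, while ending each match at the CRLF (in Snort, appending `|0D 0A|` to the content) requires the value to be exactly "-". The helper names, host and path are assumptions, as is treating the header buffer as the headers exactly as sent.

```python
# Added example: emulates the three content checks of the quoted rule.
# Every request below is a constructed sample, not captured traffic.

def build_request(method: str, user_agent: str, referer: str) -> bytes:
    """Hypothetical helper that builds a raw HTTP request for the samples."""
    return (f"{method} /shared/doc HTTP/1.1\r\nHost: example.test\r\n"
            f"User-Agent: {user_agent}\r\nReferer: {referer}\r\n\r\n").encode()

def split_request(raw: bytes):
    """Return (method, header_block) with a CRLF kept after the last header."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    return request_line.split(b" ", 1)[0], headers + b"\r\n"

def rule_as_posted(raw: bytes) -> bool:
    """Case-sensitive substring matches, as in content:"..."; http_header;"""
    method, headers = split_request(raw)
    return (b"HEAD" in method
            and b"User-Agent: -" in headers
            and b"Referer: -" in headers)

def rule_anchored(raw: bytes) -> bool:
    """Same checks, but the dash must be the whole value (CRLF follows it)."""
    method, headers = split_request(raw)
    return (method == b"HEAD"
            and b"User-Agent: -\r\n" in headers
            and b"Referer: -\r\n" in headers)

SAMPLES = {
    "head_both_dash": build_request("HEAD", "-", "-"),
    "head_ua_dash_prefix": build_request("HEAD", "-custom-agent/1.0", "-"),
    "get_both_dash": build_request("GET", "-", "-"),
    "head_browser": build_request("HEAD", "Mozilla/5.0", "http://example.test/"),
}

def evaluate() -> dict:
    """Map each sample name to (posted rule fires, anchored rule fires)."""
    return {name: (rule_as_posted(raw), rule_anchored(raw))
            for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, (posted, anchored) in evaluate().items():
        print(f"{name:22} posted={posted!s:5} anchored={anchored}")
```

Neither form separates the pingback from the anonymizing services mentioned in the reply: a HEAD request from one of them with both fields set to a dash matches both checks.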

Snort-sigs mailing list
Snort-sigs () lists sourceforge net
