Home page logo
/

snort logo Snort mailing list archives

Re: Sype Excersise
From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 16 May 2013 20:33:11 -0400

On 5/16/2013 18:27, James Lay wrote:
So this is more of an exercise...:

alert tcp $EXTERNAL_NET any ->  $HOME_NET $HTTP_PORTS (msg:"POLICY
Leaked link via Skype pingback"; flow:to_server,established;
content:"HEAD"; http_method; content:"User-Agent|3A| -"; http_header;
content:"Referer|3A| -"; http_header;
reference:url,http://seclists.org/fulldisclosure/2013/May/78;
classtype:bad-unknown; sid:10000061; rev:1)

  From the FD post:
They have referrer and user agent set to a dash "-".

Not that I'll actually run this, but just thoughts on if there would be
a better way to write this up.  Thanks all.

a lot of anonymizing "services" use dashes for those two fields, too... 
"services" like norton's proxy filtering stuff and others of similar nature... 
at least, they used to... i don't see them in my http logs so much any more, 
though... not like i used to see them...

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!


  By Date           By Thread  

Current thread:
  • Sype Excersise James Lay (May 16)
    • Re: Sype Excersise waldo kitty (May 17)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault