[Snort-sigs] [Emerging-Sigs] TROJ_NAIKON.A sig
jlay at ...3266...
Fri Apr 26 15:52:54 EDT 2013
On 2013-04-26 13:48, Will Metcalf wrote:
> This wont work on snort unless 443 is configured as an http port in
> your http_inspect config, which it generally is not. No biggie though
> we can drop http_header for snort....
> On Fri, Apr 26, 2013 at 2:35 PM, James Lay <jlay at ...3266...
> > wrote:
>> And another (slow day)
>> alert tcp $HOME_NET any -> $EXTERNAL_NET 443
>> (msg:"INDICATOR-COMPROMISED TROJ_NAIKON.A User-Agent";
>> flow:to_server,established; content:"User-Agent|3A|
>> NOKIAN95|2f|WEB"; http_header; fast_pattern:only; metadata:policy
>> balanced-ips drop, policy security-ips drop, service http;
>> ; classtype:trojan-activity; sid:10000050; rev:1;)
>> Im thinking file_data isnt needed as were just looking at headers?
Ah that TOTALLY makes sense...I missed that...meh..it's Friday :D
More information about the Snort-sigs