[Snort-sigs] [Emerging-Sigs] TROJ_NAIKON.A sig
wmetcalf at ...3525...
Fri Apr 26 15:48:40 EDT 2013
This won't work on snort unless 443 is configured as an http port in your
http_inspect config, which it generally is not. No biggie though, we can
drop http_header for snort....
On Fri, Apr 26, 2013 at 2:35 PM, James Lay <jlay at ...3266...> wrote:
> And another (slow day)
> alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"INDICATOR-COMPROMISED
> TROJ_NAIKON.A User-Agent"; flow:to_server,established;
> content:"User-Agent|3A| NOKIAN95|2f|WEB"; http_header; fast_pattern:only;
> metadata:policy balanced-ips drop, policy security-ips drop, service http;
> classtype:trojan-activity; sid:10000050; rev:1;)
> I'm thinking file_data isn't needed as we're just looking at headers?
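The point Will makes above (an http_header match on port 443 can never fire on Snort 2.x unless 443 is in http_inspect's port list) is easy to miss in a large ruleset. The script below is an added example, not code from the thread, from Snort or from Emerging Threats: it joins the backslash-continued http_inspect_server line of a snort.conf, collects its ports { ... } clause, parses the rule header and options, and warns when a rule with a literal destination port uses an http_* buffer on a port http_inspect does not decode. The snort.conf fragment is constructed for the example (its port list is an assumption); the rule is James's sid 10000050 as posted, and the two fixes the thread implies (add 443 to http_inspect, or drop http_header so content matches the raw payload) are shown against it.

```python
import re

# Added example, not code from the thread. Constructed snort.conf fragment:
# a Snort 2.x http_inspect_server default block whose (assumed) port list
# does not include 443.
CONF_DEFAULT = r"""
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8000 8080 8888 } \
    server_flow_depth 0 client_flow_depth 0
"""

# First fix: make 443 an http_inspect port so the http_header buffer exists.
CONF_WITH_443 = CONF_DEFAULT.replace("ports { 80", "ports { 80 443")

# The rule from the thread (sid 10000050), still line-wrapped as in the mail.
RULE = r"""alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"INDICATOR-COMPROMISED
TROJ_NAIKON.A User-Agent"; flow:to_server,established;
content:"User-Agent|3A| NOKIAN95|2f|WEB"; http_header; fast_pattern:only;
metadata:policy balanced-ips drop, policy security-ips drop, service http;
classtype:trojan-activity; sid:10000050; rev:1;)"""

# Second fix: drop http_header so the content matches the raw TCP payload.
RULE_RAW = RULE.replace(" http_header;", "")

# Option keywords that only match against http_inspect-normalized buffers.
HTTP_BUFFERS = {
    "http_header", "http_raw_header", "http_uri", "http_raw_uri",
    "http_method", "http_cookie", "http_raw_cookie", "http_client_body",
    "http_stat_code", "http_stat_msg",
}


def http_inspect_ports(conf):
    """Return the set of ports named in any ports { ... } clause of an
    http_inspect_server line, after joining backslash line continuations."""
    joined = re.sub(r"\\\s*\n", " ", conf)
    ports = set()
    for line in joined.splitlines():
        if line.strip().startswith("preprocessor http_inspect_server:"):
            for block in re.findall(r"ports\s*\{([^}]*)\}", line):
                ports.update(int(p) for p in block.split())
    return ports


def split_options(body):
    """Split a rule option body on ';' while ignoring ';' inside quotes."""
    opts, cur, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    return opts


def parse_rule(rule):
    """Return (dst_port, option keywords) for a Snort rule, collapsing the
    line-wrapped form used in the mail back to a single line first."""
    flat = " ".join(rule.split())
    m = re.match(r"\w+\s+\w+\s+\S+\s+\S+\s*(?:->|<>)\s*\S+\s+(\S+)\s*\((.*)\)$", flat)
    if not m:
        raise ValueError("unparsable rule header")
    keywords = [o.split(":", 1)[0].strip() for o in split_options(m.group(2))]
    return m.group(1), keywords


def check_http_buffers(rule, conf):
    """Warn when a rule relies on an HTTP buffer but its destination port is
    a literal port that http_inspect is not configured to decode."""
    dst, keywords = parse_rule(rule)
    used = sorted(k for k in keywords if k in HTTP_BUFFERS)
    if not used:
        return []
    literal = [p for p in dst.strip("[]").split(",") if p.isdigit()]
    if not literal:
        return []   # variable such as $HTTP_PORTS: cannot decide statically
    inspected = http_inspect_ports(conf)
    missing = [p for p in literal if int(p) not in inspected]
    return [f"port {p} is not an http_inspect port, so {', '.join(used)} "
            f"is never populated and the rule cannot fire" for p in missing]


if __name__ == "__main__":
    for name, rule, conf in [("as posted", RULE, CONF_DEFAULT),
                             ("443 added to http_inspect", RULE, CONF_WITH_443),
                             ("http_header dropped", RULE_RAW, CONF_DEFAULT)]:
        print(f"{name}: {check_http_buffers(rule, conf) or 'ok'}")
```

Run against your own snort.conf and rules file, the first case flags the rule as posted, and either fix clears it. Rules whose destination is a variable such as $HTTP_PORTS are skipped because the check is static; resolve the variable first if you want them covered. Dropping http_header trades normalization for a raw payload match, so the content must then appear literally in the unencoded request, which is what the posted User-Agent string does.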