[Snort-sigs] Fw: Snort Rules

waldo kitty wkitty42 at ...3507...
Thu Feb 14 19:24:55 EST 2013

On 2/14/2013 17:28, alex dina wrote:
> Also, can you please explain what these rules are looking for in a data packet?
> Thank you!
> alert tcp any any -> any any (msg:"Taidoor trojan - notify Threat Cell";
> content:"GET /"; content:".asp?est="; content:"&hn="; content:"&ha=";
> sid:4200455; rev:1;)

what is there to explain? it is very simple... it is looking for content blocks 
of the following...

   GET /

all must appear in the same packet...
