[Snort-sigs] Fw: Snort Rules

waldo kitty wkitty42 at ...3507...
Thu Feb 14 19:24:55 EST 2013


On 2/14/2013 17:28, alex dina wrote:
> Also, can you please explain what these rules are looking for in a data packet?
> Thank you!
>
> alert tcp any any -> any any (msg:"Taidoor trojan - notify Threat Cell";
> content:"GET /"; content:".asp?est="; content:"&hn="; content:"&ha=";
> sid:4200455; rev:1;)


what is there to explain? it is very simple... it is looking for content blocks 
of the following...

   GET /
   .asp?est=
   &hn=
   &ha=

all must appear in the same packet...
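
The matching described in the reply above, as an added example that is not part of the original message or of Snort itself: a small Python model that pulls the content options out of the quoted rule and tests them against constructed payloads. It assumes a single payload buffer, ignores the rule header and any preprocessors, and the helper names and sample requests are made up for illustration.

```python
import re

# The rule quoted in the message above, joined onto one line.
RULE = ('alert tcp any any -> any any (msg:"Taidoor trojan - notify Threat Cell"; '
        'content:"GET /"; content:".asp?est="; content:"&hn="; content:"&ha="; '
        'sid:4200455; rev:1;)')

def decode_content(text):
    """Turn a Snort content string into bytes; |..| sections are hex bytes."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        if i % 2:                       # odd chunks sit between pipes: hex
            out += bytes.fromhex(part)
        else:
            out += part.encode("latin-1")
    return bytes(out)

def rule_contents(rule):
    """Content patterns in written order (escaped quotes are not handled)."""
    return [decode_content(c) for c in re.findall(r'content:"([^"]*)"', rule)]

def matches(rule, payload):
    """True when every content pattern occurs somewhere in this one payload.

    None of the contents in RULE carries nocase, offset, depth, distance or
    within, so each is a case-sensitive search over the whole payload and the
    order in which the strings occur does not matter.
    """
    return all(c in payload for c in rule_contents(rule))

# Constructed sample payloads (hypothetical requests, not captured traffic).
SAMPLES = {
    "all four strings": b"GET /abcde.asp?est=1&hn=HOST01&ha=00AABBCCDDEE HTTP/1.1\r\n\r\n",
    "different order":  b"GET /abcde.asp?est=1&ha=00AABBCCDDEE&hn=HOST01 HTTP/1.1\r\n\r\n",
    "missing &ha=":     b"GET /abcde.asp?est=1&hn=HOST01 HTTP/1.1\r\n\r\n",
    "upper-case .ASP":  b"GET /abcde.ASP?est=1&hn=HOST01&ha=00AABBCCDDEE HTTP/1.1\r\n\r\n",
    "POST request":     b"POST /abcde.asp?est=1&hn=HOST01&ha=00AABBCCDDEE HTTP/1.1\r\n\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:18} -> {'alert' if matches(RULE, payload) else 'no alert'}")
```

Only the first two samples alert: the rule has no ordering or position constraints between its contents, but it is case-sensitive and needs all four strings in the one payload.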



