[Snort-sigs] (no subject)

lists at ...3397... lists at ...3397...
Mon Mar 25 16:30:44 EDT 2013


On 03/25/2013 03:16 PM, alex dina wrote:
> alert tcp $HOME_NET any <> $EXTERNAL_NET 80 (msg:"Known Intrusion Set DNS beacon
> over port 80"; flow:established,to_server; content: "jiji.com"; ! “kijiji.com”;
> nocase; reference:"High Side SpreadSheet"; rev:2; classtype:unknown; )

alert tcp $HOME_NET any <> $EXTERNAL_NET 80 (msg:"Known Intrusion Set DNS beacon
over port 80"; flow:established,to_server; content: "jiji.com";
fast_pattern:only; content:!"kijiji.com"; nocase; reference:"High Side
SpreadSheet"; classtype:bad-unknown; six:x; rev:1;)




More information about the Snort-sigs mailing list