[Snort-sigs] [Emerging-Sigs] Proposed Sirefef (was Re: Late in the day...bet this could be sig'd)

Joel Esler jesler at ...435...
Tue May 7 11:34:26 EDT 2013


On May 6, 2013, at 5:31 PM, Nathan <nathan at ...3397...> wrote:
> On May 6, 2013, at 13:37, Joel Esler <jesler at ...435...> wrote:
> 
>> Looking at what you are intending here, I think you mean it the other way (HOME_NET -> $EXTERNAL_NET)
> 
> Neg, was looking for a compromised site serving it up to visitors and subsequent compromise with the fake Opera UA.  Looking at local web compromise might be good/valid too.  I think waldo confused us :)

If that was the intention, then the rule should be written

$HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (flow:to_client,established) yes?

Joel