[Snort-sigs] Skype Exercise
jlay at ...3266...
Thu May 16 18:27:02 EDT 2013
So this is more of an exercise...:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"POLICY Leaked link via Skype pingback"; \
    flow:to_server,established; \
    content:"HEAD"; http_method; \
    content:"User-Agent|3A| -"; http_header; \
    content:"Referer|3A| -"; http_header; \
    classtype:bad-unknown; sid:10000061; rev:1)
From the FD post:
They have referrer and user agent set to a dash "-".
Not that I'll actually run this, but just thoughts on if there would be
a better way to write this up. Thanks all.
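
The logic of the rule above, checked offline against constructed requests, as an added example that is not part of the original post. It contrasts substring matching (which is how Snort content matches behave) with an exact comparison of the header values; the sample requests, hostnames and function names are assumptions made for illustration.

```python
# Added example: sample requests below are constructed, not captured traffic.

def parse_request(raw: bytes):
    """Return (method, {lowercased header name: stripped value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers

def substring_match(raw: bytes) -> bool:
    """Approximates the posted rule: HEAD method plus two substring matches."""
    method, _ = parse_request(raw)
    return (method == "HEAD"
            and b"User-Agent: -" in raw
            and b"Referer: -" in raw)

def exact_match(raw: bytes) -> bool:
    """Stricter check: both header values must be exactly a single dash."""
    method, headers = parse_request(raw)
    return (method == "HEAD"
            and headers.get("user-agent") == "-"
            and headers.get("referer") == "-")

SAMPLES = {
    # Matches the description quoted in the post: both headers are "-".
    "pingback": b"HEAD /private/doc HTTP/1.1\r\nHost: example.test\r\n"
                b"User-Agent: -\r\nReferer: -\r\n\r\n",
    # Header values merely start with a dash: substring match still fires.
    "lookalike": b"HEAD /status HTTP/1.1\r\nHost: example.test\r\n"
                 b"User-Agent: -uptime-check/1.0\r\nReferer: -\r\n\r\n",
    # Ordinary browser request: neither check should fire.
    "browser": b"GET / HTTP/1.1\r\nHost: example.test\r\n"
               b"User-Agent: Mozilla/5.0\r\nReferer: http://example.test/\r\n\r\n",
}

def evaluate():
    """Map sample name -> (substring_match result, exact_match result)."""
    return {k: (substring_match(v), exact_match(v)) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(name, result)
```
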