[Snort-sigs] Skype Exercise
wkitty42 at ...3507...
Thu May 16 20:33:11 EDT 2013
On 5/16/2013 18:27, James Lay wrote:
> So this is more of an exercise...:
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY
> Leaked link via Skype pingback"; flow:to_server,established;
> content:"HEAD"; http_method; content:"User-Agent|3A| -"; http_header;
> content:"Referer|3A| -"; http_header;
> classtype:bad-unknown; sid:10000061; rev:1)
> From the FD post:
> They have referrer and user agent set to a dash "-".
> Not that I'll actually run this, but just thoughts on if there would be
> a better way to write this up. Thanks all.
a lot of anonymizing "services" use dashes for those two fields, too...
"services" like norton's proxy filtering stuff and others of similar nature...
at least, they used to... i don't see them in my http logs so much any more,
though... not like i used to see them...
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
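Added example, not part of the original thread: a simplified Python model (not Snort itself) of the quoted rule, comparing its substring content matches with a stricter check that both header values are exactly "-". The sample requests, host name and function names are constructed for illustration.

```python
# Added example: a simplified model of the posted rule, not Snort itself.
# All requests below are constructed samples, not captured traffic.

def _req(method, user_agent, referer):
    return (f"{method} /shared/link HTTP/1.1\r\nHost: www.example.test\r\n"
            f"User-Agent: {user_agent}\r\nReferer: {referer}\r\n\r\n").encode("latin-1")

SAMPLES = {
    "head_both_dash": _req("HEAD", "-", "-"),
    "get_both_dash": _req("GET", "-", "-"),
    "head_dash_prefixed_ua": _req("HEAD", "-scanner/1.0", "-"),
    "head_browser": _req("HEAD", "Mozilla/5.0", "http://www.example.test/"),
}

def parse(raw):
    """Return (method, raw header block, {lowercased header name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, _, header_block = head.partition("\r\n")
    header_block += "\r\n"
    fields = {}
    for line in header_block.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip().lower()] = value.strip()
    return request_line.split(" ", 1)[0], header_block, fields

def matches_as_posted(raw):
    """Substring semantics, like content:"User-Agent|3A| -"; http_header;"""
    method, block, _ = parse(raw)
    return method == "HEAD" and "User-Agent: -" in block and "Referer: -" in block

def matches_exact_dash(raw):
    """Stricter variant: both header values must be exactly "-"."""
    method, _, fields = parse(raw)
    return (method == "HEAD" and fields.get("user-agent") == "-"
            and fields.get("referer") == "-")

def compare():
    """Map each sample name to (as-posted result, exact-dash result)."""
    return {name: (matches_as_posted(raw), matches_exact_dash(raw))
            for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, (posted, exact) in compare().items():
        print(f"{name:24} as_posted={posted!s:5} exact={exact}")
```

Neither version can tell which client sent `head_both_dash`; per the reply above, proxy filtering services have also sent dashes in both fields.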