[Snort-sigs] Noction IRP Probe sig

James Lay jlay at ...3266...
Wed Dec 14 10:20:55 EST 2016


Been seeing these for months. They hit on data on the SYN packet; figured
I'd sig it up:

alert tcp $EXTERNAL_NET any -> $HOME_NET 33434 (msg:"INFO Noction IRP Probe"; flow:stateless; flags:SP; content:"|4E4F4354494F4E20495250|"; classtype:bad-unknown; reference:url,www.noction.com/faq; sid:10000242; rev:1;)

James
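
An offline check of what the rule above tests, added here as an example and not part of the original post: it applies the rule's destination port, exact flags:SP match and content bytes to raw TCP segments. The function names and the sample segments are constructed for illustration; $EXTERNAL_NET and $HOME_NET are not modelled.

```python
import struct

# Values taken from the rule in the post.
RULE_DPORT = 33434
RULE_CONTENT = bytes.fromhex("4E4F4354494F4E20495250")  # decodes to ASCII "NOCTION IRP"
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
RULE_FLAGS = SYN | PSH  # flags:SP with no modifier or mask: exactly these bits


def build_segment(dport, flags, payload=b"", sport=40000):
    """Constructed TCP segment: 20-byte header, checksum left at 0."""
    offset_flags = (5 << 12) | flags  # data offset of 5 words, then flag bits
    header = struct.pack("!HHIIHHHH", sport, dport, 1, 0, offset_flags, 65535, 0, 0)
    return header + payload


def rule_matches(segment):
    """Apply the rule's port, flags and content tests to a raw TCP segment."""
    if len(segment) < 20:
        return False
    _sport, dport, _seq, _ack, offset_flags = struct.unpack("!HHIIH", segment[:14])
    header_len = (offset_flags >> 12) * 4
    if header_len < 20 or header_len > len(segment):
        return False
    flags = offset_flags & 0xFF
    return (dport == RULE_DPORT and flags == RULE_FLAGS
            and RULE_CONTENT in segment[header_len:])


# Constructed samples (not captured traffic); payload text after the marker is made up.
SAMPLES = {
    "syn_psh_marker": build_segment(33434, SYN | PSH, b"NOCTION IRP constructed-sample"),
    "syn_only_marker": build_segment(33434, SYN, b"NOCTION IRP constructed-sample"),
    "syn_psh_ece_marker": build_segment(33434, SYN | PSH | ECE, b"NOCTION IRP"),
    "other_port": build_segment(33435, SYN | PSH, b"NOCTION IRP"),
    "lowercase_marker": build_segment(33434, SYN | PSH, b"noction irp"),
}


def evaluate_samples():
    return {name: rule_matches(seg) for name, seg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:20} {'alert' if hit else 'no alert'}")
```

Only the SYN+PSH segment carrying the uppercase marker to port 33434 alerts; a SYN with data but without PSH, or with an extra ECE bit, does not, because the flags test is an exact match.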



