<div dir="ltr">This won't work on snort unless 443 is configured as an http port in your http_inspect config, which it generally is not. No biggie though, we can drop http_header for snort....<div><br></div><div>Regards,</div>
<div><br></div><div>Will</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Apr 26, 2013 at 2:35 PM, James Lay <span dir="ltr"><<a href="mailto:jlay@...3266..." target="_blank">jlay@...3320...266...</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">And another (slow day)<br>
<br>
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"INDICATOR-COMPROMISED TROJ_NAIKON.A User-Agent"; flow:to_server,established; content:"User-Agent|3A| NOKIAN95|2f|WEB"; http_header; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,<a href="http://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/" target="_blank">http://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/</a>; classtype:trojan-activity; sid:10000050; rev:1;)<br>

<br>
I'm thinking file_data isn't needed as we're just looking at headers?<br>
<br>
James<br>
_______________________________________________<br>
Emerging-sigs mailing list<br>
<a href="mailto:Emerging-sigs@...3694..." target="_blank">Emerging-sigs@...2570...emergingthreats.net</a><br>
<a href="https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs" target="_blank">https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs</a><br>
<br>
Support Emerging Threats! Subscribe to Emerging Threats Pro <a href="http://www.emergingthreatspro.com" target="_blank">http://www.emergingthreatspro.com</a><br>
The ONLY place to get complete premium rulesets for all versions of Suricata and Snort 2.4.0 through Current!<br>
</blockquote></div><br></div>
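<div>Added example, not from either poster or from the Emerging Threats project: a small Python lint that catches the pitfall discussed above, an http_* content modifier on a destination port that http_inspect is not configured to normalise. The inspected port set, the regexes and the trimmed copy of the thread's rule are constructed for this example; pass your own http_inspect_server ports in as the second argument.</div>

```python
import re

# Constructed for this example: ports http_inspect normalises. 443 is absent,
# as it usually is in a default http_inspect_server config, so rules with
# http_header on dst port 443 never see a header buffer and cannot match.
HTTP_INSPECT_PORTS = {80, 8080, 8180}

# Content modifiers that only work on buffers produced by http_inspect.
HTTP_MODIFIERS = ("http_header", "http_raw_header", "http_uri", "http_raw_uri",
                  "http_client_body", "http_cookie", "http_method",
                  "http_stat_code", "http_stat_msg")

# action proto src sport dir dst dport ( ...   -> capture the dst port field
HEADER_RE = re.compile(r"^\s*\w+\s+tcp\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+(\S+)\s*\(")

# Trimmed copy of the rule posted in the thread (metadata/reference dropped).
NAIKON_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET 443 '
               '(msg:"INDICATOR-COMPROMISED TROJ_NAIKON.A User-Agent"; '
               'flow:to_server,established; content:"User-Agent|3A| NOKIAN95|2f|WEB"; '
               'http_header; fast_pattern:only; classtype:trojan-activity; '
               'sid:10000050; rev:1;)')


def dst_ports(rule):
    """Numeric destination ports of a rule as a set, or None when the field is
    'any', a $VARIABLE or a range, which this lint does not try to resolve."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a tcp rule header")
    field = m.group(1)
    if field == "any" or field.startswith("$") or ":" in field:
        return None
    return {int(p) for p in re.findall(r"\d+", field)}  # handles 443 or [80,443]


def http_modifiers(rule):
    """The http_* content modifiers used in the rule's option body."""
    body = rule[rule.index("(") + 1:]
    return [mod for mod in HTTP_MODIFIERS if re.search(rf"\b{mod}\s*;", body)]


def check_rule(rule, inspected=HTTP_INSPECT_PORTS):
    """Return one problem string per (modifier, uninspected port) pair;
    an empty list means the rule's http_* buffers will actually be filled."""
    ports, mods = dst_ports(rule), http_modifiers(rule)
    if not mods or ports is None:
        return []
    missing = sorted(ports - inspected)
    return [f"{mod} needs http_inspect on port {p}" for mod in mods for p in missing]


if __name__ == "__main__":
    print(check_rule(NAIKON_RULE))                                 # flags port 443
    print(check_rule(NAIKON_RULE.replace(" http_header;", "")))    # Will's fix: []
```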