[Snort-users] Question on SID 18358

Lay, James james.lay at ...15009...
Thu Apr 7 12:42:21 EDT 2011

So....does this rule:


blacklist.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLACKLIST USER-AGENT known malicious user-agent string
NSIS_INETLOAD"; flow:to_server,established; content:"User-Agent|3A|
NSIS_INETLOAD"; nocase; http_header; metadata:impact_flag red, service
http; reference:url,labs.snort.org/docs/18358.html;
classtype:trojan-activity; sid:18358; rev:2;)


apply to this link:




User agent was NSIS_INETLOAD.
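
A simplified model of what the `content`, `nocase` and `http_header` options in SID 18358 check, added here as an example and not part of the original post. The helper names and sample requests are constructed, and Snort's real http_header normalization, flow state and port variables are not modeled.

```python
# Content option copied from SID 18358 as quoted in the post.
RULE_CONTENT = "User-Agent|3A| NSIS_INETLOAD"


def decode_content(pattern: str) -> bytes:
    """Expand Snort |hex| escapes (e.g. |3A| -> ':') into raw bytes."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2:  # odd segments sit between pipes: space-separated hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def header_buffer(request: bytes) -> bytes:
    """Assumed stand-in for http_header: header lines only, no request line or body."""
    head, _, _ = request.partition(b"\r\n\r\n")
    _, _, headers = head.partition(b"\r\n")
    return headers


def rule_matches(request: bytes) -> bool:
    """content + nocase + http_header: case-insensitive substring search in the headers."""
    return decode_content(RULE_CONTENT).lower() in header_buffer(request).lower()


# Constructed sample requests (hypothetical host and paths).
EXACT = b"GET /file.exe HTTP/1.1\r\nHost: example.test\r\nUser-Agent: NSIS_INETLOAD\r\n\r\n"
LOWER = b"GET /file.exe HTTP/1.1\r\nhost: example.test\r\nuser-agent: nsis_inetload\r\n\r\n"
SUFFIX = b"GET / HTTP/1.1\r\nUser-Agent: NSIS_INETLOAD/1.0\r\nHost: example.test\r\n\r\n"
BODY_ONLY = (b"POST /log HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n"
             b"Content-Length: 25\r\n\r\nUser-Agent: NSIS_INETLOAD")

if __name__ == "__main__":
    for name, req in [("exact", EXACT), ("lowercase", LOWER),
                      ("suffix", SUFFIX), ("body only", BODY_ONLY)]:
        print(f"{name:10s} -> {'alert' if rule_matches(req) else 'no alert'}")
```

Because the content has no terminator, any User-Agent value that begins with `NSIS_INETLOAD` matches, while the same string appearing only in a request body does not.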




