[Snort-users] Question on SID 18358

Lay, James james.lay at ...15009...
Thu Apr 7 12:42:21 EDT 2011


So... does this rule:

blacklist.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST USER-AGENT known malicious user-agent string NSIS_INETLOAD"; flow:to_server,established; content:"User-Agent|3A| NSIS_INETLOAD"; nocase; http_header; metadata:impact_flag red, service http; reference:url,labs.snort.org/docs/18358.html; classtype:trojan-activity; sid:18358; rev:2;)

apply to this link:

http://installerstats.yahoo.com/appusage.asp

User agent was NSIS_INETLOAD.

Thanks

James
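To make the rule's matching logic concrete, the following is an added Python example, not code from the post or from the Snort project. It applies the conditions of SID 18358 as written (flow:to_server, $HTTP_PORTS, content with nocase and http_header) to a constructed request for the URL in the post. It assumes a typical $HTTP_PORTS set, that installerstats.yahoo.com falls within $EXTERNAL_NET, and approximates the http_header buffer as the header block after the request line; the sample request is constructed, not a real capture.

```python
"""Simulate the matching logic of Snort SID 18358 against a constructed request."""
from typing import Optional

# Assumption: a typical $HTTP_PORTS value; real deployments set this in snort.conf.
HTTP_PORTS = {80, 8080, 8000, 8008, 8888}

# The content modifier from the rule as posted; |3A| is the hex escape for ':'.
RULE_CONTENT = "User-Agent|3A| NSIS_INETLOAD"

# Constructed sample request modelled on the link in the post (not a real capture).
CONSTRUCTED_REQUEST = (
    b"GET /appusage.asp HTTP/1.1\r\n"
    b"Host: installerstats.yahoo.com\r\n"
    b"User-Agent: NSIS_INETLOAD\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

# Constructed request where the string appears only in the body, never in a header.
BODY_ONLY_REQUEST = (
    b"POST /appusage.asp HTTP/1.1\r\n"
    b"Host: installerstats.yahoo.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"User-Agent: NSIS_INETLOAD\r\n"
)


def decode_snort_content(pattern: str) -> bytes:
    """Decode a Snort content string into raw bytes.

    Text outside pipes is literal; text between pipes is hex, e.g. "|0D 0A|"
    becomes b"\\r\\n". Pipes must come in pairs.
    """
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content string")
    out = bytearray()
    for i, part in enumerate(parts):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def http_header_buffer(request: bytes) -> bytes:
    """Approximate the http_header buffer: the header block between the request
    line and the blank line. The body is excluded, so a pattern that appears
    only in the body must not satisfy a content match with http_header."""
    head, _, _body = request.partition(b"\r\n\r\n")
    _request_line, _, headers = head.partition(b"\r\n")
    return headers


def matching_header_line(request: bytes) -> Optional[bytes]:
    """Return the header line containing the rule's content (nocase), or None."""
    needle = decode_snort_content(RULE_CONTENT).lower()
    for line in http_header_buffer(request).split(b"\r\n"):
        if needle in line.lower():
            return line
    return None


def rule_18358_matches(request: bytes, dst_port: int, to_server: bool = True) -> bool:
    """Apply the rule's flow and port conditions, then the content match.

    flow:to_server,established      -> only client-to-server traffic is examined
    $EXTERNAL_NET $HTTP_PORTS       -> destination port must be an HTTP port
                                       (destination address assumed external)
    content; nocase; http_header    -> case-insensitive search of the header buffer
    The rule carries no Host or URI condition, so the destination site does not
    matter; only the User-Agent header decides.
    """
    if not to_server:
        return False
    if dst_port not in HTTP_PORTS:
        return False
    return matching_header_line(request) is not None


if __name__ == "__main__":
    print("alert:", rule_18358_matches(CONSTRUCTED_REQUEST, 80))
    print("matched on:", matching_header_line(CONSTRUCTED_REQUEST))
    print("body-only alert:", rule_18358_matches(BODY_ONLY_REQUEST, 80))
```

Because the rule has no uricontent or Host condition, any established client-to-server request on an HTTP port whose header block carries that User-Agent string, in any letter case, fires it regardless of the destination site; the body-only request shows what the http_header modifier restricts.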
