[Snort-users] Question on SID 18358

Matt Olney molney at ...1935...
Fri Apr 8 10:37:58 EDT 2011


The user agent applies to the client request and is not associated with a
particular URL.  If the application requesting the URL declares itself as
"User-Agent: NSIS_INETLOAD", then this rule will fire.

Matt

On Thu, Apr 7, 2011 at 12:42 PM, Lay, James <james.lay at ...15009...> wrote:

> So... does this rule:
>
> blacklist.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"BLACKLIST USER-AGENT known malicious user-agent string NSIS_INETLOAD";
> flow:to_server,established; content:"User-Agent|3A| NSIS_INETLOAD"; nocase;
> http_header; metadata:impact_flag red, service http; reference:url,
> labs.snort.org/docs/18358.html; classtype:trojan-activity; sid:18358;
> rev:2;)
>
> apply to this link:
>
> http://installerstats.yahoo.com/appusage.asp
>
> User agent was NSIS_INETLOAD.
>
> Danke
>
> James
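The point of Matt's answer, that the rule's content match is evaluated against the request headers and never against the URL, can be made concrete with a small model of the rule's matching logic. The following is an added example written for this thread; it is not Snort code and not anything from the list, and it simplifies Snort's actual HTTP inspection (no header normalisation, no flow tracking). The three sample requests are constructed, not captured traffic; the decoder for Snort's `|3A|` hex escape and the `sid_18358_fires` helper are this example's own.

```python
from dataclasses import dataclass

# content pattern from SID 18358 as quoted in the thread; |3A| is Snort's
# hex-byte escape for ':'
RULE_CONTENT = "User-Agent|3A| NSIS_INETLOAD"
RULE_NOCASE = True


def snort_content_to_bytes(pattern: str) -> bytes:
    """Decode a Snort 'content' string: text outside |...| is literal,
    text inside the pipes is a run of space-separated hex bytes."""
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content pattern")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("latin-1")                   # literal text
        else:
            out += bytes(int(h, 16) for h in part.split())  # hex run
    return bytes(out)


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: bytes  # header block only: the buffer that 'http_header' selects


def parse_request(raw: bytes) -> HttpRequest:
    """Minimal split of a raw HTTP/1.x request into request line and headers."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    method, uri, _version = request_line.decode("latin-1").split(" ", 2)
    return HttpRequest(method, uri, header_block)


def sid_18358_fires(raw_request: bytes) -> bool:
    """Replicate the rule's content/nocase/http_header test: look for the
    decoded pattern in the header block only. The request URI is never
    consulted, which is why the rule is not tied to any particular link."""
    req = parse_request(raw_request)
    needle = snort_content_to_bytes(RULE_CONTENT)
    haystack = req.headers
    if RULE_NOCASE:
        needle, haystack = needle.lower(), haystack.lower()
    return needle in haystack


# constructed sample requests (hypothetical, not captured traffic)
REQ_YAHOO = (b"GET /appusage.asp HTTP/1.1\r\n"
             b"Host: installerstats.yahoo.com\r\n"
             b"User-Agent: NSIS_INETLOAD\r\n\r\n")
REQ_OTHER_HOST = (b"GET /update/check HTTP/1.1\r\n"
                  b"Host: example.invalid\r\n"
                  b"user-agent: nsis_inetload\r\n\r\n")  # same UA, other case, other URL
REQ_URI_ONLY = (b"GET /NSIS_INETLOAD HTTP/1.1\r\n"
                b"Host: example.invalid\r\n"
                b"User-Agent: Mozilla/5.0\r\n\r\n")      # string in the URI, not in headers

if __name__ == "__main__":
    for name, req in (("yahoo link", REQ_YAHOO),
                      ("other host", REQ_OTHER_HOST),
                      ("UA string only in URI", REQ_URI_ONLY)):
        print(f"{name}: {'ALERT' if sid_18358_fires(req) else 'no alert'}")
```

Run as a script, the first two requests alert and the third does not: the same user-agent sent to a completely different host still matches, while the same string placed in the path is ignored, because `http_header` restricts the search to the header block. In a real deployment the `flow:to_server,established` option additionally limits the check to client-to-server traffic on an established TCP session, which this model does not reproduce.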