The user agent applies to the client request and is not associated with a particular URL. If the application requesting the URL declares itself as "User-Agent: NSIS_INETLOAD", then this rule will fire.<div><br></div><div>
Matt<br><br><div class="gmail_quote">On Thu, Apr 7, 2011 at 12:42 PM, Lay, James <span dir="ltr"><<a href="mailto:james.lay@...15009...">james.lay@...15009...</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal">So….does this rule:</p><p class="MsoNormal"> </p><p class="MsoNormal">blacklist.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST USER-AGENT known malicious user-agent string NSIS_INETLOAD"; flow:to_server,established; content:"User-Agent|3A| NSIS_INETLOAD"; nocase; http_header; metadata:impact_flag red, service http; reference:url,<a href="http://labs.snort.org/docs/18358.html" target="_blank">labs.snort.org/docs/18358.html</a>; classtype:trojan-activity; sid:18358; rev:2;)</p>
<p class="MsoNormal"> </p><p class="MsoNormal">apply to this link:</p><p class="MsoNormal"> </p><p class="MsoNormal"><a href="http://installerstats.yahoo.com/appusage.asp" target="_blank">http://installerstats.yahoo.com/appusage.asp</a></p>
<p class="MsoNormal"> </p><p class="MsoNormal">User agent was NSIS_INETLOAD.</p><p class="MsoNormal"> </p><p class="MsoNormal">Thanks</p><p class="MsoNormal"> </p><font color="#888888"><p class="MsoNormal">James</p></font></div>
</div></blockquote></div><br></div>
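The point made in the reply above, as an added example that is not part of the original thread and not Snort's own code: a simplified Python model of the `content` / `nocase` / `http_header` options of sid:18358, run over constructed requests. It does not model `flow`, ports or Snort's header normalization; the helper names and sample requests are assumptions.

```python
# Content option copied from sid:18358 as quoted on this page.
RULE_CONTENT = "User-Agent|3A| NSIS_INETLOAD"


def decode_content(pattern: str) -> bytes:
    """Turn a Snort content string into bytes; |..| sections are hex bytes."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2:  # odd segments sit between pipes
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def header_buffer(request: bytes) -> bytes:
    """Approximate http_header: header lines only, no request line, no body."""
    head = request.split(b"\r\n\r\n", 1)[0]
    _request_line, _, headers = head.partition(b"\r\n")
    return headers


def rule_matches(request: bytes, content: str = RULE_CONTENT) -> bool:
    """content + nocase + http_header: case-insensitive search in the headers."""
    return decode_content(content).lower() in header_buffer(request).lower()


def build_request(host: str, path: str, user_agent: str) -> bytes:
    """Build a minimal HTTP/1.1 GET request (constructed test data)."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"User-Agent: {user_agent}\r\nAccept: */*\r\n\r\n").encode("latin-1")


# Constructed sample requests: same URL with two clients, plus another URL.
SAMPLES = {
    "installer, URL from the thread": build_request(
        "installerstats.yahoo.com", "/appusage.asp", "NSIS_INETLOAD"),
    "browser, URL from the thread": build_request(
        "installerstats.yahoo.com", "/appusage.asp", "Mozilla/5.0"),
    "installer, unrelated URL": build_request(
        "example.com", "/", "nsis_inetload"),
}


def evaluate(samples=SAMPLES) -> dict:
    """Return {label: True/False} for whether the modelled rule would alert."""
    return {label: rule_matches(req) for label, req in samples.items()}


if __name__ == "__main__":
    for label, fired in evaluate().items():
        print(f"{'ALERT' if fired else 'no alert':8}  {label}")
```

The same URL alerts or not depending only on the client's User-Agent header, and the lowercase variant still matches because of `nocase`.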