Snort Rules: Ep.7 – Lokibot Infection Traffic
retornet (Bronze III), 21 days ago
I need help with the last question, please. I tried so many rules and I am still getting it wrong.
13. Create a Snort rule to detect this User-Agent string in the HTTP header for connections using port 49167, then submit the token.
I tried this one, which to me should work:
alert tcp any any -> any 49167 (msg:"User-Agent match"; content:"Mozilla/4.08 (Charon; Inferno)"; sid:5000031;)
alert tcp any any -> any 49167 (msg:"User-Agent Mozilla/4.08 (Charon; Inferno) detected"; content:"User-Agent: Mozilla/4.08 (Charon; Inferno)"; http_header; sid:5000020;)
The port number should be the source instead of the destination.
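To see why the direction matters, here is an added illustration that is not part of the thread: a toy rule matcher run over a constructed two-packet HTTP exchange. Port 49167 is the infected client's ephemeral port, so it appears as the source port of the request that carries the User-Agent and as the destination port only of the server's reply, which has no User-Agent. The packet model, the `Rule` subset, the rendered rule text (including the `\;` escaping inside `content`, which the Snort 2 manual requires for `;`, `\` and `"`), the host name and the sid are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List

# User-Agent string from the exercise.
USER_AGENT = b"Mozilla/4.08 (Charon; Inferno)"


@dataclass
class Packet:
    """Simplified TCP segment: only the fields the rule header looks at."""
    src_port: int
    dst_port: int
    payload: bytes


@dataclass
class Rule:
    """Subset of a Snort rule: header ports plus one content match."""
    msg: str
    src_port: str              # "any" or a port number as a string
    dst_port: str
    content: bytes
    http_header: bool = True   # restrict the match to the HTTP header block
    sid: int = 1000001         # assumed sid for the example


def port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def header_block(payload: bytes) -> bytes:
    """Return the HTTP header block (everything before the blank line)."""
    head, _sep, _body = payload.partition(b"\r\n\r\n")
    return head


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Header ports must match, then the content must appear in the chosen buffer."""
    if not (port_matches(rule.src_port, pkt.src_port)
            and port_matches(rule.dst_port, pkt.dst_port)):
        return False
    haystack = header_block(pkt.payload) if rule.http_header else pkt.payload
    return rule.content in haystack


def to_snort(rule: Rule) -> str:
    """Render the rule in Snort 2 syntax; ';' inside content is escaped as the manual requires."""
    content = rule.content.decode().replace(";", "\\;")
    opts = [f'msg:"{rule.msg}"', f'content:"{content}"']
    if rule.http_header:
        opts.append("http_header")
    opts += [f"sid:{rule.sid}", "rev:1"]
    return (f"alert tcp any {rule.src_port} -> any {rule.dst_port} "
            f"({'; '.join(opts)};)")


# Constructed sample flow (not captured traffic): the infected host sends its
# beacon from ephemeral port 49167 to the C2 on port 80, and the server answers.
CLIENT_POST = Packet(
    src_port=49167, dst_port=80,
    payload=(b"POST / HTTP/1.0\r\n"
             b"User-Agent: " + USER_AGENT + b"\r\n"
             b"Host: c2.example.invalid\r\n"
             b"Content-Length: 4\r\n\r\n"
             b"data"),
)
SERVER_REPLY = Packet(
    src_port=80, dst_port=49167,
    payload=b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n",
)
FLOW = [CLIENT_POST, SERVER_REPLY]

# The two placements of the port discussed in the thread.
DST_RULE = Rule("UA on dst port 49167", "any", "49167", USER_AGENT)  # as posted
SRC_RULE = Rule("Lokibot User-Agent", "49167", "any", USER_AGENT)    # corrected


def alerts(rule: Rule, flow: List[Packet]) -> List[int]:
    """Indexes of the packets in flow that fire the rule."""
    return [i for i, p in enumerate(flow) if rule_matches(rule, p)]


if __name__ == "__main__":
    for r in (DST_RULE, SRC_RULE):
        print(f"{to_snort(r)}\n  -> fires on packets {alerts(r, FLOW)}")
```

The destination-port version only ever gets to inspect the server's reply, so it never sees the User-Agent; moving 49167 to the source side makes the rule fire on the client's request, which is the packet that actually carries the header.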