Snort Rules: Ep.7 – Lokibot Infection Traffic

Question

I need help with the last question please. I tried so many rules and I am still getting it wrong

13-Create a Snort rule to detect this User-Agent string in the HTTP header for connections using port 49167, then submit the token.

Tried this one which to me it should be able to work.
alert tcp any any -> any 49167 (msg:"User-Agent match"; content:"Mozilla/4.08 (Charon; Inferno)"; sid:5000031;)

alert tcp any any -> any 49167 (msg:"User-Agent Mozilla/4.08 (Charon; Inferno) detected"; content:"User-Agent: Mozilla/4.08 (Charon; Inferno)"; http_header; sid:5000020;)

retornet · Accepted Answer

the port number should be the source instead of dst&nbsp;

Forum Discussion

Snort Rules: Ep.7 – Lokibot Infection Traffic

2 Replies

Featured Places

Help & Support Forum

Related Content

Re: SuperSonic: Ep.6 – TEMPLE

Re: Threat Hunting Mining Behaviour - Question 1

Re: The Human Connection Challenge: Season 1 Episode 6 Is Now Live!

Re: Cross-Site Scripting: Ep.6 – Further Exploitation

Understanding CVE-2024-21412: A Zero-Day Exploit Targeting Windows Users

Recent Discussions

Advanced CTF Challenge: Hardened Maze

"You are not licensed to view this lab"

Serial Maze Support Group

Advanced CTF Challenge: Inner Maze

Unable to access Developer tools in the lab