Forum Discussion

retornet
21 days ago
Solved

Snort Rules: Ep.7 – Lokibot Infection Traffic

I need help with the last question, please. I tried so many rules and I am still getting it wrong.

13 - Create a Snort rule to detect this User-Agent string in the HTTP header for connections using port 49167, then submit the token.

Tried this one, which to me should work.
# Snort requires ';' inside a content string to be escaped (here as hex |3B|); the original rule had a bare semicolon
alert tcp any any -> any 49167 (msg:"User-Agent match"; content:"Mozilla/4.08 (Charon|3B| Inferno)"; sid:5000031;)

# Same rule restricted to the HTTP header buffer; the semicolon in the content string is again hex-escaped as |3B|
alert tcp any any -> any 49167 (msg:"User-Agent Mozilla/4.08 (Charon Inferno) detected"; content:"User-Agent: Mozilla/4.08 (Charon|3B| Inferno)"; http_header; sid:5000020;)

2 Replies
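One thing that trips up rules like the ones in this post is that Snort's rule parser treats `;`, `"`, `\` and `|` specially inside `content:"..."`, so a User-Agent string containing a semicolon has to be hex-escaped. The helper below (added here as an illustration, not Snort's own code or part of the room; `snort_content` and `build_rule` are hypothetical names) rewrites a string into Snort's pipe-delimited hex notation and assembles a rule from it.

```python
# Added example: escape a User-Agent string for a Snort content match.
# Snort's rule language requires ';', '"', '\' and '|' to be escaped inside
# content:"..."; the usual form is a |XX XX| hex group. Non-printable and
# non-ASCII bytes are hex-escaped as well.

SPECIAL = frozenset(b';"\\|')


def snort_content(text: str) -> str:
    """Return `text` rewritten so it is safe inside a Snort content option.

    Runs of bytes that need escaping are emitted as one |XX XX ...| group;
    everything else is passed through unchanged.
    """
    out, hexbuf = [], []

    def flush():
        if hexbuf:
            out.append("|" + " ".join(hexbuf) + "|")
            hexbuf.clear()

    for b in text.encode("utf-8"):
        if b in SPECIAL or b < 0x20 or b > 0x7E:
            hexbuf.append(f"{b:02X}")
        else:
            flush()
            out.append(chr(b))
    flush()
    return "".join(out)


def build_rule(msg: str, user_agent: str, sid: int,
               src_port: str = "any", dst_port: str = "any") -> str:
    """Assemble an alert rule matching `user_agent` in the HTTP header.

    Assumption: `msg` contains none of the special characters above, since
    the msg option does not support hex notation.
    """
    ua = snort_content("User-Agent: " + user_agent)
    return (f'alert tcp any {src_port} -> any {dst_port} '
            f'(msg:"{msg}"; content:"{ua}"; http_header; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    # Constructed input: the User-Agent string quoted in the post above.
    print(build_rule("Lokibot UA", "Mozilla/4.08 (Charon; Inferno)", 5000031,
                     dst_port="49167"))
```

Swap `src_port` and `dst_port` in the call to try the other direction; the escaping is the same either way.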