Snort Rules: Ep.7 – Lokibot Infection Traffic

Question

I need help with the last question please. I tried so many rules and I am still getting it wrong

13-Create a Snort rule to detect this User-Agent string in the HTTP header for connections using port 49167, then submit the token.

Tried this one which to me it should be able to work.
alert tcp any any -> any 49167 (msg:"User-Agent match"; content:"Mozilla/4.08 (Charon; Inferno)"; sid:5000031;)

alert tcp any any -> any 49167 (msg:"User-Agent Mozilla/4.08 (Charon; Inferno) detected"; content:"User-Agent: Mozilla/4.08 (Charon; Inferno)"; http_header; sid:5000020;)

retornet · Accepted Answer

the port number should be the source instead of dst&nbsp;

Forum Discussion

Snort Rules: Ep.7 – Lokibot Infection Traffic

2 Replies

Featured Places

Help & Support Forum

Related Content

Re: SuperSonic: Ep.6 – TEMPLE

Re: Threat Hunting Mining Behaviour - Question 1

Re: The Human Connection Challenge: Season 1 Episode 6 Is Now Live!

Re: Cross-Site Scripting: Ep.6 – Further Exploitation

Understanding CVE-2024-21412: A Zero-Day Exploit Targeting Windows Users

Recent Discussions

Incident Response: P2 - stuck on Q11

Python: Expert Challenge 3

Haunted Hollow 2023: Haywire Host

CVE-2024-0012 and CVE-2024-9474 (Palo Alto PAN-OS) – Offensive Question

Kusto Query Language: Ep.9 – Parsing Complex Data Types.