List: emerging-sigs
Subject: [Emerging-Sigs] HTTP PUT to Akamai with rswin_3725.dll User-Agent
From: wkitty42 () windstream ! net (waldo kitty)
Date: 2010-07-28 18:51:15
Message-ID: 4C507C23.2030501 () windstream ! net
On 7/28/2010 13:48, Matt Jonkman wrote:
> How about:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
> Akamai Redswoosh CLIOnlineManager Connection Detected";
> flow:established,to_server; content:"PUT "; depth:4; nocase;
> content:"|0d 0a|User-Agent\:"; content:"rswin_3725.dll"; within:30;
> nocase; classtype:policy-violation; sid:62000013; rev:1;)
>
> Skip the pcre, and limit to PUTs. Any objections?
absolutely skip the pcre's whenever possible :)
looks ok to me, too... not that that really means a whole lot :P
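As an added illustration (not part of the thread), the following Python emulates the three content checks of the proposed rule, i.e. the "PUT " match limited to depth 4, the case-sensitive CRLF + "User-Agent:" match, and the rswin_3725.dll match that must lie within 30 bytes after it, and runs them over constructed HTTP requests. The flow and port conditions of the rule are not emulated, and the sample requests are made up for the example.

```python
# Emulation of the content/depth/within/nocase logic of the proposed ET POLICY rule.
# Snort semantics assumed: a content without relative modifiers is searched over the
# whole payload; "within:N" restricts the next content to the N bytes after the end
# of the previous match; Snort retries later occurrences of the previous match.

USER_AGENT_HDR = b"\r\nUser-Agent:"   # content:"|0d 0a|User-Agent\:" (case-sensitive)
DLL_NAME = b"rswin_3725.dll"          # content:"rswin_3725.dll"; within:30; nocase;


def match_rule(payload: bytes) -> bool:
    """Return True when the request payload satisfies all three content checks."""
    # content:"PUT "; depth:4; nocase;  -> only the first 4 bytes are inspected
    if payload[:4].lower() != b"put ":
        return False

    # Second content has no relative modifier, so search the whole payload and
    # retry each occurrence, as Snort does, until the third content fits.
    start = 0
    while True:
        idx = payload.find(USER_AGENT_HDR, start)
        if idx < 0:
            return False
        prev_end = idx + len(USER_AGENT_HDR)
        window = payload[prev_end:prev_end + 30].lower()   # within:30; nocase;
        if DLL_NAME in window:
            return True
        start = idx + 1


# Constructed sample requests (not real captures).
SAMPLES = {
    # PUT with the user agent directly after the header name -> alert
    "put_redswoosh": b"PUT /up HTTP/1.1\r\nHost: example.invalid\r\n"
                     b"User-Agent: rswin_3725.dll\r\n\r\n",
    # same user agent on a GET -> no alert, the rule is limited to PUTs
    "get_redswoosh": b"GET /up HTTP/1.1\r\nUser-Agent: rswin_3725.dll\r\n\r\n",
    # nocase on both ends of the match -> alert
    "put_mixed_case": b"put /up HTTP/1.1\r\nUser-Agent: RSWIN_3725.DLL\r\n\r\n",
    # dll name appears more than 30 bytes after "User-Agent:" -> no alert
    "put_dll_too_far": b"PUT /up HTTP/1.1\r\nUser-Agent: Mozilla/5.0 "
                       b"(Windows NT 6.1; something) rswin_3725.dll\r\n\r\n",
}


def evaluate_samples() -> dict:
    """Run the emulated rule over every constructed sample."""
    return {name: match_rule(req) for name, req in SAMPLES.items()}
```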