
List:       emerging-sigs
Subject:    [Emerging-Sigs] HTTP PUT to Akamai with rswin_3725.dll User-Agent
From:       wkitty42 () windstream ! net (waldo kitty)
Date:       2010-07-28 18:51:15
Message-ID: 4C507C23.2030501 () windstream ! net

On 7/28/2010 13:48, Matt Jonkman wrote:
> How about:
>
> alert tcp $HOME_NET any ->  $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
> Akamai Redswoosh CLIOnlineManager Connection Detected";
> flow:established,to_server; content:"PUT "; depth:4; nocase;
> content:"|0d 0a|User-Agent\:"; content:"rswin_3725.dll"; within:30;
> nocase; classtype:policy-violation; sid:62000013; rev:1;)
>
> Skip the pcre, and limit to PUTs. Any objections?

absolutely skip the pcres whenever possible :)

looks ok to me, too... not that that really means a whole lot :P
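A small Python emulation of the content-match chain in the rule quoted above, to show what `depth:4` and `within:30` actually constrain and why the rule only fires on PUTs. This is an added example, not code from the list post; the sample requests are constructed here, and flow/port conditions are ignored.

```python
"""Emulate the content chain of the quoted rule:
   content:"PUT "; depth:4; nocase;
   content:"|0d 0a|User-Agent\:";
   content:"rswin_3725.dll"; within:30; nocase;
Constructed sample requests, not real captures."""

PUT_MATCH = (
    b"PUT /upload HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: rswin_3725.dll\r\n\r\n"
)
# Same User-Agent, but a GET: depth:4 on "PUT " keeps this quiet.
GET_SAME_UA = PUT_MATCH.replace(b"PUT ", b"GET ", 1)
# UA value pushed past the 30-byte window that within:30 allows.
PUT_UA_TOO_FAR = (
    b"PUT /upload HTTP/1.1\r\n"
    b"User-Agent: " + b" " * 30 + b"rswin_3725.dll\r\n\r\n"
)
PUT_OTHER_UA = PUT_MATCH.replace(b"rswin_3725.dll", b"curl/7.0")


def match_chain(payload: bytes) -> bool:
    """Return True when all three content matches succeed in order."""
    # depth:4 -> only the first 4 payload bytes are searched; nocase applies.
    if b"put " not in payload[:4].lower():
        return False
    # Second content has no nocase in the rule, so this find is case-sensitive.
    idx = payload.find(b"\r\nUser-Agent:")
    if idx < 0:
        return False
    # The detection pointer now sits just past the previous match.
    cursor = idx + len(b"\r\nUser-Agent:")
    # within:30 -> the third pattern must end within 30 bytes of the cursor.
    window = payload[cursor:cursor + 30].lower()
    return b"rswin_3725.dll" in window


if __name__ == "__main__":
    for name, req in [("PUT_MATCH", PUT_MATCH), ("GET_SAME_UA", GET_SAME_UA),
                      ("PUT_UA_TOO_FAR", PUT_UA_TOO_FAR),
                      ("PUT_OTHER_UA", PUT_OTHER_UA)]:
        print(f"{name:15} -> {match_chain(req)}")
```

Only the first and the all-lowercase variant of it trip the chain; moving the UA value more than 30 bytes past the header name defeats `within:30`, which is the trade-off of dropping the PCRE.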

