EmergingThreats> Main Web>2003179 (revision 2)EditAttach

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY exe download without User Agent"; flow:established,to_server; uricontent:".exe"; nocase; content:".exe"; depth:150; nocase; content:"GET "; nocase; depth:4; offset:0; content:!"User-Agent\:"; content:!"download.windowsupdate.com"; content:!"mms\://"; nocase; classtype:policy-violation; sid:2003179; rev:3;)

Added 2007-04-19 09:00:25 UTC

Added the get match to make sure this is in the first packet of the stream.

-- MattJonkman - 19 Apr 2007


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY exe download without User Agent"; flow:established,to_server; uricontent:".exe"; nocase; content:".exe"; depth:150; nocase; content:!"User-Agent\:"; content:!"download.windowsupdate.com"; content:!"mms\://"; nocase; classtype:policy-violation; sid:2003179; rev:2;)



Edit | Attach | Print version | History: r5 < r4 < r3 < r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions...
Topic revision: r2 - 2007-04-19 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats