[Emerging-Sigs] IP check sig

Francis Trudeau trudeauf at gmail.com
Wed Apr 15 13:58:47 HDT 2020


Ran into this in my travels:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check (ip.
jsontest .com)"; flow:to_server,established; urilen:1; content:"
ip.jsontest.com"; http_host; depth:15; isdataat:!1,relative; fast_pattern;
classtype:policy-violation; sid:30303; rev:1;)

Please don't holler at me.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20200415/41fd94c3/attachment.html>


More information about the Emerging-sigs mailing list