Suricata rule - VPNFilter User Agent
alert http any any -> any any (msg:"VPNFilter malware User-Agent"; content:"Mozilla/6.1 (compatible|3B| MSIE 9.0|3B| Windows NT 5.3|3B| Trident/5.0)"; http_user_agent; sid:2; rev:1;)

@klingerko klingerko commented Jun 1, 2018

escape semicolons inside contents

alert http any any -> any any (msg:"VPNFilter malware User-Agent"; content:"Mozilla/6.1 (compatible|3B| MSIE 9.0|3B| Windows NT 5.3|3B| Trident/5.0)"; http_user_agent; sid:2; rev:1;)

Owner Author

@Neo23x0 Neo23x0 commented Jun 7, 2018

Thanks
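
The escaping point raised in the first comment, as an added example that is not part of the gist or its comments: Suricata ends every rule option at a ";", so a literal semicolon inside a content string has to be written as |3B| (or \;). The Python helper names and the unescaped rule string below are constructed for illustration; the sketch flags raw semicolons in content options, rewrites them as |3B|, and decodes the result back to the bytes the rule matches.

```python
import re

# Matches content:"..." options; the quoted body may contain backslash escapes.
CONTENT_RE = re.compile(r'(content:\s*!?")((?:[^"\\]|\\.)*)(")')
RAW_SEMI = re.compile(r'(?<!\\);')  # a ';' that is not already written as '\;'

def _fix_body(body):
    # Splitting on '|' leaves literal text at even indexes, hex blocks at odd ones.
    parts = body.split('|')
    parts[0::2] = [RAW_SEMI.sub('|3B|', p) for p in parts[0::2]]
    return '|'.join(parts)

def raw_semicolon_contents(rule):
    """Return the content strings that still hold an unescaped ';'."""
    return [m.group(2) for m in CONTENT_RE.finditer(rule)
            if _fix_body(m.group(2)) != m.group(2)]

def escape_semicolons(rule):
    """Rewrite every unescaped ';' inside content strings as |3B|."""
    return CONTENT_RE.sub(
        lambda m: m.group(1) + _fix_body(m.group(2)) + m.group(3), rule)

def content_bytes(body):
    """Decode a content string (literal text plus |hex| blocks) to raw bytes."""
    out = b''
    for i, part in enumerate(body.split('|')):
        if i % 2:
            out += bytes.fromhex(part)  # hex block such as "3B" or "0D 0A"
        else:
            out += re.sub(r'\\(.)', r'\1', part).encode('latin-1')
    return out

# Constructed input: the gist's rule written with literal semicolons.
UNESCAPED = ('alert http any any -> any any (msg:"VPNFilter malware User-Agent"; '
             'content:"Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; '
             'Trident/5.0)"; http_user_agent; sid:2; rev:1;)')
FIXED = escape_semicolons(UNESCAPED)

if __name__ == '__main__':
    print(raw_semicolon_contents(UNESCAPED))
    print(FIXED)
    print(content_bytes(CONTENT_RE.search(FIXED).group(2)))
```

Running the rewritten rule through suricata -T remains the authoritative syntax check; this sketch only covers the semicolon case discussed here.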
