Neo23x0/vpnfilter-ua.rule

Last active May 19, 2019 03:14

Star 1 You must be signed in to star a gist
Fork 1 You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/Neo23x0/00bc2b883c530f7a12b055549e9076ff.js"></script>
Save Neo23x0/00bc2b883c530f7a12b055549e9076ff to your computer and use it in GitHub Desktop.

Download ZIP

Suricata rule - VPNFilter User Agent

Raw

vpnfilter-ua.rule

alert http any any -> any any (msg:"VPNFilter malware User-Agent"; content:"Mozilla/6.1 (compatible|3B| MSIE 9.0|3B| Windows NT 5.3|3B| Trident/5.0)"; http_user_agent; sid:2; rev:1;)

klingerko commented Jun 1, 2018 •

edited

escape semicolons inside contents

alert http any any -> any any (msg:"VPNFilter malware User-Agent"; content:"Mozilla/6.1 (compatible|3B| MSIE 9.0|3B| Windows NT 5.3|3B| Trident/5.0)"; http_user_agent; sid:2; rev:1;)

Author

Neo23x0 commented Jun 7, 2018

Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment