alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"Microsoft Internet Explorer"; depth:28; http_user_agent; content:!"bbc.co.uk|0d 0a|"; nocase; http_header; content:!"vmware.com|0d 0a|"; nocase; http_header; content:!"rc.itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.com|0d 0a|"; nocase; http_header; content:!"msn.es|0d 0a|"; nocase; http_header; content:!"live.com|0d 0a|"; nocase; http_header; content:!"gocyberlink.com|0d 0a|"; nocase; http_header; content:!"ultraedit.com|0d 0a|"; nocase; http_header; content:!"windowsupdate.com"; http_header; content:!"cyberlink.com"; http_header; content:!"lenovo.com"; http_header; content:!"itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.co.uk|0d 0a|"; http_header; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:34;)

Added 2017-03-20 19:16:54 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"Microsoft Internet Explorer"; depth:28; http_user_agent; content:!"bbc.co.uk|0d 0a|"; nocase; http_header; content:!"vmware.com|0d 0a|"; nocase; http_header; content:!"rc.itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.com|0d 0a|"; nocase; http_header; content:!"msn.es|0d 0a|"; nocase; http_header; content:!"live.com|0d 0a|"; nocase; http_header; content:!"gocyberlink.com|0d 0a|"; nocase; http_header; content:!"ultraedit.com|0d 0a|"; nocase; http_header; content:!"windowsupdate.com"; http_header; content:!"cyberlink.com"; http_header; content:!"lenovo.com"; http_header; content:!"itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.co.uk|0d 0a|"; http_header; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:34;)

Added 2017-03-16 22:26:32 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"Microsoft Internet Explorer"; depth:28; http_user_agent; content:!"bbc.co.uk|0d 0a|"; nocase; http_header; content:!"vmware.com|0d 0a|"; nocase; http_header; content:!"rc.itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.com|0d 0a|"; nocase; http_header; content:!"msn.es|0d 0a|"; nocase; http_header; content:!"live.com|0d 0a|"; nocase; http_header; content:!"gocyberlink.com|0d 0a|"; nocase; http_header; content:!"ultraedit.com|0d 0a|"; nocase; http_header; content:!"windowsupdate.com"; http_header; content:!"cyberlink.com"; http_header; content:!"lenovo.com"; http_header; content:!"itsupport247.net|0d 0a|"; nocase; http_header; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:33;)

Added 2017-01-04 17:01:20 UTC

We are getting FPs to msn.co.uk. It should also be added to the list as mentioned before.

-- BenoitSevens - 2017-03-16

This will be fixed today, thanks!

-- DarienH - 2017-03-16


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"Microsoft Internet Explorer"; depth:28; http_user_agent; content:!"bbc.co.uk|0d 0a|"; nocase; http_header; content:!"vmware.com|0d 0a|"; nocase; http_header; content:!"rc.itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.com|0d 0a|"; nocase; http_header; content:!"msn.es|0d 0a|"; nocase; http_header; content:!"live.com|0d 0a|"; nocase; http_header; content:!"gocyberlink.com|0d 0a|"; nocase; http_header; content:!"ultraedit.com|0d 0a|"; nocase; http_header; content:!"windowsupdate.com"; http_header; content:!"cyberlink.com"; http_header; content:!"lenovo.com"; http_header; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:32;)

Added 2015-12-04 17:45:19 UTC

This alert triggers often for various itsupport.net subdomains.

e.g. (1) dumps.itsupport247.net (2) xpwp.itsupport247.net (3) update.itsupport247.net (4) update1.itsupport247.net (5) wpmsupth.itsupport247.net

Suggest removing: content:!"rc.itsupport247.net|0d 0a|" and replacing with: content:!"itsupport247.net|0d 0a|"

I figure other folks may have the same issue and also could be other subdomains for itsupport247.net that I'm not seeing yet.

-- AmandaDeason - 2016-12-06

Hello. We are also observing a huge number of FPs for that rule. A lot of our clients are using software developed by Continuum Managed Services. Short information about the company: Continuum is the IT management platform company that allows Managed IT Services Providers (MSPs) to maintain and back up on-premise and cloud-based servers, desktops, mobile devices and other endpoints for their small- and medium-sized business clients. We are a channel-exclusive provider of managed IT services, which means we succeed when our partners do. Our growth is YOUR growth.

They have several products (for support and management). This software often connects to different *.itsupport247.net remote resources.

Dear ET, please consider a rule modification. Please look at Amanda Deason's suggestion above: content:!"itsupport247.net|0d 0a|";nocase; http_header;

-- MaksymParpaley - 2017-01-04

Thanks for the feedback, we'll get this fixed today!

-- DarienH - 2017-01-04
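
The false-positive reports on this page (the *.itsupport247.net subdomains and msn.co.uk) can be replayed against the exclusion lists of rev 32, 33 and 34. The following is an added example, not part of the original page or of the ET ruleset tooling: it treats each negated content as a plain byte search over the request headers, which is a simplified model of the engine's http_header buffer. The function names, the Accept header and the host unlisted.example are constructed for illustration.

```python
import re

UA_PATTERN = b"Microsoft Internet Explorer"
UA_DEPTH = 28          # depth:28 on the http_user_agent match in rev 30+
UA = b"Microsoft Internet Explorer"

# Negated-content clauses copied from the page's rev 32 rule text.
REV32 = (
    'content:!"bbc.co.uk|0d 0a|"; nocase; http_header; '
    'content:!"vmware.com|0d 0a|"; nocase; http_header; '
    'content:!"rc.itsupport247.net|0d 0a|"; nocase; http_header; '
    'content:!"msn.com|0d 0a|"; nocase; http_header; '
    'content:!"msn.es|0d 0a|"; nocase; http_header; '
    'content:!"live.com|0d 0a|"; nocase; http_header; '
    'content:!"gocyberlink.com|0d 0a|"; nocase; http_header; '
    'content:!"ultraedit.com|0d 0a|"; nocase; http_header; '
    'content:!"windowsupdate.com"; http_header; '
    'content:!"cyberlink.com"; http_header; '
    'content:!"lenovo.com"; http_header;'
)
# rev 33 and rev 34 each append one clause, as shown on the page.
REV33 = REV32 + ' content:!"itsupport247.net|0d 0a|"; nocase; http_header;'
REV34 = REV33 + ' content:!"msn.co.uk|0d 0a|"; http_header;'
REVISIONS = [(32, REV32), (33, REV33), (34, REV34)]

CLAUSE = re.compile(r'content:!"([^"]*)";(\s*nocase;)?\s*http_header;')


def decode_content(text):
    """Convert rule content syntax to bytes, expanding |hex| runs."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        # Odd-numbered segments sit between pipes and hold hex bytes.
        out += bytes.fromhex(part) if i % 2 else part.encode("ascii")
    return bytes(out)


def exclusions(rule_text):
    """Return (pattern_bytes, nocase) for every negated http_header content."""
    return [(decode_content(m.group(1)), bool(m.group(2)))
            for m in CLAUSE.finditer(rule_text)]


def alerts(rule_text, host, user_agent=UA):
    """Model: fire when the UA matches within depth and no exclusion is found."""
    if UA_PATTERN not in user_agent[:UA_DEPTH]:
        return False
    # Constructed request headers; only Host and User-Agent matter here.
    headers = (b"Host: " + host.encode("ascii") + b"\r\n"
               b"User-Agent: " + user_agent + b"\r\n"
               b"Accept: */*\r\n")
    for pattern, nocase in exclusions(rule_text):
        hay, needle = headers, pattern
        if nocase:
            hay, needle = headers.lower(), pattern.lower()
        if needle in hay:
            return False       # a negated content failed, so no alert
    return True


def first_quiet_rev(host):
    """First revision (32, 33 or 34) that stops alerting for this Host."""
    for rev, rule in REVISIONS:
        if not alerts(rule, host):
            return rev
    return None


if __name__ == "__main__":
    for h in ("rc.itsupport247.net", "dumps.itsupport247.net",
              "update1.itsupport247.net", "msn.co.uk", "MSN.CO.UK",
              "unlisted.example"):
        print(f"{h:28} first quiet rev: {first_quiet_rev(h)}")
```

In this model the rev 34 msn.co.uk clause, which carries no nocase, does not suppress a differently-cased Host value, and a User-Agent that only contains the string past the first 28 bytes never reaches the exclusion checks.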


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"Microsoft Internet Explorer"; depth:28; http_user_agent; content:!"bbc.co.uk|0d 0a|"; nocase; http_header; content:!"vmware.com|0d 0a|"; nocase; http_header; content:!"rc.itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.com|0d 0a|"; nocase; http_header; content:!"msn.es|0d 0a|"; nocase; http_header; content:!"live.com|0d 0a|"; nocase; http_header; content:!"gocyberlink.com|0d 0a|"; nocase; http_header; content:!"ultraedit.com|0d 0a|"; nocase; http_header; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:31;)

Added 2015-04-01 17:33:52 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"Microsoft Internet Explorer"; depth:28; http_user_agent; content:!"bbc.co.uk|0d 0a|"; nocase; http_header; content:!"vmware.com|0d 0a|"; nocase; http_header; content:!"rc.itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.com|0d 0a|"; nocase; http_header; content:!"msn.es|0d 0a|"; nocase; http_header; content:!"live.com|0d 0a|"; nocase; http_header; content:!"gocyberlink.com|0d 0a|"; nocase; http_header; content:!"ultraedit.com|0d 0a|"; nocase; http_header; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:31;)

Added 2015-04-01 13:00:00 UTC

Excluded: "ultraedit.com"

-- JanHartmann - 2015-04-01

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"Microsoft Internet Explorer"; depth:28; http_user_agent; content:!"bbc.co.uk|0d 0a|"; nocase; http_header; content:!"vmware.com|0d 0a|"; nocase; http_header; content:!"rc.itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.com|0d 0a|"; nocase; http_header; content:!"msn.es|0d 0a|"; nocase; http_header; content:!"live.com|0d 0a|"; nocase; http_header; content:!"gocyberlink.com|0d 0a|"; nocase; http_header; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:30;)

Added 2014-07-28 18:08:35 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; fast_pattern:11,25; http_header; content:!"bbc.co.uk|0d 0a|"; nocase; http_header; content:!"vmware.com|0d 0a|"; nocase; http_header; content:!"rc.itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.com|0d 0a|"; nocase; http_header; content:!"msn.es|0d 0a|"; nocase; http_header; content:!"live.com|0d 0a|"; nocase; http_header; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:29;)

Added 2012-01-18 17:58:28 UTC

Also needs msn.co.uk adding to defeats

-- MattNewham - 31 Dec 2012

Also needs content:!"liveupdate.gocyberlink.com|0d 0a|"; nocase; http_header; for PowerDVD updates

-- ChriV - 2014-07-28

Thanks, an update for this will go out today!

-- DarienH - 2014-07-28


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; content:!"bbc.co.uk"; nocase; http_header; content:!"vmware.com"; nocase; http_header; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:26;)

Added 2011-10-12 19:11:36 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; content:!"bbc.co.uk"; nocase; http_header; content:!"vmware.com"; nocase; http_header; threshold:type limit, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; sid:2002400; rev:26;)

Added 2011-09-14 21:39:16 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; content:!"bbc.co.uk"; nocase; http_header; content:!"vmware.com"; nocase; http_header; threshold:type limit, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:26;)

Added 2011-08-24 16:56:00 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; content:!"bbc.co.uk"; nocase; http_header; content:!"microsoft.com"; nocase; http_header; content:!"vmware.com"; nocase; http_header; content:!"msn.com"; nocase; http_header; content:!"msnbc.com"; nocase; http_header; content:!".live.com"; nocase; http_header; content:!".msn.es"; nocase; http_header;threshold:type limit, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:25;)

Added 2011-05-02 14:42:51 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; content:!"bbc.co.uk"; nocase; http_header; content:!"microsoft.com"; nocase; http_header; content:!"vmware.com"; nocase; http_header; content:!"msn.com"; nocase; http_header; content:!"msnbc.com"; nocase; http_header; content:!".live.com"; nocase; http_header; content:!".msn.es"; nocase; http_header;threshold:type limit, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:25;)

Added 2011-05-02 14:23:35 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; content:!"bbc.co.uk"; nocase; http_header; content:!"microsoft.com"; nocase; http_header; content:!"vmware.com"; nocase; http_header; content:!"msn.com"; nocase; http_header; content:!"msnbc.com"; nocase; http_header; content:!".live.com"; nocase; http_header; content:!".msn.es"; nocase; http_header;threshold:type limit, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:25;)

Added 2011-05-02 14:04:13 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; content:!"bbc.co.uk"; nocase; http_header; content:!"microsoft.com"; nocase; http_header; content:!"vmware.com"; nocase; http_header; content:!"msn.com"; nocase; http_header; content:!"msnbc.com"; nocase; http_header; content:!".live.com"; nocase; http_header; content:!".msn.es"; nocase; http_header;threshold:type limit, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:25;)

Added 2011-05-01 20:54:00 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; content:!"bbc.co.uk"; nocase; http_header; content:!"microsoft.com"; nocase; http_header; content:!"vmware.com"; nocase; http_header; content:!"msn.com"; nocase; http_header; content:!"msnbc.com"; nocase; http_header; content:!".live.com"; nocase; http_header; content:!".msn.es"; nocase; http_header;threshold:type limit, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:25;)

Added 2011-04-29 17:39:43 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; content:!"bbc.co.uk"; nocase; http_header; content:!"microsoft.com"; nocase; http_header; content:!"vmware.com"; nocase; http_header; content:!"msn.com"; nocase; http_header; content:!"msnbc.com"; nocase; http_header; content:!".live.com"; nocase; http_header; threshold:type limit, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:24;)

Added 2011-02-04 17:21:49 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!"vmware.com"; nocase; content:!"msn.com"; nocase; content:!"msnbc.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:21;)

Added 2010-03-01 14:15:48 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!"vmware.com"; nocase; content:!"msn.com"; nocase; content:!"msnbc.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:20;)

Added 2009-12-22 14:30:46 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!".vmware.com"; nocase; content:!"msn.com"; nocase; content:!"msnbc.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:19;)

Added 2009-10-19 09:15:43 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!".vmware.com"; nocase; content:!"msn.com"; nocase; content:!"msnbc.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2002400; rev:17;)

Added 2009-09-29 15:45:36 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!".vmware.com"; nocase; content:!"msn.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2002400; rev:16;)

Added 2009-02-09 21:30:23 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!".vmware.com"; nocase; content:!"msn.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2002400; rev:16;)

Added 2009-02-09 21:29:24 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!".vmware.com"; nocase; content:!"msn.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; sid:2002400; rev:15;)

Added 2008-12-02 16:30:22 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\:"; nocase; content:"Microsoft Internet Explorer"; within:200; pcre:"/User-Agent\:[^\n]+Microsoft Internet Explorer/i"; content:!"microsoft.com"; nocase; content:!".vmware.com"; nocase; content:!"msn.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; sid:2002400; rev:14;)

Added 2008-07-18 18:00:21 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\:"; nocase; content:"Microsoft Internet Explorer"; within:200; pcre:"/User-Agent\:[^\n]+Microsoft Internet Explorer/i"; content:!"microsoft.com"; nocase; content:!"www.vmware.com"; nocase; content:!"msn.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; sid:2002400; rev:13;)

Added 2008-05-09 17:01:40 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Microsoft Internet Explorer/i"; content:!"microsoft.com"; nocase; content:!"www.vmware.com"; nocase; content:!"msn.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; sid:2002400; rev:12;)

Added 2008-01-28 17:24:20 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Microsoft Internet Explorer/i"; content:!"microsoft.com"; nocase; content:!"www.vmware.com"; nocase; content:!"msn.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; sid:2002400; rev:10;)

Added 2007-11-05 00:46:05 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Suspicious User Agent"; flow: to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Microsoft Internet Explorer/i"; content:!"microsoft.com"; nocase; content:!"www.vmware.com"; nocase; content:!"msn.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; sid:2002400; rev:9;)



Topic revision: r10 - 2017-03-16 - DarienH
 