alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (MSIE)"; flow:to_server,established; content:"User-Agent|3a| MSIE"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2003657; classtype:trojan-activity; sid:2003657; rev:12;)

Added 2011-10-12 19:13:52 UTC

FP for Dynasign Player System http://www.dynasign.net/ds4/index.php

PCAP in attachment

-- DenisI - 2017-05-15


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (MSIE)"; flow:to_server,established; content:"User-Agent|3a| MSIE"; http_header; threshold: type limit, count 2, track by_src, seconds 300; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003657; sid:2003657; rev:12;)

Added 2011-09-14 22:26:51 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (MSIE)"; flow:to_server,established; content:"User-Agent|3a| MSIE"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003657; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003657; rev:11;)

Added 2011-02-04 17:22:37 UTC

GET /mercurywelcome.php HTTP/1.1
User-Agent: MSIE 5.0 (compatible; Windows NT)
Host: newtours.demoaut.com
Connection: Keep-Alive
Cookie: CF0A110A38=1AD88ACAC!QVBPTVVBccHFzbWl0aDphcG9sbG860NZ6rgEYiLIWa5s9Q==;
osCsid=f4af7e772b0f5abaa079f8f2d9

This appears to be related to what I'm guessing is an HP/Mercury tool
interfacing with the "QTP Tutorial site" at newtours.demoaut.com. If
I'm not mistaken I believe this is an application in the tool suite
that is stupidly spoofing this UAS when communicating with the site.
There's references to the tie-ins at
http://h30434.www3.hp.com/t5/Desktop-Operating-systems-and/QTP-Tutorial-Site-Problem/m-p/59541.

-- MattJonkman - 08 Apr 2011


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (MSIE)"; flow:to_server,established; content:"|0d 0a|User-Agent\: MSIE"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003657; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003657; rev:7;)

Added 2009-10-19 09:15:43 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (MSIE)"; flow:to_server,established; content:"|0d 0a|User-Agent\: MSIE"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003657; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003657; rev:7;)

Added 2009-10-19 09:15:43 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (MSIE)"; flow:to_server,established; content:"|0d 0a|User-Agent\: MSIE"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003657; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2003657; rev:5;)

Added 2009-02-09 21:30:24 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (MSIE)"; flow:to_server,established; content:"|0d 0a|User-Agent\: MSIE"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003657; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2003657; rev:5;)

Added 2009-02-09 21:30:24 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (MSIE)"; flow:to_server,established; content:"|0d 0a|User-Agent\: MSIE"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003657; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2003657; rev:5;)

Added 2009-02-09 21:29:25 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (MSIE)"; flow:to_server,established; content:"|0d 0a|User-Agent\: MSIE"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003657; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2003657; rev:5;)

Added 2009-02-09 21:29:25 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (MSIE)"; flow:to_server,established; content:"|0d 0a|User-Agent\: MSIE"; classtype:trojan-activity; sid:2003657; rev:4;)

Added 2008-05-23 00:11:05 UTC



alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Ibankis.org related Spyware User-Agent (MSIE)"; flow:to_server,established; content:"User-Agent\: MSIE"; classtype:trojan-activity; sid:2003657; rev:3;)

Added 2008-05-19 21:14:24 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Ibankis.org related Spyware User-Agent (MSIE 5.3 (xpsp2-xxx))"; flow:to_server,established; content:"User-Agent\: MSIE "; content:"xpsp"; nocase; within:20; classtype:trojan-activity; sid:2003657; rev:2;)

Added 2008-01-28 17:24:21 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Ibankis.org related Spyware User-Agent (MSIE 5.3 (xpsp2-xxx))"; flow:to_server,established; content:"User-Agent\: MSIE "; content:"xpsp"; nocase; within:20; classtype:trojan-activity; sid:2003657; rev:1;)

Added 2007-05-10 22:30:19 UTC


Topic attachments
I Attachment Action Size Date Who Comment
Unknown file formatPNG player.dynasign.net.PNG manage 16.8 K 2017-05-15 - 12:35 DenisI  
Topic revision: r5 - 2017-05-15 - DenisI
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats