alert http $HOME_NET any -> [!208.87.232.0/21,!216.115.208.0/20,!216.219.112.0/20,!66.151.158.0/24,!66.151.150.160/27,!66.151.115.128/26,!64.74.80.0/24,!202.173.24.0/21,!67.217.64.0/19,!78.108.112.0/20,!68.64.0.0/19,!206.183.100.0/22,!173.199.0.0/18,!103.15.16.0/22,!180.153.30.0/23,!140.207.108.0/23,!23.239.224.0/19,!185.36.20.0/22,!8.28.150.0/24,!54.208.0.0/15,!54.248.0.0/15,!70.42.29.0/27,!72.5.190.0/24,!104.129.194.0/24,!104.129.200.0/24,!199.168.148.0/24,!199.168.151.0/24,!216.52.207.64/26,$EXTERNAL_NET] $HTTP_PORTS (msg:"ET MALWARE User-Agent (Mozilla/4.0 (compatible))"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|29 0d 0a|"; fast_pattern:18,20; http_header; content:!"citrixonline.com"; http_header; content:!"/?rnd="; depth:6; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008974; classtype:trojan-activity; sid:2008974; rev:14; metadata:created_at 2010_07_30, updated_at 2017_01_24;)

Added 2017-08-07 21:02:07 UTC


alert http $HOME_NET any -> [!208.87.232.0/21,!216.115.208.0/20,!216.219.112.0/20,!66.151.158.0/24,!66.151.150.160/27,!66.151.115.128/26,!64.74.80.0/24,!202.173.24.0/21,!67.217.64.0/19,!78.108.112.0/20,!68.64.0.0/19,!206.183.100.0/22,!173.199.0.0/18,!103.15.16.0/22,!180.153.30.0/23,!140.207.108.0/23,!23.239.224.0/19,!185.36.20.0/22,!8.28.150.0/24,!54.208.0.0/15,!54.248.0.0/15,!70.42.29.0/27,!72.5.190.0/24,!104.129.194.0/24,!104.129.200.0/24,!199.168.148.0/24,!199.168.151.0/24,!216.52.207.64/26,$EXTERNAL_NET] $HTTP_PORTS (msg:"ET MALWARE User-Agent (Mozilla/4.0 (compatible))"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|29 0d 0a|"; fast_pattern:18,20; http_header; content:!"citrixonline.com"; http_header; content:!"/?rnd="; depth:6; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008974; classtype:trojan-activity; sid:2008974; rev:14;)

Added 2017-01-24 17:49:11 UTC

FP for Web Proxy Auto-Discovery Protocol

https://en.wikipedia.org/wiki/Web_Proxy_Auto-Discovery_Protocol

GET /wpad.dat HTTP/1.1
Host: wpad.XXXXX.com
Connection: close
Accept: */*
User-Agent: Mozilla/4.0 (compatible)

HTTP/1.1 200 OK
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 210

Recommendation - a negation for /wpad.dat should be added to the rule.

-- DenisI - 2017-04-27


alert http $HOME_NET any -> [!208.87.232.0/21,!216.115.208.0/20,!216.219.112.0/20,!66.151.158.0/24,!66.151.150.160/27,!66.151.115.128/26,!64.74.80.0/24,!202.173.24.0/21,!67.217.64.0/19,!78.108.112.0/20,!68.64.0.0/19,!206.183.100.0/22,!173.199.0.0/18,!103.15.16.0/22,!180.153.30.0/23,!140.207.108.0/23,!23.239.224.0/19,!185.36.20.0/22,!8.28.150.0/24,!54.208.0.0/15,!54.248.0.0/15,!70.42.29.0/27,!72.5.190.0/24,!104.129.194.0/24,!104.129.200.0/24,!199.168.148.0/24,!199.168.151.0/24,!216.52.207.64/26,$EXTERNAL_NET] $HTTP_PORTS (msg:"ET MALWARE User-Agent (Mozilla/4.0 (compatible))"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|29 0d 0a|"; fast_pattern:18,20; http_header; content:!"citrixonline.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008974; classtype:trojan-activity; sid:2008974; rev:13;)

Added 2015-12-02 15:53:24 UTC

A false positive is firing when clients with the N-able Windows agent connect to the API. SolarWinds N-able is a system management application for Windows: http://www.n-able.com/ IP: 23.19.67.2/32 host: phxgw-mct01.mspa.n-able.com

{2017-01-16 16:08:02} 1 2008974 13 {ET MALWARE User-Agent (Mozilla/4.0 (compatible))} {2017-01-16 16:08:02} 1 trojan-activity 167971269 x.x.x.x 387138306 23.19.67.2 ...

Src IP: x.x.x.x
Dst IP: 23.19.67.2 (phxgw-mct01.mspa.n-able.com)
Src Port: 57769
Dst Port: 80
OS Fingerprint: x.x.x.x:57769 - Windows XP/2000 (RFC1323+, w+, tstamp-) [GENERIC]
OS Fingerprint: Signature: [8192:127:1:52:M1437,N,W8,N,N,S:.:Windows:?]
OS Fingerprint: -> 23.19.67.2:80 (distance 1, link: unknown-1477)

SRC: POST /?rnd=20170116092452939 HTTP/1.0
SRC: Connection: Keep-Alive
SRC: Content-Type: multipart/form-data; boundary=---------------------------01162017092452
SRC: Content-Length: 144
SRC: Cache-control: No-Cache
SRC: Pragma: No-Cache
SRC: Proxy-Connection: Keep-Alive
SRC: Host: 23.19.67.2
SRC: Accept: text/html, */*
SRC: User-Agent: Mozilla/4.0 (compatible)
SRC:
SRC:
SRC: -----------------------------01162017092452
SRC: Content-Disposition: form-data; name="CMD"
SRC:
SRC: PING
SRC: -----------------------------01162017092452--
SRC:
DST: HTTP/1.1 200 OK
DST: Content-Type: text/html; charset=utf-8
DST: Content-Length: 4
DST: Connection: Keep-Alive
DST:
DST: ....

-- AaronFosdick - 2017-01-16

Hello. We have the same issue. We see a big number of FP. Please consider rule modification. As a variant consider negation of /?rnd

We have thousands of FP.

http://216.230.226.219/?rnd=xxxxxxxxxx (iahgw-mcu01.mspa.n-able.com) http://66.187.72.178/?rnd=xxxxxxxxxxx (iahgw-mct02.mspa.n-able.com) http://108.168.178.52/?rnd=xxxxxx (iadgw-mct01.mspa.n-able.com) http://173.193.195.144/?rnd=xxxxxxxxx (iadgw-mct02.mspa.n-able.com) and so on

Full PCAP for one event:

POST /?rnd=xxxxxxxxx HTTP/1.0
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=---------------------------xxxxxxxxxx
Content-Length: 144
Cache-control: No-Cache
Pragma: No-Cache
Proxy-Connection: Keep-Alive
Host: 216.230.226.219
Accept: text/html, */*
User-Agent: Mozilla/4.0 (compatible)

xxxxxxxxxxx
Content-Disposition: form-data; name="CMD"

PING

xxxxxxxxxxx--

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 4
Connection: Keep-Alive

....

-- MaksymParpaley - 2017-01-19

Dear ET, please modify the rule. Too many FP.

-- MaksymParpaley - 2017-01-24

Sorry for the delay, this will be fixed today! Thank you for all the reports you have been sending!

-- DarienH - 2017-01-24
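The two false-positive threads on this page (the N-able /?rnd= check-ins that rev 13 matched, fixed in rev 14 with content:!"/?rnd="; depth:6; http_uri, and DenisI's WPAD report with the proposed /wpad.dat negation against rev 14) can be replayed offline with a small model of the rule's match logic. This is an added example, not code from Emerging Threats or from this wiki: it approximates Suricata's http_uri and http_header buffers, applies the rule's positive content, its two header/URI negations and a subset of the negated destination networks from the rule header, and runs the captures quoted above through rev 13, rev 14 and the proposed extra negation. The WPAD host name, the 192.0.2.x addresses and the shortened network list are assumptions; the requests themselves are reconstructed from the captures in this thread.

```python
import ipaddress
from dataclasses import dataclass

# Subset of the destination networks negated in the rule header of sid:2008974 rev 14
# (taken from the rule text on this page; the real list is longer).
NEGATED_DST_NETS = [ipaddress.ip_network(n) for n in (
    "208.87.232.0/21", "216.115.208.0/20", "216.219.112.0/20", "23.239.224.0/19",
)]

# content:"User-Agent|3a| Mozilla/4.0 (compatible|29 0d 0a|"; http_header
UA_PATTERN = b"User-Agent: Mozilla/4.0 (compatible)\r\n"


@dataclass
class Request:
    dst_ip: str   # destination address of the TCP flow (what the rule header matches)
    raw: bytes    # raw client request as seen on the wire


def split_request(raw: bytes):
    """Approximate Suricata's http_uri and http_header buffers for one request.

    http_uri is the request-target from the request line; http_header is the
    header block with each header terminated by CRLF (request line excluded).
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    return uri, headers + b"\r\n"


def rule_2008974(req: Request, rev: int = 14, extra_uri_negations=()) -> bool:
    """Return True if the request would raise sid:2008974 at the given revision.

    rev 13 carries the destination-network and citrixonline.com negations;
    rev 14 adds content:!"/?rnd="; depth:6; http_uri.  extra_uri_negations
    models further proposed negations such as DenisI's /wpad.dat.
    """
    uri, headers = split_request(req.raw)
    # Rule header [!net1,!net2,...,$EXTERNAL_NET]: a negated destination never matches.
    if any(ipaddress.ip_address(req.dst_ip) in net for net in NEGATED_DST_NETS):
        return False
    # Positive content (the fast_pattern): the exact User-Agent line.
    if UA_PATTERN not in headers:
        return False
    # content:!"citrixonline.com"; http_header
    if b"citrixonline.com" in headers:
        return False
    # content:!"/?rnd="; depth:6; http_uri: a six-byte pattern searched within the
    # first six bytes of the URI, i.e. the URI must not start with "/?rnd=".
    if rev >= 14 and uri.startswith(b"/?rnd="):
        return False
    for pattern in extra_uri_negations:   # e.g. a proposed content:!"/wpad.dat"; http_uri
        if pattern in uri:
            return False
    return True


# --- Sample traffic, reconstructed from the captures quoted on this page --------------
# WPAD lookup (DenisI). The page redacts the host; wpad.example.com and the
# destination 192.0.2.10 are constructed placeholders.
WPAD = Request("192.0.2.10",
    b"GET /wpad.dat HTTP/1.1\r\nHost: wpad.example.com\r\nConnection: close\r\n"
    b"Accept: */*\r\nUser-Agent: Mozilla/4.0 (compatible)\r\n\r\n")

# N-able agent check-in (AaronFosdick / MaksymParpaley). The body is rebuilt from the
# capture; its length comes out to the Content-Length of 144 shown there.
BOUNDARY = b"-" * 27 + b"01162017092452"
NABLE_BODY = (b"--" + BOUNDARY + b"\r\n"
              b'Content-Disposition: form-data; name="CMD"\r\n\r\nPING\r\n'
              b"--" + BOUNDARY + b"--\r\n")
NABLE = Request("23.19.67.2",
    b"POST /?rnd=20170116092452939 HTTP/1.0\r\nConnection: Keep-Alive\r\n"
    b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n"
    b"Content-Length: " + str(len(NABLE_BODY)).encode() + b"\r\n"
    b"Host: 23.19.67.2\r\nAccept: text/html, */*\r\n"
    b"User-Agent: Mozilla/4.0 (compatible)\r\n\r\n" + NABLE_BODY)

# GoToMeeting CONNECT (StefanLambrev); 216.115.208.199 sits in a negated network.
G2M = Request("216.115.208.199",
    b"CONNECT 216.115.208.199:443 HTTP/1.1\r\nHost: 216.115.208.199:443\r\n"
    b"Proxy-Connection: Keep-Alive\r\nUser-Agent: Mozilla/4.0 (compatible)\r\n\r\n")


def evaluate_all() -> dict:
    """Run every sample through the revisions discussed on the page."""
    return {
        "wpad rev13": rule_2008974(WPAD, rev=13),
        "wpad rev14": rule_2008974(WPAD, rev=14),
        "wpad rev14 + !/wpad.dat": rule_2008974(WPAD, 14, (b"/wpad.dat",)),
        "n-able rev13": rule_2008974(NABLE, rev=13),
        "n-able rev14": rule_2008974(NABLE, rev=14),
        "g2m direct rev14": rule_2008974(G2M, rev=14),
        # The same CONNECT on a flow to an explicit proxy (192.0.2.1, constructed):
        # the destination negation no longer applies and nothing in the header says
        # citrixonline.com, so the alert comes back.
        "g2m via proxy rev14": rule_2008974(Request("192.0.2.1", G2M.raw), rev=14),
    }


if __name__ == "__main__":
    for name, fired in evaluate_all().items():
        print(f"{name:28s} {'ALERT' if fired else 'suppressed'}")
```

Running it shows the N-able POST alerting under rev 13 and suppressed under rev 14, the WPAD GET still alerting under rev 14 until the /wpad.dat negation is added, and the GoToMeeting CONNECT suppressed only when the flow's destination is itself inside a negated network: behind an explicit proxy the flow's destination is the proxy, so the IP negation list does not help and only the http_header negation for citrixonline.com (absent from that particular capture) could.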


alert http $HOME_NET any -> [!216.115.208.0/20,!216.219.112.0/20,!66.151.158.0/24,!66.151.150.160/27,!66.151.115.128/26,!64.74.80.0/24,!202.173.24.0/21,!67.217.64.0/19,!78.108.112.0/20,!68.64.0.0/19,!206.183.100.0/22,!173.199.0.0/18,!103.15.16.0/22,!180.153.30.0/23,!140.207.108.0/23,!23.239.224.0/19,!185.36.20.0/22,!8.28.150.0/24,!54.208.0.0/15,!54.248.0.0/15,!70.42.29.0/27,!72.5.190.0/24,!104.129.194.0/24,!104.129.200.0/24,!199.168.148.0/24,!199.168.151.0/24,!216.52.207.64/26,$EXTERNAL_NET] $HTTP_PORTS (msg:"ET MALWARE User-Agent (Mozilla/4.0 (compatible))"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|29 0d 0a|"; fast_pattern:18,20; http_header; content:!"citrixonline.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008974; classtype:trojan-activity; sid:2008974; rev:12;)

Added 2015-06-29 17:03:36 UTC


alert http $HOME_NET any -> [!216.115.208.0/20,!216.219.112.0/20,!66.151.158.0/24,!66.151.150.160/27,!66.151.115.128/26,!64.74.80.0/24,!202.173.24.0/21,!67.217.64.0/19,!78.108.112.0/20,!68.64.0.0/19,!206.183.100.0/22,!173.199.0.0/18,!103.15.16.0/22,!180.153.30.0/23,!140.207.108.0/23,!23.239.224.0/19,!185.36.20.0/22,$EXTERNAL_NET] $HTTP_PORTS (msg:"ET MALWARE User-Agent (Mozilla/4.0 (compatible))"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|29 0d 0a|"; fast_pattern:18,20; http_header; content:!"citrixonline.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008974; classtype:trojan-activity; sid:2008974; rev:11;)

Added 2015-03-05 19:48:39 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Mozilla/4.0 (compatible))"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible)|0d 0a|"; fast_pattern:18,20; http_header; content:!"citrixonline.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008974; classtype:trojan-activity; sid:2008974; rev:9;)

Added 2014-04-01 19:37:33 UTC

Falsing when connecting to something at gotomeeting.com: "payload_printable": "CONNECT 216.115.208.199:443 HTTP/1.1\r\nHost: 216.115.208.199:443\r\nProxy-Connection: Keep-Alive\r\nUser-Agent: Mozilla/4.0 (compatible)\r\n\r\n" Can we ignore the citrixonline network range?

-- StefanLambrev - 2015-03-04

Update going out today for this with negations from this list: https://support.citrixonline.com/en_us/meeting/all_files/G2M060010

-- DarienH - 2015-03-04


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Mozilla/4.0 (compatible))"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible)|0d 0a|"; fast_pattern:18,20; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008974; classtype:trojan-activity; sid:2008974; rev:8;)

Added 2011-12-15 18:09:39 UTC

Mozilla Firefox 19.0 installed, whereas it is detected as version Mozilla 4.0. PCAP and payload attached.

-- AnshumanDeshmukh - 2013-10-28


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (User-Agent Mozilla/4.0 (compatible))"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible)|0d 0a|"; fast_pattern:18,20; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008974; classtype:trojan-activity; sid:2008974; rev:8;)

Added 2011-10-12 19:26:20 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (User-Agent Mozilla/4.0 (compatible))"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible)|0d 0a|"; fast_pattern:18,20; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008974; sid:2008974; rev:8;)

Added 2011-09-14 22:39:44 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (User-Agent Mozilla/4.0 (compatible))"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible)|0d 0a|"; fast_pattern:18,20; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008974; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008974; rev:8;)

Added 2011-02-04 17:28:13 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (User-Agent\: Mozilla/4.0 (compatible))"; flow:to_server,established; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible)|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008974; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008974; rev:4;)

Added 2009-10-19 09:15:44 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (User-Agent\: Mozilla/4.0 (compatible))"; flow:to_server,established; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible)|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008974; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008974; rev:4;)

Added 2009-10-19 09:15:44 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (User-Agent\: Mozilla/4.0 (compatible))"; flow:to_server,established; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible)|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008974; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2008974; rev:2;)

Added 2009-02-09 22:46:17 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (User-Agent\: Mozilla/4.0 (compatible))"; flow:to_server,established; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible)|0d 0a|"; classtype:trojan-activity; sid:2008974; rev:1;)

Added 2009-01-04 08:00:23 UTC


Topic revision: r9 - 2017-04-27 - DenisI
 