# Disabled revision (the rule line itself is commented out). Heuristic: fires on an
# established client-to-server flow whose User-Agent header line is exactly
# "Mozilla/5.0"; the CRLF on each side of the first content anchors the whole line.
# nocase modifies only that first content; both negated contents stay case-sensitive.
# Exclusions: a Host header for download.releasenotes.nokia.com, and requests where
# "Connection: Close" directly follows the User-Agent and ends the header block, so
# the second exclusion only suppresses when the headers arrive in exactly that order.
# NOTE(review): classtype is trojan-activity, but the match is a bare client string
# that non-malicious software can also send; treat a hit as a lead to correlate.
#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| Mozilla/5.0|0d 0a|"; nocase; content:!"|0d 0a|Host|3a| download.releasenotes.nokia.com"; content:!"Mozilla/5.0|0d 0a|Connection|3a| Close|0d 0a 0d 0a|"; reference:url,doc.emergingthreats.net/2009295; classtype:trojan-activity; sid:2009295; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:02:26 UTC


# Disabled revision; this one carries no metadata keyword. It matches a request whose
# User-Agent line is the bare string "Mozilla/5.0" (case-insensitive through nocase,
# which applies to the first content only).
# The two content:! options suppress the alert for the Nokia release-notes host and
# for a User-Agent that is immediately followed by a final "Connection: Close" header.
# No sticky buffer or http_* modifier is used, so the contents are matched as written,
# including the leading CRLF that anchors each header name to the start of a line.
#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| Mozilla/5.0|0d 0a|"; nocase; content:!"|0d 0a|Host|3a| download.releasenotes.nokia.com"; content:!"Mozilla/5.0|0d 0a|Connection|3a| Close|0d 0a 0d 0a|"; reference:url,doc.emergingthreats.net/2009295; classtype:trojan-activity; sid:2009295; rev:9;)

Added 2015-12-01 16:40:21 UTC


# Disabled revision written for protocol tcp with http_header content modifiers, so
# all three contents are evaluated against the HTTP header buffer.
# The User-Agent content has no leading CRLF here, so it can also match a header whose
# name merely ends in "User-Agent".
# fast_pattern:5,20 selects 20 bytes starting at offset 5 of the 25-byte content
# ("Agent: Mozilla/5.0" plus CRLF) for the prefilter.
# NOTE(review): the Host exclusion still requires a CRLF before "Host"; if Host is the
# first header in the buffer there is no preceding CRLF, so the exclusion may not
# apply. Confirm on the target engine.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0|0d 0a|"; fast_pattern:5,20; nocase; http_header; content:!"|0d 0a|Host|3a| download.releasenotes.nokia.com"; http_header; content:!"Mozilla/5.0|0d 0a|Connection|3a| Close|0d 0a 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2009295; classtype:trojan-activity; sid:2009295; rev:12;)

Added 2011-10-12 19:27:03 UTC


# Disabled revision. Detection logic: the HTTP header buffer contains
# "User-Agent: Mozilla/5.0" followed by CRLF (nocase) and contains neither of the two
# exclusion patterns.
# NOTE(review): the "Connection: Close" exclusion ends in a double CRLF; whether the
# http_header buffer includes the blank line that terminates the headers is
# engine-dependent. Verify before relying on this exclusion.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0|0d 0a|"; fast_pattern:5,20; nocase; http_header; content:!"|0d 0a|Host|3a| download.releasenotes.nokia.com"; http_header; content:!"Mozilla/5.0|0d 0a|Connection|3a| Close|0d 0a 0d 0a|"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009295; sid:2009295; rev:12;)

Added 2011-08-26 21:55:29 UTC


# Enabled revision (no leading '#'). Alerts when the HTTP header buffer of an
# established outbound request holds "User-Agent: Mozilla/5.0" directly followed by
# CRLF, i.e. nothing after the "Mozilla/5.0" token.
# Each http_header modifier applies to the content that precedes it; nocase applies
# to the User-Agent content only, so the negated Host and Connection patterns are
# matched case-sensitively.
# NOTE(review): this is a single-string heuristic labelled trojan-activity; legitimate
# clients that send the same bare string will alert unless covered by an exclusion.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0|0d 0a|"; fast_pattern:5,20; nocase; http_header; content:!"|0d 0a|Host|3a| download.releasenotes.nokia.com"; http_header; content:!"Mozilla/5.0|0d 0a|Connection|3a| Close|0d 0a 0d 0a|"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009295; sid:2009295; rev:12;)

Added 2011-04-26 18:47:15 UTC


# rev:11, enabled. The match options are the http_header form: a User-Agent content
# with fast_pattern:5,20 and nocase, plus two negated contents (Nokia release-notes
# Host, and a trailing "Connection: Close" right after the User-Agent).
# This revision carries a second reference pointing at the cvsweb signature file and a
# msg string with " - " before "Likely Fake".
# NOTE(review): both exclusions are plain substring negations inside the header
# buffer; they suppress the alert only when the bytes appear exactly as written
# (same case, same header adjacency).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0|0d 0a|"; fast_pattern:5,20; nocase; http_header; content:!"|0d 0a|Host|3a| download.releasenotes.nokia.com"; http_header; content:!"Mozilla/5.0|0d 0a|Connection|3a| Close|0d 0a 0d 0a|"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009295; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_Agents_Suspicious; sid:2009295; rev:11;)

Added 2011-02-04 17:28:36 UTC


# rev:7, enabled. No http_* modifiers: all three contents are matched against the
# payload as written, and the leading CRLF pins "User-Agent" to the start of a line.
# The colon is written as \: here, where other revisions on this page use |3a|.
# The Host exclusion is a content:! in this revision, so it is evaluated against the
# same payload as the User-Agent match.
# nocase follows the first content only; the two negated contents are case-sensitive.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Mozilla/5.0|0d 0a|"; nocase; content:!"|0d 0a|Host\: download.releasenotes.nokia.com"; content:!"Mozilla/5.0|0d 0a|Connection\: Close|0d 0a 0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009295; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_Agents_Suspicious; sid:2009295; rev:7;)

Added 2010-06-28 22:47:02 UTC


# rev:7 again, listed with the same "Added" timestamp as the entry above it.
# Logic: payload contains CRLF + "User-Agent: Mozilla/5.0" + CRLF (nocase), does not
# contain CRLF + "Host: download.releasenotes.nokia.com", and does not contain
# "Mozilla/5.0" + CRLF + "Connection: Close" + CRLF CRLF.
# NOTE(review): the last exclusion needs "Connection: Close" to be the header right
# after User-Agent and the final header of the request; any other order still alerts.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Mozilla/5.0|0d 0a|"; nocase; content:!"|0d 0a|Host\: download.releasenotes.nokia.com"; content:!"Mozilla/5.0|0d 0a|Connection\: Close|0d 0a 0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009295; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_Agents_Suspicious; sid:2009295; rev:7;)

Added 2010-06-28 22:47:02 UTC


# rev:6, enabled. First revision on this page with a Host exclusion for
# download.releasenotes.nokia.com.
# NOTE(review): the Host exclusion is written as uricontent:!, which inspects the
# request URI rather than the headers. A URI would not normally contain a
# CRLF-prefixed "Host:" line, so this negation presumably always holds and excludes
# nothing. The rev:7 text on this page uses content:! for the same pattern.
# The "Connection: Close" exclusion is a normal content:! against the payload.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Mozilla/5.0|0d 0a|"; nocase; uricontent:!"|0d 0a|Host\: download.releasenotes.nokia.com"; content:!"Mozilla/5.0|0d 0a|Connection\: Close|0d 0a 0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009295; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_Agents_Suspicious; sid:2009295; rev:6;)

Added 2010-02-03 10:46:57 UTC

Just a heads up: I am seeing the Arora/0.10.1 web browser trigger SID 2009295 when you type in its built-in Google search field and it fetches suggested queries. Example:

GET /complete/search?json=t&hl=en-US&q=lulz+catcher&nolabels=t HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Mozilla/5.0
Host: suggestqueries.google.com

-- MattJonkman - 22 May 2010



# rev:5, enabled. One positive content (CRLF-anchored "User-Agent: Mozilla/5.0" line,
# nocase) and one exclusion for a User-Agent directly followed by a final
# "Connection: Close" header. There is no Host exclusion in this revision.
# NOTE(review): the negated content is written with spaces around '!'
# (content: ! "..."), unlike the other revisions on this page; check that the
# deployed engine parses this form as a negation.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Mozilla/5.0|0d 0a|"; nocase; content: ! "Mozilla/5.0|0d 0a|Connection\: Close|0d 0a 0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009295; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_Agents_Suspicious; sid:2009295; rev:5;)

Added 2009-12-07 10:30:42 UTC


# rev:4, enabled. A single content match with no exclusions: any established outbound
# flow to $HTTP_PORTS whose payload contains "User-Agent: Mozilla/5.0" followed by
# CRLF (nocase) alerts.
# The content has no leading CRLF, so the header name is not anchored to the start of
# a line and a longer header name ending in "User-Agent" would also match.
# NOTE(review): with no exclusions this is the broadest form of the rule on this
# page; expect alerts from any client that sends the bare string.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"User-Agent\: Mozilla/5.0|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009295; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_Agents_Suspicious; sid:2009295; rev:4;)

Added 2009-10-19 09:15:43 UTC


# rev:1, the oldest entry on this page. The msg prefix is "ET MALWARE" and the second
# reference points at the MALWARE signature file rather than USER_AGENTS.
# Match logic is one content, "User-Agent: Mozilla/5.0" followed by CRLF with nocase,
# on established client-to-server traffic from $HOME_NET to $EXTERNAL_NET on
# $HTTP_PORTS. There are no negated contents, so nothing is excluded.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"User-Agent\: Mozilla/5.0|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009295; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2009295; rev:1;)

Added 2009-04-23 16:45:34 UTC


Topic revision: r2 - 2010-05-22 - MattJonkman
 