alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TeamViewer Dyngate User-Agent"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| DynGate)"; http_user_agent; fast_pattern:25,17; depth:43; threshold: type limit, count 1, seconds 120, track by_src; reference:url,www.teamviewer.com/index.aspx; reference:url,doc.emergingthreats.net/2009475; classtype:policy-violation; sid:2009475; rev:11;)

Added 2015-10-09 18:45:44 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY TeamViewer Dyngate User-Agent"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| DynGate)"; http_header; reference:url,www.teamviewer.com/index.aspx; reference:url,doc.emergingthreats.net/2009475; classtype:policy-violation; sid:2009475; rev:6;)

Added 2011-10-12 19:27:27 UTC

How about adding rate limiting like SID 2008795?

threshold: type limit, count 1, seconds 120, track by_src;

-- AndreaDePasquale - 2015-10-09


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY TeamViewer Dyngate User-Agent"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| DynGate)"; http_header; classtype:policy-violation; reference:url,www.teamviewer.com/index.aspx; reference:url,doc.emergingthreats.net/2009475; sid:2009475; rev:6;)

Added 2011-09-14 22:40:49 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY TeamViewer Dyngate User-Agent"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| DynGate)"; http_header; classtype:policy-violation; reference:url,www.teamviewer.com/index.aspx; reference:url,doc.emergingthreats.net/2009475; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Dyngate; sid:2009475; rev:6;)

Added 2011-02-04 17:28:49 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY TeamViewer Dyngate User-Agent"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; DynGate)"; classtype:policy-violation; reference:url,www.teamviewer.com/index.aspx; reference:url,doc.emergingthreats.net/2009475; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Dyngate; sid:2009475; rev:3;)

Added 2009-07-01 21:30:34 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY TeamViewer Dyngate User-Agent"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; DynGate)"; classtype:policy-violation; nocase; reference:url,www.teamviewer.com/index.aspx; reference:url,doc.emergingthreats.net/2009475; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Dyngate; sid:2009475; rev:2;)

Added 2009-07-01 20:03:01 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY TeamViewer Dyngate User-Agent"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; DynGate)"; classtype:policy-violation; nocase; reference:url,www.teamviewer.com/index.aspx; sid:2009475; rev:1;)

Added 2009-06-30 13:00:36 UTC


Topic revision: r2 - 2015-10-09 - AndreaDePasquale
 