# sid:2010677 rev:7 (with metadata). Fires on an established, client-to-server HTTP request
# ("alert http" selects the HTTP app-layer, so any port) from $HOME_NET to $EXTERNAL_NET whose
# normalized HTTP header buffer (http_header) contains "User-Agent: My Session" case-insensitively
# (|3a| is ':'). The negated second content suppresses the alert when the same header buffer also
# contains ".windows.net" followed by CRLF (|0d 0a|) — presumably a Host header ending in
# .windows.net (confirm against the original change). Note that this exclusion does not cover the
# samsungmobile.com update client reported as a false positive further down this page; that
# client's Host header does not contain ".windows.net", so it would still match this revision.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (My Session)"; flow:to_server,established; content:"User-Agent|3a| My Session"; nocase; http_header; content:!".windows.net|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2010677; classtype:trojan-activity; sid:2010677; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_02_17;)

Added 2017-08-07 21:03:48 UTC


# sid:2010677 rev:7 (same detection logic as the metadata-tagged copy above, minus the metadata
# keyword). Matches "User-Agent: My Session" (nocase, |3a| = ':') in the normalized HTTP header
# buffer of an established client-to-server HTTP request, and adds a negated content that skips the
# alert when the header buffer also contains ".windows.net" + CRLF — presumably a Host header on a
# .windows.net domain (confirm). The rev:5 rule below has no such exclusion.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (My Session)"; flow:to_server,established; content:"User-Agent|3a| My Session"; nocase; http_header; content:!".windows.net|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2010677; classtype:trojan-activity; sid:2010677; rev:7;)

Added 2017-02-17 17:23:48 UTC


# sid:2010677 rev:5. TCP from $HOME_NET to $EXTERNAL_NET on $HTTP_PORTS, established and
# client-to-server; alerts when the normalized HTTP header buffer (http_header) contains
# "User-Agent: My Session" case-insensitively (|3a| = ':'). The msg was generalized from the
# google-analitid181.com wording of rev:4 after the false positive below. There is no exclusion
# here, so the samsungmobile.com update request quoted on this page (User-Agent: My Session) still
# matches this revision.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (My Session)"; flow:to_server,established; content:"User-Agent|3a| My Session"; nocase; http_header; reference:url,doc.emergingthreats.net/2010677; classtype:trojan-activity; sid:2010677; rev:5;)

Added 2012-04-11 08:23:19 UTC


# sid:2010677 rev:4 (ET MALWARE category name). Same detection as the other rev:4 copies below:
# established client-to-server TCP to $HTTP_PORTS whose normalized HTTP header buffer contains
# "User-Agent: My Session" (nocase, |3a| = ':'). This is the revision the samsungmobile.com
# false positive reported below was raised against.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware google-analitid181.com related User-Agent (My Session)"; flow:to_server,established; content:"User-Agent|3a| My Session"; nocase; http_header; reference:url,doc.emergingthreats.net/2010677; classtype:trojan-activity; sid:2010677; rev:4;)

Added 2011-12-15 18:09:44 UTC

False positive (FP) on samsungmobile.com update traffic:
SRC: GET /BUWebServiceProc.asmx/GetContents?platformID=HX%26PartNumber%3dAAAA HTTP/1.1
SRC: User-Agent: My Session
SRC: Host: sbuservice.samsungmobile.com
SRC: Cache-Control: no-cache
SRC: 
SRC: 
DST: HTTP/1.0 200 OK
DST: Date: Tue%2c 10 Apr 2012 08:53:51 GMT
DST: Server: Microsoft-IIS/6.0
DST: X-Powered-By: ASP.NET
DST: X-AspNet-Version: 2.0.50727
DST: Cache-Control: private%2c max-age%3d0
DST: Content-Type: text/xml%3b charset%3dutf-8
DST: Content-Length: 494
DST: X-Cache: MISS from localhost
DST: X-Cache-Lookup: MISS from localhost:3128
DST: Via: ICAP/1.0 shorewall (C-ICAP/0.1.6 Clamav/Antivirus service )%2c 1.0 localhost (squid/3.1.6)
DST: Connection: close
DST: 
DST: %3c%3fxml version%3d%221.0

-- StephaneChazelas - 10 Apr 2012

Thanks Stephane. I'll adjust the msg, perhaps move to policy.

-- MattJonkman - 10 Apr 2012


# sid:2010677 rev:4 (ET USER_AGENTS category name, single reference). Established client-to-server
# TCP to $HTTP_PORTS; alerts when the normalized HTTP header buffer (http_header) contains
# "User-Agent: My Session" case-insensitively (|3a| = ':').
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Spyware google-analitid181.com related user agent (My Session)"; flow:to_server,established; content:"User-Agent|3a| My Session"; nocase; http_header; reference:url,doc.emergingthreats.net/2010677; classtype:trojan-activity; sid:2010677; rev:4;)

Added 2011-10-12 19:30:19 UTC


# sid:2010677 rev:4 (ET USER_AGENTS; classtype listed before the reference, cvsweb reference
# dropped). Detection is unchanged from the other rev:4 copies: established client-to-server TCP to
# $HTTP_PORTS whose normalized HTTP header buffer contains "User-Agent: My Session" (nocase).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Spyware google-analitid181.com related user agent (My Session)"; flow:to_server,established; content:"User-Agent|3a| My Session"; nocase; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010677; sid:2010677; rev:4;)

Added 2011-09-14 22:43:30 UTC


# sid:2010677 rev:4 (first rev:4 form, two references). Compared with rev:3 below, the leading
# |0d 0a| was removed and http_header added, so the match moves from the raw TCP payload to the
# normalized HTTP header buffer: "User-Agent: My Session" (nocase, |3a| = ':') on an established
# client-to-server TCP session to $HTTP_PORTS.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Spyware google-analitid181.com related user agent (My Session)"; flow:to_server,established; content:"User-Agent|3a| My Session"; nocase; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010677; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_MySession; sid:2010677; rev:4;)

Added 2011-02-04 17:30:17 UTC


# sid:2010677 rev:3. No http_header modifier, so this is a raw-payload match on an established
# client-to-server TCP session to $HTTP_PORTS: CRLF (|0d 0a|) followed by "User-Agent: My Session"
# (|3a| = ':', nocase). The leading CRLF anchors the match to the start of a header line rather than
# to the first line of the request. Differs from rev:2 only in spelling the colon as |3a| instead
# of the escaped "\:".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Spyware google-analitid181.com related user agent (My Session)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| My Session"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010677; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_MySession; sid:2010677; rev:3;)

Added 2010-07-29 22:05:01 UTC


# sid:2010677 rev:3 (duplicate entry of the rev:3 rule above, same timestamp). Raw-payload match —
# no http_header — for CRLF (|0d 0a|) + "User-Agent: My Session" (|3a| = ':', nocase) on an
# established client-to-server TCP session to $HTTP_PORTS.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Spyware google-analitid181.com related user agent (My Session)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| My Session"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010677; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_MySession; sid:2010677; rev:3;)

Added 2010-07-29 22:05:01 UTC


# sid:2010677 rev:2. Raw-payload match (no http_header) on an established client-to-server TCP
# session to $HTTP_PORTS for CRLF (|0d 0a|) + "User-Agent: My Session", nocase; the colon is written
# as the escaped "\:" because ':' is a special character inside content strings. Adds the two
# reference URLs that rev:1 lacked.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Spyware google-analitid181.com related user agent (My Session)"; flow:to_server,established; content:"|0d 0a|User-Agent\: My Session"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010677; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_MySession; sid:2010677; rev:2;)

Added 2010-01-19 10:15:58 UTC


# sid:2010677 rev:2 (duplicate entry of the rev:2 rule above, same timestamp). Raw-payload match —
# no http_header — for CRLF (|0d 0a|) + "User-Agent\: My Session" (escaped colon, nocase) on an
# established client-to-server TCP session to $HTTP_PORTS.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Spyware google-analitid181.com related user agent (My Session)"; flow:to_server,established; content:"|0d 0a|User-Agent\: My Session"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010677; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_MySession; sid:2010677; rev:2;)

Added 2010-01-19 10:15:58 UTC


# sid:2010677 rev:1 (initial revision, no reference keywords). Raw-payload match — no http_header —
# on an established client-to-server TCP session to $HTTP_PORTS for CRLF (|0d 0a|) followed by
# "User-Agent\: My Session" (escaped colon, nocase). Later revisions add references, switch the
# colon to |3a|, move the match into the http_header buffer, and finally add a .windows.net
# exclusion.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Spyware google-analitid181.com related user agent (My Session)"; flow:to_server,established; content:"|0d 0a|User-Agent\: My Session"; nocase; classtype:trojan-activity; sid:2010677; rev:1;)

Added 2010-01-17 23:59:13 UTC

