#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS badly formatted User-Agent string (no closing parenthesis)"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| "; http_header; content:!")|0d 0a|"; within:100; http_header; pcre:"/\(compatible[^\)]+\n/"; reference:url,doc.emergingthreats.net/2010906; classtype:bad-unknown; sid:2010906; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:04:03 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS badly formatted User-Agent string (no closing parenthesis)"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| "; fast_pattern:16,20; http_header; content:!")|0d 0a|"; within:100; http_header; pcre:"/User-Agent\x3a\sMozilla\/4\.0\s\(compatible[^\)]+\r\n/H"; reference:url,doc.emergingthreats.net/2010906; classtype:bad-unknown; sid:2010906; rev:9;)

Added 2011-10-19 18:51:45 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS badly formatted User-Agent string (no closing parenthesis)"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| "; fast_pattern:16,20; content:!")|0d 0a|"; distance:0; pcre:"/^User-Agent\x3a\sMozilla\/4\.0\s\(compatible[^\)]+\r\n/smiH"; reference:url,doc.emergingthreats.net/2010906; classtype:bad-unknown; sid:2010906; rev:7;)

Added 2011-10-12 19:30:52 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS badly formatted User-Agent string (no closing parenthesis)"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| "; fast_pattern:16,20; content:!")|0d 0a|"; distance:0; pcre:"/^User-Agent\x3a\sMozilla\/4\.0\s\(compatible[^\)]+\r\n/smiH"; classtype:bad-unknown; reference:url,doc.emergingthreats.net/2010906; sid:2010906; rev:7;)

Added 2011-09-14 22:44:01 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS badly formatted User-Agent string (no closing parenthesis)"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| "; fast_pattern:16,20; content:!")|0d 0a|"; distance:0; pcre:"/^User-Agent\x3a\sMozilla\/4\.0\s\(compatible[^\)]+\r\n/smiH"; classtype:bad-unknown; reference:url,doc.emergingthreats.net/2010906; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2010906; rev:7;)

Added 2011-02-04 17:30:35 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS badly formatted User-Agent string (no closing parenthesis)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible|3b| "; content:!")|0d 0a|"; distance:0; pcre:"/\(compatible[^\)]+\n/"; classtype:bad-unknown; reference:url,doc.emergingthreats.net/2010906; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2010906; rev:2;)

Added 2010-03-08 23:15:50 UTC

POST /whatsnew/whatsnewservice.asmx HTTP/1.1
Accept: text/*
Content-Type: text/xml; charset=utf-8
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; GTB6.4; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.2; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729;
Host: sup.live.com
Content-Length: 1331
Connection: Keep-Alive
Cache-Control: no-cache

-- JackPepper - 24 Mar 2010

Please enter documentation, comments, false positives, or concerns with this signature. Press the Attach button below to add samples or Pcaps.

-- KevinBranch - 02 Jun 2010

I see many of these from otherwise healthy-looking systems; it appears to be related to conduit.com's Desktop Alerts service. In the request below, the User-Agent header is exactly the malformed shape the signature keys on: it opens "Mozilla/4.0 (compatible;" and reaches the end-of-header CRLF without a closing parenthesis, so the negated ")|0d 0a|" content and the pcre both match even though the traffic is benign.

POST /Alerts/AlertServices.asmx/AlertLogin HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; 
Trident/4.0; GTB6.4; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; Community Alerts 1.0.19.0
Accept: */*
Accept-Encoding: gzip, deflate
Host: alert.services.conduit.com
Content-Length: 346
Connection: Keep-Alive
Cache-Control: no-cache

-- KevinBranch - 02 Jun 2010


Topic revision: r3 - 2010-06-02 - KevinBranch
 