EmergingThreats > Main Web > 2010908 (revision 3)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0|0d 0a|"; fast_pattern:5,20; nocase; http_header; reference:url,doc.emergingthreats.net/2010908; classtype:trojan-activity; sid:2010908; rev:6;)

Added 2011-12-15 18:09:45 UTC

This declares an alert when a malicious GET is sent, regardless of what happens after that. So this is a false positive if you use it on anything intentionally exposed to the public internet (because just because the bad guys sent me a horked User-Agent doesn't mean further bad things happened.)

-- RodneyThayer - 2014-06-18

This rule will actually work on POST/HEAD/etc. requests as well, and you are correct that seeing this does not necessarily mean all traffic from the external client is malicious. We do see a lot of malicious content utilizing this UA though, which is why this rule exists. If you are seeing a lot of false positives with the same or similar type of traffic, feel free to post a pcap here or send to dhuss -at- emergingthreats -dot- net and we can take a look to see if this needs to be modified!

-- DarienH - 2014-06-18
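To make concrete what the rule actually inspects (only the request header block, any method, with a bare `Mozilla/5.0` value terminated by CRLF), here is an added Python model of the match; it is not code from the Emerging Threats page or ruleset. The `http_header` buffer approximation and the sample requests are constructed assumptions, and direction, port and flow checks are left out.

```python
"""Model of the content match in ET SID 2010908 over constructed HTTP requests.
Added example; not part of the Emerging Threats page or ruleset."""

# The rule's content, with the Snort/Suricata hex escapes decoded:
# "User-Agent|3a| Mozilla/5.0|0d 0a|"  ->  b"User-Agent: Mozilla/5.0\r\n"
# The trailing CRLF is what makes this a *bare* Mozilla/5.0 value.
CONTENT = b"User-Agent: Mozilla/5.0\r\n"

# fast_pattern:5,20 hands bytes 5..24 of CONTENT to the multi-pattern matcher.
FAST_PATTERN = CONTENT[5:5 + 20]  # b"Agent: Mozilla/5.0\r\n"


def http_header_buffer(request: bytes) -> bytes:
    """Approximation (assumption) of the http_header buffer: the request line
    and header lines up to the blank line, with the body excluded."""
    head, _sep, _body = request.partition(b"\r\n\r\n")
    return head + b"\r\n"


def sid_2010908_matches(request: bytes) -> bool:
    """True when the rule's content (nocase) is found in the header buffer.
    $EXTERNAL_NET -> $HOME_NET $HTTP_PORTS and flow:to_server are not modelled;
    only the request bytes are inspected, as the rule only inspects the request."""
    return CONTENT.lower() in http_header_buffer(request).lower()


# Constructed sample requests, not captured traffic.
SAMPLES = {
    "bare_get": b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    # nocase: header name and value case do not matter
    "bare_post": b"POST /up HTTP/1.1\r\nHost: example.test\r\nuser-agent: mozilla/5.0\r\n"
                 b"Content-Length: 0\r\n\r\n",
    "bare_head": b"HEAD / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    # A full browser UA starts with Mozilla/5.0 but is not followed by CRLF
    "full_browser_ua": b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0 "
                       b"(X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\r\n\r\n",
    # The string appears only in the body, which http_header does not cover
    "body_only": b"POST /c HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/7.0\r\n"
                 b"Content-Length: 25\r\n\r\nUser-Agent: Mozilla/5.0\r\n",
}


def evaluate_samples() -> dict:
    """Map each constructed sample name to whether SID 2010908 would fire on it."""
    return {name: sid_2010908_matches(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:16s} {'ALERT' if hit else '-'}")
```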


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent Inbound Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0|0d 0a|"; fast_pattern:5,20; nocase; http_header; reference:url,doc.emergingthreats.net/2010908; classtype:trojan-activity; sid:2010908; rev:6;)

Added 2011-10-12 19:30:52 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent Inbound Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0|0d 0a|"; fast_pattern:5,20; nocase; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010908; sid:2010908; rev:6;)

Added 2011-04-26 18:47:17 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent Inbound - Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0|0d 0a|"; fast_pattern:5,20; nocase; http_header; classtype:trojan-activity; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_Agents_Suspicious; reference:url,doc.emergingthreats.net/2010908; sid:2010908; rev:5;)

Added 2011-02-04 17:30:35 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent Inbound - Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Mozilla/5.0|0d 0a|"; nocase; classtype:trojan-activity; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_Agents_Suspicious; reference:url,doc.emergingthreats.net/2010908; sid:2010908; rev:2;)

Added 2010-03-08 23:15:50 UTC


Topic revision: r3 - 2014-06-18 - DarienH