alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (Save)"; flow:to_server,established; content:"User-Agent|3a| Save|0d 0a|"; http_header; reference:url,poweredbysave.com; classtype:trojan-activity; sid:2011120; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:04:16 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Save)"; flow:to_server,established; content:"User-Agent|3a| Save|0d 0a|"; http_header; reference:url,poweredbysave.com; classtype:trojan-activity; sid:2011120; rev:8;)

Added 2013-02-15 23:11:02 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Save)"; flow:to_server,established; content:"User-Agent|3a| Save"; http_header; reference:url,doc.emergingthreats.net/2011120; classtype:trojan-activity; sid:2011120; rev:7;)

Added 2011-12-15 18:09:46 UTC

False positive will fire on----

Host: data.flurry.com
Accept-Encoding: gzip, deflate
Content-Type: application/octet-stream
Content-Length: 273
Accept-Language: en-us
Accept: */*
Connection: keep-alive
User-Agent: Save2CloudDrive/1.0.1305513879 CFNetwork/609.1.4 Darwin/13.0.0

-- JosephCooper - 14 Feb 2013

Got it, thanks Joseph. Will adjust the sig.

-- MattJonkman - 15 Feb 2013


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent - Save"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3a| Save"; http_header; reference:url,doc.emergingthreats.net/2011120; classtype:trojan-activity; sid:2011120; rev:5;)

Added 2011-10-12 19:31:21 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent - Save"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3a| Save"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2011120; sid:2011120; rev:5;)

Added 2011-09-14 22:44:33 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent - Save"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3a| Save"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2011120; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Save.com; sid:2011120; rev:5;)

Added 2011-02-04 17:30:52 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent - Save";flow:to_server,established; content:"GET "; depth:4; content:"|0d 0a|User-Agent\: Save"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2011120; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Save.com; sid:2011120; rev:2;)

Added 2010-05-16 15:45:58 UTC


Topic revision: r3 - 2013-02-15 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats