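# sid:2011800 rev:10 (2014-04-14) — heuristic/policy rule: fires on outbound HTTP requests whose
# User-Agent header has no space after the colon ("User-Agent:Mozilla", matched as |3A| followed
# directly by "Mozilla"). Each negated content is an independent match over the normalized HTTP
# header buffer (http_header), so an exclusion string appearing in ANY request header — not only
# User-Agent — suppresses the alert. The exclusion list grew revision by revision from reported
# false positives (BlackBerry, PlayBook, Konfabulator, masterconn.qq.com, QQPCMgr); expect more.
# Change vs. the posted rev 10: `content:!"QQPCMgr"; http_header;` appeared twice back to back.
# Two identical negated contents are pure redundancy (same buffer, same string, no relative
# modifiers), so it is kept once; bump rev when this is published.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Abnormal User-Agent No space after colon - Likely Hostile"; flow:established,to_server; content:"User-Agent|3A|Mozilla"; http_header; content:!"BlackBerry|3b|"; http_header; content:!"PlayBook|3b|"; http_header; content:!"masterconn.qq.com"; http_header; content:!"Konfabulator"; http_header; content:!"QQPCMgr"; http_header; classtype:trojan-activity; sid:2011800; rev:10;)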

Added 2014-04-14 19:22:50 UTC


# sid:2011800 rev:8 (2012-12-07) — identical to rev 7 except the qq.com exclusion is now
# written "masterconn.qq.com"; rev 7 carried "master conn.qq.com" with a space, which a real
# hostname or UA token would not contain, so that exclusion would not have matched as intended.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Abnormal User-Agent No space after colon - Likely Hostile"; flow:established,to_server; content:"User-Agent|3A|Mozilla"; http_header; content:!"BlackBerry|3b|"; http_header; content:!"PlayBook|3b|"; http_header; content:!"masterconn.qq.com"; http_header; content:!"Konfabulator"; http_header; classtype:trojan-activity; sid:2011800; rev:8;)

Added 2012-12-07 19:21:01 UTC


# sid:2011800 rev:7 as posted 2011-10-12 — byte-identical to the rev 7 entry posted 2011-09-12
# further down (same rev number, no change). Note the exclusion string "master conn.qq.com"
# still contains a space here; rev 8 is where it was corrected.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Abnormal User-Agent No space after colon - Likely Hostile"; flow:established,to_server; content:"User-Agent|3A|Mozilla"; http_header; content:!"BlackBerry|3b|"; http_header; content:!"PlayBook|3b|"; http_header; content:!"master conn.qq.com"; http_header; content:!"Konfabulator"; http_header; classtype:trojan-activity; sid:2011800; rev:7;)

Added 2011-10-12 19:32:36 UTC


# sid:2011800 rev:7 (2011-09-12) — reclassified from the Avzhan-specific USER_AGENTS message to
# the generic "ET POLICY Abnormal User-Agent No space after colon - Likely Hostile": the two
# Avzhan reference URLs from rev 6 are dropped and a "master conn.qq.com" exclusion is added
# (that string contains a space; see the rev 8 entry above for the corrected form).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Abnormal User-Agent No space after colon - Likely Hostile"; flow:established,to_server; content:"User-Agent|3A|Mozilla"; http_header; content:!"BlackBerry|3b|"; http_header; content:!"PlayBook|3b|"; http_header; content:!"master conn.qq.com"; http_header; content:!"Konfabulator"; http_header; classtype:trojan-activity; sid:2011800; rev:7;)

Added 2011-09-12 16:16:06 UTC


# sid:2011800 rev:6 (2011-07-06) — rev 5 plus a negated "Konfabulator" http_header content,
# added in response to the false-positive report in the discussion below (Konfabulator widgets
# send "User-Agent:Mozilla[..]Konfabulator/5.5.0", i.e. also no space after the colon).
# Because the negation is over the whole header buffer, "Konfabulator" anywhere in the request
# headers now suppresses the alert.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Potential Avzhan DDOS Bot or abnormal User-Agent"; flow:established,to_server; content:"User-Agent|3A|Mozilla"; http_header; content:!"BlackBerry|3b|"; http_header; content:!"PlayBook|3b|"; http_header; content:!"Konfabulator"; http_header; classtype:trojan-activity; reference:url,blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan; sid:2011800; rev:6;)

Added 2011-07-06 18:04:01 UTC


# sid:2011800 rev:5 (2011-04-28) — rev 4 plus a negated "PlayBook|3b|" http_header content
# (second known-benign client excluded after BlackBerry). Detection logic is otherwise the
# same Avzhan-oriented "User-Agent|3A|Mozilla" (no space after the colon) match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Potential Avzhan DDOS Bot or abnormal User-Agent"; flow:established,to_server; content:"User-Agent|3A|Mozilla"; http_header; content:!"BlackBerry|3b|"; http_header; content:!"PlayBook|3b|"; http_header; classtype:trojan-activity; reference:url,blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan; sid:2011800; rev:5;)

Added 2011-04-28 19:56:36 UTC

Triggers a false positive on "Konfabulator" widgets.

User-Agent:Mozilla[..]Konfabulator/5.5.0

-- CeesElzinga - 06 Jul 2011

Odd that they don't put a space in their UA. We could exclude it, though. Will post that now!

-- MattJonkman - 06 Jul 2011


# sid:2011800 rev:4 (2011-02-04) — earliest revision on this page. Matches an established
# client-to-server HTTP request whose header buffer contains "User-Agent:Mozilla" with no space
# after the colon, with a single exclusion ("BlackBerry|3b|"); the two reference URLs tie the
# UA malformation to the Avzhan DDoS bot family. Later revisions keep this core match and only
# extend the exclusion list.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Potential Avzhan DDOS Bot or abnormal User-Agent"; flow:established,to_server; content:"User-Agent|3A|Mozilla"; http_header; content:!"BlackBerry|3b|"; http_header; classtype:trojan-activity; reference:url,blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan; sid:2011800; rev:4;)

Added 2011-02-04 17:31:34 UTC


Topic revision: r3 - 2011-07-06 - MattJonkman
 