alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Downloader User-Agent HTTPGET"; flow:established,to_server; content:"HTTPGET"; depth:7; http_user_agent; content:!"autodesk.com|0d 0a|"; http_header; content:!"rsa.com"; http_header; content:!"consumersentinel.gov"; http_header; content:!"technet.microsoft.com"; http_header; content:!"metropolis.com"; http_header; content:!"www.catalog.update.microsoft.com|0d|"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013508; rev:11; metadata:created_at 2011_08_31, updated_at 2017_10_30;)

Added 2017-10-30 18:17:41 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Downloader User-Agent HTTPGET"; flow:established,to_server; content:"HTTPGET"; depth:7; http_user_agent; content:!"autodesk.com|0d 0a|"; http_header; content:!"rsa.com"; http_header; content:!"consumersentinel.gov"; http_header; content:!"technet.microsoft.com"; http_header; content:!"metropolis.com"; http_header; content:!"www.catalog.update.microsoft.com|0d|"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013508; rev:11; metadata:created_at 2011_08_31, updated_at 2017_10_30;)

Added 2017-10-30 16:39:49 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Downloader User-Agent HTTPGET"; flow:established,to_server; content:"HTTPGET"; depth:7; http_user_agent; content:!"autodesk.com|0d 0a|"; http_header; content:!"rsa.com"; http_header; content:!"consumersentinel.gov"; http_header; content:!"technet.microsoft.com"; http_header; content:!"metropolis.com"; http_header; content:!"www.catalog.update.microsoft.com|0d|"; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013508; rev:10; metadata:created_at 2011_08_31, updated_at 2017_10_25;)

Added 2017-10-25 16:14:21 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Downloader User-Agent HTTPGET"; flow:established,to_server; content:"HTTPGET"; depth:7; http_user_agent; content:!"autodesk.com|0d 0a|"; http_header; content:!"rsa.com"; http_header; content:!"consumersentinel.gov"; http_header; content:!"technet.microsoft.com"; http_header; content:!"metropolis.com"; http_header; classtype:trojan-activity; sid:2013508; rev:9; metadata:created_at 2011_08_31, updated_at 2016_11_28;)

Added 2017-08-07 21:06:49 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Downloader User-Agent HTTPGET"; flow:established,to_server; content:"HTTPGET"; depth:7; http_user_agent; content:!"autodesk.com|0d 0a|"; http_header; content:!"rsa.com"; http_header; content:!"consumersentinel.gov"; http_header; content:!"technet.microsoft.com"; http_header; content:!"metropolis.com"; http_header; classtype:trojan-activity; sid:2013508; rev:9;)

Added 2017-07-17 16:48:02 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Downloader User-Agent HTTPGET"; flow:established,to_server; content:"HTTPGET"; depth:7; http_user_agent; content:!"autodesk.com|0d 0a|"; http_header; content:!"rsa.com"; http_header; content:!"consumersentinel.gov"; http_header; content:!"technet.microsoft.com"; http_header; classtype:trojan-activity; sid:2013508; rev:8;)

Added 2016-11-28 18:57:54 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Downloader User-Agent HTTPGET"; flow:established,to_server; content:"HTTPGET"; depth:7; http_user_agent; content:!"autodesk.com|0d 0a|"; http_header; content:!"rsa.com"; http_header; content:!"consumersentinel.gov"; http_header; classtype:trojan-activity; sid:2013508; rev:6;)

Added 2014-07-28 18:08:35 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Downloader User-Agent HTTPGET"; flow:established,to_server; content:"User-Agent|3A 20|HTTPGET"; http_header; content:"User-Agent|3A 20|HTTPGET"; http_header; content:!"autodesk.com|0d 0a|"; http_header; content:!"autodesk.com; http_header; content:!"www.rsa.com"; http_header; content:!"news.consumersentinel.gov"; http_header; classtype:trojan-activity; sid:2013508; rev:5;)


RSA toolbar with Consumer Sentinel feed produces false positives.

-- MichaelMenefee - 2014-07-24

Hi Michael, would you happen to have a pcap or could tell us what data was in the Host: header that produced this FP? Thanks!

-- DarienH - 2014-07-24

No PCAP, just the portions captured by Suricata:

..../Y...'....E.....@.}.m...Nj...L...P.".5u..'P.@.D...GET /download/products/rsatoolbar/ie/latest142/update.rdf HTTP/1.1..User-Agent: HTTPGET..Host: www.rsa.com..Cache-Control: no-cache....

followed by 3 hits with:

..../Y...'....E.....@.}.E...Nj...t...P.C......P.@..I..GET /trustedsites/SentinelSiteList.xml HTTP/1.1..User-Agent: HTTPGET..Host: news.consumersentinel.gov..Cache-Control: no-cache....

-- MichaelMenefee - 2014-07-28

Thanks, we'll send out a fix for this today or at the latest tomorrow!

-- DarienH - 2014-07-28
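As an added example (not the Emerging Threats rule text or Suricata code), the Python predicate below models the matching logic of sid:2013508 as it changed from rev:4 to rev:6 and runs it over constructed requests shaped like the ones posted above, showing the false positive under rev:4's exception list and its suppression under rev:6's. The exception lists are copied from the rule text; note that rsa.com and consumersentinel.gov are plain substrings, not anchored to a header line end with |0d 0a| the way autodesk.com is, so any header containing them suppresses the alert.

```python
"""Plain-Python model of ET sid:2013508 (rev:4 vs rev:6). Added example, not
the rule engine: it approximates Suricata's http_user_agent and http_header
buffers with a raw header block and substring tests."""

# Constructed sample requests (not captured traffic), raw request line + headers.
RSA_TOOLBAR = (
    "GET /download/products/rsatoolbar/ie/latest142/update.rdf HTTP/1.1\r\n"
    "User-Agent: HTTPGET\r\nHost: www.rsa.com\r\nCache-Control: no-cache\r\n"
)
SENTINEL = (
    "GET /trustedsites/SentinelSiteList.xml HTTP/1.1\r\n"
    "User-Agent: HTTPGET\r\nHost: news.consumersentinel.gov\r\n"
    "Cache-Control: no-cache\r\n"
)
UNKNOWN = (  # a downloader check-in with no known-good Host, hypothetical host name
    "GET /update.bin HTTP/1.1\r\nUser-Agent: HTTPGET\r\nHost: example.invalid\r\n"
)

# Negated http_header contents, copied from the rule text of each revision.
# Only autodesk.com carries the |0d 0a| anchor; the others match anywhere.
EXCEPTIONS_REV4 = ["autodesk.com\r\n"]
EXCEPTIONS_REV6 = ["autodesk.com\r\n", "rsa.com", "consumersentinel.gov"]


def parse_headers(raw: str) -> dict:
    """Split the header block after the request line into a lowercase-keyed dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def rule_fires(raw: str, exceptions=EXCEPTIONS_REV6) -> bool:
    """True when the modelled rule would alert on this request."""
    ua = parse_headers(raw).get("user-agent", "")
    # content:"HTTPGET"; depth:7; http_user_agent  ->  UA value begins with HTTPGET
    if not ua.startswith("HTTPGET"):
        return False
    # content:!"..."; http_header  ->  negated substring search over all headers
    header_block = raw.split("\r\n", 1)[1]
    return not any(exc in header_block for exc in exceptions)


if __name__ == "__main__":
    for name, req in [("rsa", RSA_TOOLBAR), ("sentinel", SENTINEL), ("unknown", UNKNOWN)]:
        print(name, "rev4:", rule_fires(req, EXCEPTIONS_REV4), "rev6:", rule_fires(req))
```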


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Downloader User-Agent HTTPGET"; flow:established,to_server; content:"User-Agent|3A 20|HTTPGET"; http_header; content:"User-Agent|3A 20|HTTPGET"; http_header; content:!"autodesk.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2013508; rev:4;)

Added 2014-06-27 17:58:06 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader User-Agent HTTPGET"; flow:established,to_server; content:"User-Agent|3A 20|HTTPGET"; http_header; classtype:trojan-activity; sid:2013508; rev:2;)

Added 2011-10-12 19:37:03 UTC


Topic revision: r6 - 2014-07-28 - DarienH