alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Norton Update User-Agent (Install Stub)"; flow:to_server,established; content:"User-Agent|3a| Install Stub"; http_header; content:"stats.norton.com|0d 0a|"; http_header; reference:url,threatexpert.com/reports.aspx?find=stats.norton.com; classtype:trojan-activity; sid:2013882; rev:3;)

Added 2011-11-16 19:57:13 UTC

Documentation: This rule alerts about an unusual browser user-agent. It is possible that a trojan is masquerading as this agent to escape detection.

False Positives: A genuine request from a Norton product to an IP address that provides Norton products.

Analyst Response: Investigate the destination and source IP address to ensure the communication is legitimate. Ensure that the client host uses Norton products and that the queried host provides information or updates regarding Norton products.

-- MainNetavarkaSuraksa - 2014-03-06


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Install Stub)"; flow:to_server,established; content:"User-Agent|3a| Install Stub"; http_header; reference:url,threatexpert.com/reports.aspx?find=stats.norton.com; classtype:trojan-activity; sid:2013882; rev:2;)

Added 2011-11-08 13:57:26 UTC
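The difference between the two revisions above, shown by emulating their content matches over constructed requests. This is an added example, not part of the Emerging Threats documentation; it models only the content/http_header options (not flow, ports or engine header normalization), and the host updates.example.test and path /stub are made up for the samples.

```python
# Added example: emulates only the content matches of sid:2013882 rev 2 and rev 3.

def decode_content(pattern: str) -> bytes:
    """Turn a rule content string with |hex| sections into raw bytes."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        # Odd-numbered parts sit between pipes and hold hex bytes.
        out += bytes.fromhex(part) if i % 2 else part.encode("ascii")
    return bytes(out)

REV2 = [decode_content("User-Agent|3a| Install Stub")]
REV3 = REV2 + [decode_content("stats.norton.com|0d 0a|")]

def header_block(raw_request: bytes) -> bytes:
    """Header lines only: after the request line, before the body."""
    head = raw_request.split(b"\r\n\r\n", 1)[0] + b"\r\n"
    return head.split(b"\r\n", 1)[1]

def matches(contents, raw_request: bytes) -> bool:
    """Every content must occur in the headers; the rule has no nocase,
    so the comparison is case-sensitive."""
    headers = header_block(raw_request)
    return all(c in headers for c in contents)

def request(host: str, user_agent: str) -> bytes:
    """Build a constructed sample request (not captured traffic)."""
    return (f"GET /stub HTTP/1.1\r\nUser-Agent: {user_agent}\r\n"
            f"Host: {host}\r\n\r\n").encode("ascii")

SAMPLES = {
    "norton_stub": request("stats.norton.com", "Install Stub"),
    "stub_other_host": request("updates.example.test", "Install Stub"),
    "browser": request("stats.norton.com", "Mozilla/5.0"),
}

def evaluate() -> dict:
    """Map sample name -> (rev 2 alerts, rev 3 alerts)."""
    return {n: (matches(REV2, r), matches(REV3, r)) for n, r in SAMPLES.items()}

if __name__ == "__main__":
    for name, (rev2, rev3) in evaluate().items():
        print(f"{name:16} rev2={rev2} rev3={rev3}")
```

Rev 3 alerts only when both header strings are present, so the "Install Stub" agent sent to any other host is covered by rev 2 alone; the analyst response's destination check applies to the hosts rev 3 does flag.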


Topic revision: r3 - 2014-03-06 - PhilSchroeder
 
Copyright © Emerging Threats