alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious UA Mozilla / 4.0"; flow:to_server,established; content:"User-Agent|3a| Mozilla / 4.0|0d 0a|"; nocase; http_header; content:!"captive.apple.com|0d 0a|"; http_header; content:!".google.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2013964; rev:4; metadata:created_at 2011_11_23, updated_at 2017_01_12;)

Added 2017-08-07 21:07:15 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious UA Mozilla / 4.0"; flow:to_server,established; content:"User-Agent|3a| Mozilla / 4.0|0d 0a|"; nocase; http_header; content:!"captive.apple.com|0d 0a|"; http_header; content:!".google.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2013964; rev:4;)

Added 2017-01-12 17:36:21 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious UA Mozilla / 4.0"; flow:to_server,established; content:"User-Agent|3a| Mozilla / 4.0|0d 0a|"; nocase; http_header; content:!"captive.apple.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2013964; rev:3;)

Added 2017-01-06 16:15:29 UTC

Hello. One more captive portal detection URL

Shill, the connection manager for Chromium OS, attempts to detect services that are within a captive portal whenever a service transitions to the ready state. This determination of being in a captive portal or being online is done by attempting to retrieve the webpage http://clients3.google.com/generate_204. This well known URL is known to return an empty page with an HTTP status 204. If for any reason the web page is not returned, or an HTTP response other than 204 is received, then shill marks the service as being in the portal state.

PCAP:

GET /generate_204 HTTP/1.1
Host: clients3.google.com
User-Agent: Mozilla / 4.0
Connection: Keep-Alive

HTTP/1.1 204 No Content
Content-Length: 0
Date: Tue, 10 Jan 2017 13:26:03 GMT

Please add an exception

-- MaksymParpaley - 2017-01-11


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious UA Mozilla / 4.0"; flow:to_server,established; content:"User-Agent|3a| Mozilla / 4.0|0d 0a|"; nocase; http_header; classtype:trojan-activity; sid:2013964; rev:2;)

Added 2014-09-15 18:30:48 UTC

Hello. Please consider rule modification. Reason:

GET /generate_204 HTTP/1.1
Host: captive.apple.com
User-Agent: Mozilla / 4.0
Connection: Keep-Alive

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 68
Date: Thu, 05 Jan 2017 21:55:08 GMT
Connection: keep-alive

<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>

Attempt to detect a captive portal by Apple Inc.

Thanks

-- MaksymParpaley - 2017-01-06
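The two comments above (the Apple captive.apple.com probe and the Chromium OS shill probe to clients3.google.com) are the reason rev:3 and rev:4 added negated content matches. The following is an added example, not code from the Emerging Threats page or from Suricata: it re-implements only the content / nocase / negation semantics of sid:2013964 rev:2 through rev:4 over an approximation of Suricata's request http_header buffer (all header lines after the request line) and replays each revision against constructed request headers. The sample requests are constructed; the first two mirror the probes quoted in the comments, the others (including the RFC 5737 documentation address 198.51.100.23 and the Referer line) are invented to exercise the exceptions.

```python
"""Replay of ET sid:2013964 rev:2..4 over constructed HTTP request headers.

Added example, not part of the Emerging Threats page or of Suricata. It
models only the content/nocase/negation semantics of the rule over an
approximation of Suricata's http_header buffer, so the effect of the two
captive-portal exceptions can be seen without running the engine.
"""

# Constructed samples. The first two mirror the Apple and Chromium OS probes
# quoted in the comments; the rest are made up to exercise the exceptions.
# 198.51.100.23 is an RFC 5737 documentation address, not a real C2 host.
SAMPLES = {
    "apple_probe": (
        "GET /generate_204 HTTP/1.1\r\n"
        "Host: captive.apple.com\r\n"
        "User-Agent: Mozilla / 4.0\r\n"
        "Connection: Keep-Alive\r\n\r\n"
    ),
    "chromeos_probe": (
        "GET /generate_204 HTTP/1.1\r\n"
        "Host: clients3.google.com\r\n"
        "User-Agent: Mozilla / 4.0\r\n"
        "Connection: Keep-Alive\r\n\r\n"
    ),
    "unknown_host": (
        "GET /gate.php HTTP/1.1\r\n"
        "Host: 198.51.100.23\r\n"
        "user-agent: mozilla / 4.0\r\n"  # lower-case: still caught because of nocase
        "Connection: Keep-Alive\r\n\r\n"
    ),
    "referer_google": (
        "GET /gate.php HTTP/1.1\r\n"
        "Host: 198.51.100.23\r\n"
        "User-Agent: Mozilla / 4.0\r\n"
        "Referer: http://www.google.com\r\n"  # ends in ".google.com\r\n" but is not the Host header
        "Connection: Keep-Alive\r\n\r\n"
    ),
    "real_browser": (
        "GET / HTTP/1.1\r\n"
        "Host: www.example.com\r\n"
        "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"
        "Connection: Keep-Alive\r\n\r\n"
    ),
}

# Each revision as a list of (pattern, negated, nocase) content keywords,
# transcribed from the rule text on this page. Only the User-Agent content
# carries nocase; the negated exceptions are case-sensitive.
UA_CONTENT = ("User-Agent: Mozilla / 4.0\r\n", False, True)
RULE_REVISIONS = {
    2: [UA_CONTENT],
    3: [UA_CONTENT, ("captive.apple.com\r\n", True, False)],
    4: [UA_CONTENT, ("captive.apple.com\r\n", True, False),
        (".google.com\r\n", True, False)],
}


def header_buffer(request):
    """Approximate Suricata's request http_header buffer: every header line
    after the request line, each terminated by CRLF, request line excluded."""
    head = request.split("\r\n\r\n", 1)[0]
    return head.split("\r\n", 1)[1] + "\r\n"


def content_matches(buf, pattern, nocase):
    """Suricata 'content' is a substring search; nocase folds both sides."""
    if nocase:
        return pattern.lower() in buf.lower()
    return pattern in buf


def rule_fires(buf, contents):
    """All content keywords must hold: positive ones present, negated ones absent."""
    return all(content_matches(buf, pattern, nocase) != negated
               for pattern, negated, nocase in contents)


def evaluate(samples=SAMPLES, revisions=RULE_REVISIONS):
    """Return {rev: sorted names of samples that alert} for each rule revision."""
    return {
        rev: sorted(name for name, req in samples.items()
                    if rule_fires(header_buffer(req), contents))
        for rev, contents in revisions.items()
    }


if __name__ == "__main__":
    for rev, hits in evaluate().items():
        print("rev:%d alerts on: %s" % (rev, ", ".join(hits) or "(none)"))
```

Running it shows rev:2 alerting on both captive-portal probes, rev:3 still alerting on the Chromium OS probe, and rev:4 alerting only on the constructed unknown-host request. The `referer_google` sample illustrates the caveat in how the exceptions are written: `content:!".google.com|0d 0a|"; http_header;` is evaluated against the whole header buffer, not the Host header specifically, so any header line ending in `.google.com` (here a Referer) also suppresses the alert. Anchoring the exception on the header name, e.g. `content:!"Host|3a| captive.apple.com|0d 0a|"; http_header;`, keeps the whitelist limited to the probe destinations.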


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Mozilla / 4.0 CNC traffic"; flow:to_server,established; content:"User-Agent|3a| Mozilla / 4.0|0d 0a|"; http_header; classtype:trojan-activity; sid:2013964; rev:2;)

Added 2011-11-23 17:03:33 UTC


Topic revision: r3 - 2017-01-11 - MaksymParpaley
Copyright © Emerging Threats