alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 1 User-Agent"; flow: established,to_server; content:"Windows NT 1"; nocase; http_user_agent; content:!"0"; within:1; http_user_agent; pcre:"/^[^0-9]/VR"; classtype:trojan-activity; sid:2015898; rev:4;)

Added 2016-02-24 16:22:32 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 1 User-Agent"; flow: established,to_server; content:"Windows NT 1"; nocase; http_user_agent; content:!"0"; within:1; http_user_agent; pcre:"/^[^0-9]/VR"; classtype:trojan-activity; sid:2015898; rev:4;)

Added 2016-02-23 17:39:03 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 1 User-Agent"; flow: established,to_server; content:"Windows NT 1"; nocase; http_user_agent; content:!"0"; within:1; http_user_agent; classtype:trojan-activity; sid:2015898; rev:3;)

Added 2015-02-04 17:38:29 UTC

Hi,

This rule is giving tons of false positives. Traffic coming from Windows 10 IE11.

Any idea how to fix it?

Thanks

-- MaybeLater - 2015-12-03

What is the exact UA that is causing the FP?

-- DarienH - 2015-12-03

Seeing the same issue. Here's the offending match:

.User-Agent:.Mozilla/5.0.(Windows.NT.10.0;.WOW64).AppleWebKit/537.36.(KHTML,.like.Gecko).Chrome/48.0.2564.116.Safari/537.36

As you can see from the rule, it matches "NT 1" which is going to include 10, 11, etc...

-- McDuffeeK - 2016-02-22

There is a negated "0" following the 1, so that should not have caused the signature to fire. We'll make a change to hopefully fix this up.

-- DarienH - 2016-02-23


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Windows NT version 1 User-Agent"; flow: established,to_server; content:"Windows NT 1"; nocase; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+Windows NT 1/Hmi"; classtype:trojan-activity; sid:2015898; rev:1;)

Added 2012-11-20 02:06:14 UTC

This is likely to fail with the impending release of Windows 10.

-- JohnIves - 2015-01-27

Right now IE 11 in Win10 Tech Preview is reporting this UA: "Mozilla/5.0 (Windows NT 6.4; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko" -- We'll keep an eye on it though and make changes as necessary, as it seems like MS may bump it up to NT 10 in the future.

-- DarienH - 2015-01-27

Right now Mozilla Firefox 35.0.1 on Windows 10 Tech Preview is reporting the following UA

"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0"

This is throwing a lot of false positives for me.

-- ZackRuddle - 2015-02-04

Thanks, we'll get this fixed up for today's push then.

-- DarienH - 2015-02-04
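To see how the three revisions of sid 2015898 behave on the User-Agents quoted in both threads above (the rev:3 thread on "NT 1" vs. "NT 10", and the rev:1 thread predicting the Windows 10 problem), here is an added Python emulation. It is not Emerging Threats code or engine code: the content/within/pcre semantics are approximated (every occurrence of the content is retried), and the UAs marked constructed are assumptions, not from the page.

```python
import re

# Sample User-Agents: the ones quoted in the thread plus constructed neighbours that
# probe the boundary between a bogus "Windows NT 1" and a legitimate "NT 10"/"NT 11".
SAMPLE_UAS = {
    "win10_chrome": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 "
                    "(KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36",
    "win10_firefox": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0",
    "win10_preview_ie11": "Mozilla/5.0 (Windows NT 6.4; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko",
    "bogus_nt1": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 1; SV1)",  # constructed
    "bogus_nt1_eob": "Mozilla/4.0 (compatible; Windows NT 1",              # constructed: buffer ends after the 1
    "future_nt11": "Mozilla/5.0 (Windows NT 11.0; Win64; x64)",            # constructed
}

NEEDLE = "windows nt 1"  # content:"Windows NT 1"; nocase;


def _match_ends(ua):
    """Yield the offset just past every (case-insensitive) occurrence of the content match."""
    low, start = ua.lower(), 0
    while (i := low.find(NEEDLE, start)) != -1:
        yield i + len(NEEDLE)
        start = i + 1


def rev1_fires(ua):
    # rev:1 inspected the whole header buffer with pcre:"/^User-Agent\x3a[^\r\n]+Windows NT 1/Hmi":
    # any "Windows NT 1" substring matches, so NT 10.x and NT 11.x fire as well.
    header = f"User-Agent: {ua}\r\n"
    return re.search(r"^User-Agent\x3a[^\r\n]+Windows NT 1", header, re.I | re.M) is not None


def rev3_fires(ua):
    # rev:3 adds content:!"0"; within:1; -- the single byte after the match must not be "0".
    # An empty tail also satisfies the negation, and "NT 11", "NT 12", ... still fire.
    return any(ua[end:end + 1] != "0" for end in _match_ends(ua))


def rev4_fires(ua):
    # rev:4 keeps the negated "0" and adds pcre:"/^[^0-9]/VR": exactly one more byte must
    # follow the match and it must not be any digit, which excludes NT 11+ and an empty tail.
    return any(ua[end:end + 1] != "0" and re.match(r"^[^0-9]", ua[end:]) is not None
               for end in _match_ends(ua))


def evaluate(ua):
    return {"rev1": rev1_fires(ua), "rev3": rev3_fires(ua), "rev4": rev4_fires(ua)}


if __name__ == "__main__":
    for name, ua in SAMPLE_UAS.items():
        print(f"{name:20s} {evaluate(ua)}")
```

The constructed end-of-buffer case shows why rev:4 needs the relative pcre in addition to the negated content: a negation alone is satisfied by "nothing follows", whereas `^[^0-9]` demands a real non-digit byte.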


Topic revision: r10 - 2016-02-23 - DarienH