EmergingThreats> Main Web>2002167 (2017-01-10, MaksymParpaley) EditAttach

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow:to_server,established; content:"Wise"; http_user_agent; depth:4; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; reference:url,doc.emergingthreats.net/2002167; classtype:trojan-activity; sid:2002167; rev:18; metadata:created_at 2010_07_30, updated_at 2020_04_22;)

Added 2020-04-22 19:05:09 UTC

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow:to_server,established; content:"Wise"; http_user_agent; depth:4; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; reference:url,doc.emergingthreats.net/2002167; classtype:trojan-activity; sid:2002167; rev:18; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2018-09-13 19:37:49 UTC

Added 2018-09-13 17:52:43 UTC

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow:to_server,established; content:"Wise"; http_user_agent; depth:4; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; reference:url,doc.emergingthreats.net/2002167; classtype:trojan-activity; sid:2002167; rev:18; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 20:55:52 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow:to_server,established; content:"User-Agent|3a| Wise"; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; reference:url,doc.emergingthreats.net/2002167; classtype:trojan-activity; sid:2002167; rev:16;)

Added 2011-10-12 19:11:22 UTC

Hello!

Please consider rule modification. Reason: legitimate application with Wise UA detected.

Our Customers are using Yearli Desktop application. Previous name for that application is WinFiler?. Link to approve application name change - http://yearlidesktop.greatland.com/Downloads/YD%203.14.32%20Release%20Notes.pdf

This software was designed by greatland.com corporation. Link to company web site - http://www.greatland.com/category/software+&+online+filing/yearli+desktop.do

PCAP (without confidential information ):

GET /2015/YearliDesktop/UpdateConfig.INI HTTP/1.1 Accept: / User-Agent: Wise Host: winfilerupdate.winfiler.com Connection: Keep-Alive

HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Thu, 07 Apr 2016 20:34:19 GMT Accept-Ranges: bytes ETag: "5523bfdcc91d11:0" Server: Microsoft-IIS/7.5 X-Powered-By: ASP.NET Date: Thu, 05 Jan 2017 14:46:46 GMT Content-Length: 44 Set-Cookie:

[LatestUpdate] SubDirName?=

GET /2015/YearliDesktop/2016-03-07_Q4U6/versions.ini HTTP/1.1 Accept: / User-Agent: Wise Host: winfilerupdate.winfiler.com Connection: Keep-Alive Cookie:

DATA

Thanks!

-- MaksymParpaley - 2017-01-06

My Maksym, this is a POLICY rule that is very dependent on your organizations policies. If your organization allows applications such as these then you should disable the rules or suppress the alerts.

-- DarienH - 2017-01-06

Make sense. Thank you.

-- MaksymParpaley - 2017-01-10

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow:to_server,established; content:"User-Agent|3a| Wise"; http_header; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; reference:url,doc.emergingthreats.net/2002167; sid:2002167; rev:16;)

Added 2011-09-14 21:27:25 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow:to_server,established; content:"User-Agent|3a| Wise"; http_header; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; reference:url,doc.emergingthreats.net/2002167; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Wise; sid:2002167; rev:16;)

Added 2011-02-04 17:21:45 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow: to_server,established; content:"|0d 0a|User-Agent\: Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002167; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Wise; sid:2002167; rev:13;)

Added 2009-02-11 19:24:43 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow: to_server,established; content:"|0d 0a|User-Agent\: Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002167; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Wise; sid:2002167; rev:13;)

Added 2009-02-11 19:24:43 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow: to_server,established; content:"|0d 0a|User-Agent\: Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:12;)

Added 2008-03-12 13:13:30 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow: to_server,established; content:"|0d 0a|User-Agent\: Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:12;)

Added 2008-03-12 13:13:30 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow: to_server,established; content:"|0d 0a|User-Agent\: Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:12;)

Added 2008-03-12 13:12:13 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow: to_server,established; content:"|0d 0a|User-Agent\: Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:12;)

Added 2008-03-12 13:12:13 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Malware - Wise User Agent (Wise)"; flow: to_server,established; content:"|0d 0a|User-Agent\: Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:11;)

Added 2008-03-09 15:12:09 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Malware - Wise User Agent (Wise)"; flow: to_server,established; content:"|0d 0a|User-Agent\: Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:11;)

Added 2008-03-09 15:12:09 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spyware - Wise User Agent"; flow: to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Wise/i"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:9;)

Added 2008-01-28 17:24:20 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spyware - Wise User Agent"; flow: to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Wise/i"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:9;)

Added 2008-01-28 17:24:20 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Possible Spyware - Wise User Agent"; flow: to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Wise/i"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:8;)

Edit | Attach | Print version | History: r4 < r3 < r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r4 - 2017-01-10 - MaksymParpaley
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats