alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow:to_server,established; content:"Wise"; http_user_agent; depth:4; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; reference:url,doc.emergingthreats.net/2002167; classtype:trojan-activity; sid:2002167; rev:18; metadata:created_at 2010_07_30, updated_at 2010_07_30;) Added 2018-09-13 19:37:49 UTC
Added 2018-09-13 17:52:43 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow:to_server,established; content:"Wise"; http_user_agent; depth:4; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; reference:url,doc.emergingthreats.net/2002167; classtype:trojan-activity; sid:2002167; rev:18; metadata:created_at 2010_07_30, updated_at 2010_07_30;) Added 2017-08-07 20:55:52 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow:to_server,established; content:"User-Agent|3a| Wise"; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; reference:url,doc.emergingthreats.net/2002167; classtype:trojan-activity; sid:2002167; rev:16;) Added 2011-10-12 19:11:22 UTC Hello! Please consider rule modification. Reason: legitimate application with Wise UA detected. Our Customers are using Yearli Desktop application. Previous name for that application is WinFiler?. Link to approve application name change - http://yearlidesktop.greatland.com/Downloads/YD%203.14.32%20Release%20Notes.pdf This software was designed by greatland.com corporation. Link to company web site - http://www.greatland.com/category/software+&+online+filing/yearli+desktop.do PCAP (without confidential information ): GET /2015/YearliDesktop/UpdateConfig.INI HTTP/1.1 Accept: / User-Agent: Wise Host: winfilerupdate.winfiler.com Connection: Keep-Alive HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Thu, 07 Apr 2016 20:34:19 GMT Accept-Ranges: bytes ETag: "5523bfdcc91d11:0" Server: Microsoft-IIS/7.5 X-Powered-By: ASP.NET Date: Thu, 05 Jan 2017 14:46:46 GMT Content-Length: 44 Set-Cookie: [LatestUpdate] SubDirName?= GET /2015/YearliDesktop/2016-03-07_Q4U6/versions.ini HTTP/1.1 Accept: / User-Agent: Wise Host: winfilerupdate.winfiler.com Connection: Keep-Alive Cookie: DATA Thanks! -- MaksymParpaley - 2017-01-06 My Maksym, this is a POLICY rule that is very dependent on your organizations policies. If your organization allows applications such as these then you should disable the rules or suppress the alerts. -- DarienH - 2017-01-06 Make sense. Thank you. -- MaksymParpaley - 2017-01-10
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow:to_server,established; content:"User-Agent|3a| Wise"; http_header; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; reference:url,doc.emergingthreats.net/2002167; sid:2002167; rev:16;) Added 2011-09-14 21:27:25 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow:to_server,established; content:"User-Agent|3a| Wise"; http_header; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; reference:url,doc.emergingthreats.net/2002167; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Wise; sid:2002167; rev:16;) Added 2011-02-04 17:21:45 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow: to_server,established; content:"|0d 0a|User-Agent\: Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002167; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Wise; sid:2002167; rev:13;) Added 2009-02-11 19:24:43 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow: to_server,established; content:"|0d 0a|User-Agent\: Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002167; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Wise; sid:2002167; rev:13;) Added 2009-02-11 19:24:43 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow: to_server,established; content:"|0d 0a|User-Agent\: Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:12;) Added 2008-03-12 13:13:30 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow: to_server,established; content:"|0d 0a|User-Agent\: Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:12;) Added 2008-03-12 13:13:30 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow: to_server,established; content:"|0d 0a|User-Agent\: Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:12;) Added 2008-03-12 13:12:13 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow: to_server,established; content:"|0d 0a|User-Agent\: Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:12;) Added 2008-03-12 13:12:13 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Malware - Wise User Agent (Wise)"; flow: to_server,established; content:"|0d 0a|User-Agent\: Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:11;) Added 2008-03-09 15:12:09 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Malware - Wise User Agent (Wise)"; flow: to_server,established; content:"|0d 0a|User-Agent\: Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:11;) Added 2008-03-09 15:12:09 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spyware - Wise User Agent"; flow: to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Wise/i"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:9;) Added 2008-01-28 17:24:20 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spyware - Wise User Agent"; flow: to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Wise/i"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:9;) Added 2008-01-28 17:24:20 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Possible Spyware - Wise User Agent"; flow: to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Wise/i"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:8;)
Topic revision: r4 - 2017-01-10 - MaksymParpaley
Main Web
Create New Topic
Index
Search
Changes
Preferences- User Reference
- ATasteOfTWiki
- TextFormattingRules
- Signature Reference
- WebRss Feed
- EmergingFAQ
 |
|
Copyright © Emerging Threats