# ET POLICY sid 2002167, rev 18 (Suricata "alert http" form).
# Fires on client-to-server HTTP requests, on any port, from $HOME_NET to
# $EXTERNAL_NET whose User-Agent value starts with the four bytes "Wise".
#  - content:"Wise"; http_user_agent; depth:4; pins the match to the start of
#    the User-Agent buffer. There is no nocase, so the match is case-sensitive.
#  - Nothing anchors the end of the value, so any User-Agent that merely begins
#    with "Wise" also alerts. NOTE(review): the msg suggests the exact value
#    "Wise" is intended; an end anchor (e.g. a negated relative isdataat) would
#    be needed for that -- confirm with the rule maintainers.
#  - classtype is trojan-activity although the msg labels this a POLICY rule,
#    so triage on the msg text. The User-Agent is chosen by the client; a hit
#    identifies a client string, not malware by itself.
#  - Tuning: the discussion on this page reports a legitimate updater sending
#    "User-Agent: Wise". A suppression scoped to the known hosts keeps the rule
#    active for other traffic, unlike disabling the sid outright.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow:to_server,established; content:"Wise"; http_user_agent; depth:4; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; reference:url,doc.emergingthreats.net/2002167; classtype:trojan-activity; sid:2002167; rev:18; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
Added 2020-04-22 19:05:09 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow:to_server,established; content:"Wise"; http_user_agent; depth:4; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; reference:url,doc.emergingthreats.net/2002167; classtype:trojan-activity; sid:2002167; rev:18; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Added 2018-09-13 19:37:49 UTC
Added 2018-09-13 17:52:43 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow:to_server,established; content:"Wise"; http_user_agent; depth:4; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; reference:url,doc.emergingthreats.net/2002167; classtype:trojan-activity; sid:2002167; rev:18; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Added 2017-08-07 20:55:52 UTC
# rev 16 (alert tcp form): matches the literal "User-Agent: Wise" (|3a| is the
# colon) anywhere in the HTTP header buffer of client-to-server traffic to
# $HTTP_PORTS. HTTP on ports outside $HTTP_PORTS is not covered by this form.
# The substring is unanchored on both sides, so longer values beginning with
# "Wise" and header names that end in "User-Agent" match as well.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow:to_server,established; content:"User-Agent|3a| Wise"; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; reference:url,doc.emergingthreats.net/2002167; classtype:trojan-activity; sid:2002167; rev:16;)
Added 2011-10-12 19:11:22 UTC
Hello!
Please consider rule modification.
Reason: legitimate application with Wise UA detected.
Our customers are using the Yearli Desktop application. The previous name of that application was
WinFiler. Link confirming the application name change -
http://yearlidesktop.greatland.com/Downloads/YD%203.14.32%20Release%20Notes.pdf
This software was designed by greatland.com corporation. Link to company web site -
http://www.greatland.com/category/software+&+online+filing/yearli+desktop.do
PCAP (without confidential information):
GET /2015/YearliDesktop/UpdateConfig.INI HTTP/1.1
Accept: */*
User-Agent: Wise
Host: winfilerupdate.winfiler.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Thu, 07 Apr 2016 20:34:19 GMT
Accept-Ranges: bytes
ETag: "5523bfdcc91d11:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Thu, 05 Jan 2017 14:46:46 GMT
Content-Length: 44
Set-Cookie:
[LatestUpdate]
SubDirName=
GET /2015/YearliDesktop/2016-03-07_Q4U6/versions.ini HTTP/1.1
Accept: */*
User-Agent: Wise
Host: winfilerupdate.winfiler.com
Connection: Keep-Alive
Cookie:
DATA
Thanks!
--
MaksymParpaley - 2017-01-06
Hi Maksym, this is a POLICY rule that is very dependent on your organization's policies. If your organization allows applications such as these, then you should disable the rules or suppress the alerts.
--
DarienH - 2017-01-06
Makes sense. Thank you.
--
MaksymParpaley - 2017-01-10
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow:to_server,established; content:"User-Agent|3a| Wise"; http_header; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; reference:url,doc.emergingthreats.net/2002167; sid:2002167; rev:16;)
Added 2011-09-14 21:27:25 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow:to_server,established; content:"User-Agent|3a| Wise"; http_header; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; reference:url,doc.emergingthreats.net/2002167; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Wise; sid:2002167; rev:16;)
Added 2011-02-04 17:21:45 UTC
# rev 13: raw payload match with no HTTP buffer keyword. The leading |0d 0a|
# (CRLF) ties "User-Agent: Wise" to the start of a header line. Nothing bounds
# the end of the value, and the pattern is searched case-sensitively anywhere
# in the client-to-server payload on $HTTP_PORTS.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow: to_server,established; content:"|0d 0a|User-Agent\: Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002167; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Wise; sid:2002167; rev:13;)
Added 2009-02-11 19:24:43 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow: to_server,established; content:"|0d 0a|User-Agent\: Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002167; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Wise; sid:2002167; rev:13;)
Added 2009-02-11 19:24:43 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow: to_server,established; content:"|0d 0a|User-Agent\: Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:12;)
Added 2008-03-12 13:13:30 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow: to_server,established; content:"|0d 0a|User-Agent\: Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:12;)
Added 2008-03-12 13:13:30 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow: to_server,established; content:"|0d 0a|User-Agent\: Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:12;)
Added 2008-03-12 13:12:13 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow: to_server,established; content:"|0d 0a|User-Agent\: Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:12;)
Added 2008-03-12 13:12:13 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Malware - Wise User Agent (Wise)"; flow: to_server,established; content:"|0d 0a|User-Agent\: Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:11;)
Added 2008-03-09 15:12:09 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Malware - Wise User Agent (Wise)"; flow: to_server,established; content:"|0d 0a|User-Agent\: Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:11;)
Added 2008-03-09 15:12:09 UTC
# rev 9: the content "User-Agent:" (nocase) is paired with a PCRE that accepts
# "Wise", in any letter case, anywhere later on the same User-Agent line
# ([^\n]+ requires at least one character between the colon and "Wise").
# This is the broadest form on the page: any User-Agent line containing "wise"
# as a substring alerts, whatever else the value holds.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spyware - Wise User Agent"; flow: to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Wise/i"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:9;)
Added 2008-01-28 17:24:20 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spyware - Wise User Agent"; flow: to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Wise/i"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:9;)
Added 2008-01-28 17:24:20 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Possible Spyware - Wise User Agent"; flow: to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Wise/i"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:8;)