EmergingThreats> Main Web>2003179 (revision 4)EditAttach

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY exe download without User Agent"; flow:established,to_server; content:"GET "; depth:4; uricontent:".exe"; nocase; content:!"User-Agent\:"; content:!"download.windowsupdate.com"; content:!"mms\://"; nocase; classtype:policy-violation; reference:url,doc.emergingthreats.net/2003179; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_EXE_NoUserAgent; sid:2003179; rev:6;)

Added 2009-02-11 19:00:24 UTC

False positive due to Dr Watson error reporting, suggest addition of content:!"dw20.exe"

-- TimBrigham - 18 Nov 2009

What domain is it reporting to for dr watson?

-- MattJonkman - 18 Nov 2009


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY exe download without User Agent"; flow:established,to_server; content:"GET "; depth:4; uricontent:".exe"; nocase; content:!"User-Agent\:"; content:!"download.windowsupdate.com"; content:!"mms\://"; nocase; classtype:policy-violation; reference:url,doc.emergingthreats.net/2003179; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_EXE_NoUserAgent; sid:2003179; rev:6;)

Added 2009-02-11 19:00:24 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY exe download without User Agent"; flow:established,to_server; content:"GET "; depth:4; uricontent:".exe"; nocase; content:!"User-Agent\:"; content:!"download.windowsupdate.com"; content:!"mms\://"; nocase; classtype:policy-violation; sid:2003179; rev:5;)

Added 2009-02-03 23:45:24 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY exe download without User Agent"; flow:established,to_server; content:"GET "; depth:4; uricontent:".exe"; nocase; content:!"User-Agent\:"; content:!"download.windowsupdate.com"; content:!"mms\://"; nocase; classtype:policy-violation; sid:2003179; rev:5;)

Added 2009-02-03 23:45:24 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY exe download without User Agent"; flow:established,to_server; uricontent:".exe"; nocase; content:".exe"; depth:150; nocase; content:"GET "; nocase; depth:4; offset:0; content:!"User-Agent\:"; content:!"download.windowsupdate.com"; content:!"mms\://"; nocase; classtype:policy-violation; sid:2003179; rev:4;)

Added 2008-01-31 18:48:09 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY exe download without User Agent"; flow:established,to_server; uricontent:".exe"; nocase; content:".exe"; depth:150; nocase; content:"GET "; nocase; depth:4; offset:0; content:!"User-Agent\:"; content:!"download.windowsupdate.com"; content:!"mms\://"; nocase; classtype:policy-violation; sid:2003179; rev:4;)

Added 2008-01-31 18:48:09 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY exe download without User Agent"; flow:established,to_server; uricontent:".exe"; nocase; content:".exe"; depth:150; nocase; content:"GET "; nocase; depth:4; offset:0; content:!"User-Agent\:"; content:!"download.windowsupdate.com"; content:!"mms\://"; nocase; classtype:policy-violation; sid:2003179; rev:3;)

Added 2007-04-19 09:00:25 UTC

Added the get match to make sure this is in the first packet of the stream.

-- MattJonkman - 19 Apr 2007


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY exe download without User Agent"; flow:established,to_server; uricontent:".exe"; nocase; content:".exe"; depth:150; nocase; content:!"User-Agent\:"; content:!"download.windowsupdate.com"; content:!"mms\://"; nocase; classtype:policy-violation; sid:2003179; rev:2;)



Edit | Attach | Print version | History: r5 < r4 < r3 < r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions...
Topic revision: r4 - 2009-11-18 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats