# ET INFO sid 2003492 rev 33 (latest post on this page, metadata updated_at 2020_10_21).
# Fires on an outbound request ($HOME_NET -> $EXTERNAL_NET, to_server) whose User-Agent header line is
# exactly "User-Agent: Mozilla/4.0" followed by CRLF (nocase): any trailing token such as " (compatible; ...)"
# breaks the match. classtype bad-unknown / former_category HUNTING marks this as a low-confidence hunting
# signature; the history below shows many legitimate clients sending a bare Mozilla/4.0, so treat a hit as a
# lead to triage, not as evidence of malware.
# All host exclusions are unanchored substring matches on the http_host buffer (Suricata lowercases that
# buffer, which is why no nocase is used): "cloudera.com" also excludes "xcloudera.com" or
# "cloudera.com.example.net". The Host header is written by the client, so malware can place any of these
# strings in Host to suppress the alert; do not treat the exclusion list as a trust decision.
# The "Cookie: PREF=ID=" exclusion is evaluated on the un-normalized header buffer (http_raw_header); the
# "/CallParrotWebClient/" exclusion is a substring of the normalized URI.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Cookie|3a 20|PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"www.google.com"; http_host; content:!"secure.logmein.com"; http_host; content:!"weixin.qq.com"; http_host; content:!"slickdeals.net"; http_host; content:!"cloudera.com"; http_host; content:!"secure.digitalalchemy.net.au"; http_host; content:!".ksmobile.com"; http_host; content:!"gstatic.com"; http_host; content:!".cmcm.com"; http_host; content:!".deckedbuilder.com"; http_host; content:!".mobolize.com"; http_host; content:!"wq.cloud.duba.net"; http_host; content:!"infoc2.duba.net"; http_host; content:!".bitdefender.net"; http_host; reference:url,doc.emergingthreats.net/2003492; classtype:bad-unknown; sid:2003492; rev:33; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_10_21;)
Added 2020-10-21 17:52:01 UTC
# rev 33 repost (metadata updated_at 2019_11_20): detection logic identical to the later rev 33 post above.
# The only difference from the earlier rev 33 posts below is that "former_category HUNTING" is folded into
# the single metadata block instead of a separate "metadata:" keyword.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Cookie|3a 20|PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"www.google.com"; http_host; content:!"secure.logmein.com"; http_host; content:!"weixin.qq.com"; http_host; content:!"slickdeals.net"; http_host; content:!"cloudera.com"; http_host; content:!"secure.digitalalchemy.net.au"; http_host; content:!".ksmobile.com"; http_host; content:!"gstatic.com"; http_host; content:!".cmcm.com"; http_host; content:!".deckedbuilder.com"; http_host; content:!".mobolize.com"; http_host; content:!"wq.cloud.duba.net"; http_host; content:!"infoc2.duba.net"; http_host; content:!".bitdefender.net"; http_host; reference:url,doc.emergingthreats.net/2003492; classtype:bad-unknown; sid:2003492; rev:33; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2019_11_20;)
Added 2020-08-05 19:01:51 UTC
# rev 33 (2019-11-20): changes from rev 32 are a new ".bitdefender.net" http_host exclusion, classtype
# trojan-activity -> bad-unknown and former_category INFO -> HUNTING, i.e. the signature is downgraded to a
# hunting rule. http_host exclusions are unanchored substrings of a client-supplied value, so they suppress
# the alert for any host containing the string, including attacker-chosen lookalikes.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Cookie|3a 20|PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"www.google.com"; http_host; content:!"secure.logmein.com"; http_host; content:!"weixin.qq.com"; http_host; content:!"slickdeals.net"; http_host; content:!"cloudera.com"; http_host; content:!"secure.digitalalchemy.net.au"; http_host; content:!".ksmobile.com"; http_host; content:!"gstatic.com"; http_host; content:!".cmcm.com"; http_host; content:!".deckedbuilder.com"; http_host; content:!".mobolize.com"; http_host; content:!"wq.cloud.duba.net"; http_host; content:!"infoc2.duba.net"; http_host; content:!".bitdefender.net"; http_host; metadata: former_category HUNTING; reference:url,doc.emergingthreats.net/2003492; classtype:bad-unknown; sid:2003492; rev:33; metadata:created_at 2010_07_30, updated_at 2019_11_20;)
Added 2019-11-20 21:20:02 UTC
# rev 33 (2019-11-20, first of two identical posts): adds ".bitdefender.net" to the http_host exclusions,
# changes classtype trojan-activity -> bad-unknown and former_category INFO -> HUNTING. Detection of the
# bare "Mozilla/4.0" User-Agent line is otherwise unchanged from rev 32.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Cookie|3a 20|PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"www.google.com"; http_host; content:!"secure.logmein.com"; http_host; content:!"weixin.qq.com"; http_host; content:!"slickdeals.net"; http_host; content:!"cloudera.com"; http_host; content:!"secure.digitalalchemy.net.au"; http_host; content:!".ksmobile.com"; http_host; content:!"gstatic.com"; http_host; content:!".cmcm.com"; http_host; content:!".deckedbuilder.com"; http_host; content:!".mobolize.com"; http_host; content:!"wq.cloud.duba.net"; http_host; content:!"infoc2.duba.net"; http_host; content:!".bitdefender.net"; http_host; metadata: former_category HUNTING; reference:url,doc.emergingthreats.net/2003492; classtype:bad-unknown; sid:2003492; rev:33; metadata:created_at 2010_07_30, updated_at 2019_11_20;)
Added 2019-11-20 19:20:23 UTC
# rev 32 (2019-08-07): adds an "infoc2.duba.net" http_host exclusion next to the existing
# "wq.cloud.duba.net" one; still classtype trojan-activity, former_category INFO. Exclusion strings are
# matched as substrings of the client-controlled Host value, so they only suppress, never confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Cookie|3a 20|PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"www.google.com"; http_host; content:!"secure.logmein.com"; http_host; content:!"weixin.qq.com"; http_host; content:!"slickdeals.net"; http_host; content:!"cloudera.com"; http_host; content:!"secure.digitalalchemy.net.au"; http_host; content:!".ksmobile.com"; http_host; content:!"gstatic.com"; http_host; content:!".cmcm.com"; http_host; content:!".deckedbuilder.com"; http_host; content:!".mobolize.com"; http_host; content:!"wq.cloud.duba.net"; http_host; content:!"infoc2.duba.net"; http_host; metadata: former_category INFO; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:32; metadata:created_at 2010_07_30, updated_at 2019_08_07;)
Added 2019-08-07 19:27:24 UTC
# rev 31 (2019-05-29): the User-Agent match goes back from the http_user_agent buffer (rev 30) to a literal
# header-line content "User-Agent: Mozilla/4.0\r\n" on http_header (nocase, fast_pattern). This form needs
# exactly one space after the colon and a CRLF directly after "Mozilla/4.0". The host exclusions stay on
# http_host. No reason for the reversion is recorded on this page.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Cookie|3a 20|PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"www.google.com"; http_host; content:!"secure.logmein.com"; http_host; content:!"weixin.qq.com"; http_host; content:!"slickdeals.net"; http_host; content:!"cloudera.com"; http_host; content:!"secure.digitalalchemy.net.au"; http_host; content:!".ksmobile.com"; http_host; content:!"gstatic.com"; http_host; content:!".cmcm.com"; http_host; content:!".deckedbuilder.com"; http_host; content:!".mobolize.com"; http_host; content:!"wq.cloud.duba.net"; http_host; metadata: former_category INFO; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:31; metadata:created_at 2010_07_30, updated_at 2019_05_29;)
Added 2019-05-29 19:52:18 UTC
# rev 30 repost (2018-09-13): same content as the rev 30 posts of 2017-12-01 below. The UA check is on the
# http_user_agent buffer: content "Mozilla/4.0" with depth:11 (must start at offset 0) and
# isdataat:!1,relative (no byte may follow), so only a UA value that is exactly "Mozilla/4.0" matches.
# Host exclusions are unanchored substrings on http_host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:established,to_server; content:"Mozilla/4.0"; depth:11; fast_pattern; nocase; http_user_agent; isdataat:!1,relative; content:!"/CallParrotWebClient/"; http_uri; content:!"Cookie|3a 20|PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"www.google.com"; http_host; content:!"secure.logmein.com"; http_host; content:!"weixin.qq.com"; http_host; content:!"slickdeals.net"; http_host; content:!"cloudera.com"; http_host; content:!"secure.digitalalchemy.net.au"; http_host; content:!".ksmobile.com"; http_host; content:!"gstatic.com"; http_host; content:!".cmcm.com"; http_host; content:!".deckedbuilder.com"; http_host; content:!".mobolize.com"; http_host; content:!"wq.cloud.duba.net"; http_host; metadata: former_category INFO; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:30; metadata:created_at 2010_07_30, updated_at 2017_12_01;)
Added 2018-09-13 19:38:51 UTC
# User-contributed local variant (TomPootch, 2019-01-07), not an ET release: the rev 30 body with action
# "drop", the destination narrowed from $EXTERNAL_NET to the single IP 93.184.221.133, and a local-range
# sid 4000230 rev 1. "drop" only blocks when the sensor runs inline (IPS); in IDS mode it logs like alert.
# Because the destination is one hard-coded address the rule is silent for every other destination and
# must be revisited if that address changes hands; nothing on this page records what the address serves.
drop http $HOME_NET any -> 93.184.221.133 any (msg:"ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:established,to_server; content:"Mozilla/4.0"; depth:11; fast_pattern; nocase; http_user_agent; isdataat:!1,relative; content:!"/CallParrotWebClient/"; http_uri; content:!"Cookie|3a 20|PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"www.google.com"; http_host; content:!"secure.logmein.com"; http_host; content:!"weixin.qq.com"; http_host; content:!"slickdeals.net"; http_host; content:!"cloudera.com"; http_host; content:!"secure.digitalalchemy.net.au"; http_host; content:!".ksmobile.com"; http_host; content:!"gstatic.com"; http_host; content:!".cmcm.com"; http_host; content:!".deckedbuilder.com"; http_host; content:!".mobolize.com"; http_host; content:!"wq.cloud.duba.net"; http_host; metadata: former_category INFO; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:4000230; rev:1; metadata:created_at 2010_07_30, updated_at 2017_12_01;)
--
TomPootch - 2019-01-07
Added 2018-09-13 17:53:17 UTC
# rev 30 (2017-12-01, second post of the day, identical content): restructured rule. The UA check moves to
# the http_user_agent buffer with depth:11 and isdataat:!1,relative, so only a UA value that is exactly
# "Mozilla/4.0" (nocase) matches. All Host exclusions move from header-line contents on http_header to
# unanchored substrings on http_host, and the two separate weixin.qq.com exclusions of rev 29 collapse into
# one "weixin.qq.com". http_host substrings are client-controlled and trivially satisfiable by an attacker.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:established,to_server; content:"Mozilla/4.0"; depth:11; fast_pattern; nocase; http_user_agent; isdataat:!1,relative; content:!"/CallParrotWebClient/"; http_uri; content:!"Cookie|3a 20|PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"www.google.com"; http_host; content:!"secure.logmein.com"; http_host; content:!"weixin.qq.com"; http_host; content:!"slickdeals.net"; http_host; content:!"cloudera.com"; http_host; content:!"secure.digitalalchemy.net.au"; http_host; content:!".ksmobile.com"; http_host; content:!"gstatic.com"; http_host; content:!".cmcm.com"; http_host; content:!".deckedbuilder.com"; http_host; content:!".mobolize.com"; http_host; content:!"wq.cloud.duba.net"; http_host; metadata: former_category INFO; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:30; metadata:created_at 2010_07_30, updated_at 2017_12_01;)
Added 2017-12-01 17:37:46 UTC
# rev 30 (2017-12-01, first post): the User-Agent test becomes content "Mozilla/4.0" on http_user_agent
# with depth:11 (starts at offset 0) and isdataat:!1,relative (nothing follows), i.e. an exact-value match.
# Every Host exclusion is rewritten as an unanchored substring on the http_host buffer (no nocase; the
# buffer is already lowercased), which also covers subdomains such as support.weixin.qq.com that the old
# "Host|3a 20|weixin.qq.com" line-anchored form missed. Cookie exclusion stays on http_raw_header.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:established,to_server; content:"Mozilla/4.0"; depth:11; fast_pattern; nocase; http_user_agent; isdataat:!1,relative; content:!"/CallParrotWebClient/"; http_uri; content:!"Cookie|3a 20|PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"www.google.com"; http_host; content:!"secure.logmein.com"; http_host; content:!"weixin.qq.com"; http_host; content:!"slickdeals.net"; http_host; content:!"cloudera.com"; http_host; content:!"secure.digitalalchemy.net.au"; http_host; content:!".ksmobile.com"; http_host; content:!"gstatic.com"; http_host; content:!".cmcm.com"; http_host; content:!".deckedbuilder.com"; http_host; content:!".mobolize.com"; http_host; content:!"wq.cloud.duba.net"; http_host; metadata: former_category INFO; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:30; metadata:created_at 2010_07_30, updated_at 2017_12_01;)
Added 2017-12-01 16:43:58 UTC
# rev 29 (2017-10-27): message category renamed from "ET MALWARE" to "ET INFO" (former_category MALWARE
# kept in metadata); classtype stays trojan-activity and no detection content changes. Note the mixed
# exclusion styles inherited from earlier revisions: some are anchored to a "Host: " line on http_header,
# others ("|2e|cmcm|2e|com|0d 0a|", ".deckedbuilder.com", ".mobolize.com", "wq.cloud.duba.net") match the
# string anywhere in the header block, not only in Host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"Host|3a 20|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; content:!"Host|3a 20|secure.digitalalchemy.net.au"; http_header; content:!".ksmobile.com|0d 0a|"; http_header; content:!"gstatic|2e|com|0d 0a|"; http_header; content:!"weixin.qq.com|0d 0a|"; http_header; content:!"|2e|cmcm|2e|com|0d 0a|"; http_header; content:!".deckedbuilder.com"; http_header; content:!".mobolize.com"; http_header; content:!"wq.cloud.duba.net"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:29; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
Added 2017-10-27 16:27:01 UTC
# rev 28 repost (2017-08-07): same detection content as the rev 28 posts below; only the
# metadata created_at/updated_at block is added. Still "ET MALWARE" / classtype trojan-activity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"Host|3a 20|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; content:!"Host|3a 20|secure.digitalalchemy.net.au"; http_header; content:!".ksmobile.com|0d 0a|"; http_header; content:!"gstatic|2e|com|0d 0a|"; http_header; content:!"weixin.qq.com|0d 0a|"; http_header; content:!"|2e|cmcm|2e|com|0d 0a|"; http_header; content:!".deckedbuilder.com"; http_header; content:!".mobolize.com"; http_header; content:!"wq.cloud.duba.net"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:28; metadata:created_at 2010_07_30, updated_at 2017_03_06;)
Added 2017-08-07 20:56:45 UTC
# rev 28 repost (2017-05-05) without the metadata keyword; detection content unchanged from rev 28.
# The Opus software-update false positive reported below (gpsoft.com.au, dopus.com) is not excluded in
# this revision nor in any later revision shown on this page.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"Host|3a 20|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; content:!"Host|3a 20|secure.digitalalchemy.net.au"; http_header; content:!".ksmobile.com|0d 0a|"; http_header; content:!"gstatic|2e|com|0d 0a|"; http_header; content:!"weixin.qq.com|0d 0a|"; http_header; content:!"|2e|cmcm|2e|com|0d 0a|"; http_header; content:!".deckedbuilder.com"; http_header; content:!".mobolize.com"; http_header; content:!"wq.cloud.duba.net"; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:28;)
Added 2017-05-05 16:58:49 UTC
False positive: Opus software update traffic to gpsoft.com.au.
PCAP screenshot from Wireshark in attachment
http://www.gpsoft.com.au/program/program.html
--
DenisI - 2017-05-18
gpsoft.com.au and dopus.com should be excluded from the rule.
--
DenisI - 2017-05-18
# rev 28 (2017-05-03) with "metadata: former_category MALWARE" added; detection content is unchanged from
# the rev 28 post of 2017-04-13 below.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"Host|3a 20|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; content:!"Host|3a 20|secure.digitalalchemy.net.au"; http_header; content:!".ksmobile.com|0d 0a|"; http_header; content:!"gstatic|2e|com|0d 0a|"; http_header; content:!"weixin.qq.com|0d 0a|"; http_header; content:!"|2e|cmcm|2e|com|0d 0a|"; http_header; content:!".deckedbuilder.com"; http_header; content:!".mobolize.com"; http_header; content:!"wq.cloud.duba.net"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:28;)
Added 2017-05-03 17:35:06 UTC
# rev 28 (2017-04-13): adds an unanchored "wq.cloud.duba.net" exclusion on http_header. Because the
# buffer is the whole request header block, the string is excluded wherever it appears, not only in Host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"Host|3a 20|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; content:!"Host|3a 20|secure.digitalalchemy.net.au"; http_header; content:!".ksmobile.com|0d 0a|"; http_header; content:!"gstatic|2e|com|0d 0a|"; http_header; content:!"weixin.qq.com|0d 0a|"; http_header; content:!"|2e|cmcm|2e|com|0d 0a|"; http_header; content:!".deckedbuilder.com"; http_header; content:!".mobolize.com"; http_header; content:!"wq.cloud.duba.net"; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:28;)
Added 2017-04-13 16:57:16 UTC
# rev 27 (2017-04-07): fixes rev 26 by removing the trailing space from the ".mobolize.com" exclusion, so
# a "Host: web-sprint.mobolize.com\r\n" line is now excluded as intended. No other change.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"Host|3a 20|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; content:!"Host|3a 20|secure.digitalalchemy.net.au"; http_header; content:!".ksmobile.com|0d 0a|"; http_header; content:!"gstatic|2e|com|0d 0a|"; http_header; content:!"weixin.qq.com|0d 0a|"; http_header; content:!"|2e|cmcm|2e|com|0d 0a|"; http_header; content:!".deckedbuilder.com"; http_header; content:!".mobolize.com"; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:27;)
Added 2017-04-07 17:03:28 UTC
# rev 26 (2017-03-28): adds ".deckedbuilder.com" and ".mobolize.com" exclusions on http_header. The second
# one carries a trailing space inside the quotes (".mobolize.com ") which never occurs in a Host line that
# ends in CRLF, so the exclusion is dead and the Mobolize false positive reported below keeps firing;
# corrected in rev 27.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"Host|3a 20|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; content:!"Host|3a 20|secure.digitalalchemy.net.au"; http_header; content:!".ksmobile.com|0d 0a|"; http_header; content:!"gstatic|2e|com|0d 0a|"; http_header; content:!"weixin.qq.com|0d 0a|"; http_header; content:!"|2e|cmcm|2e|com|0d 0a|"; http_header; content:!".deckedbuilder.com"; http_header; content:!".mobolize.com "; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:26;)
Added 2017-03-28 17:13:11 UTC
There is a mistake in the rule: the trailing space inside the `.mobolize.com ` negation must be removed. As written the exclusion never matches a Host line that ends in ".mobolize.com" followed by CRLF, so the false positive still fires:
GET /download/ver/D45FC737-214E-8EB0-3E58-11B8B4114A0F HTTP/1.1
X-mobo-no-alias: yes
User-Agent: Mozilla/4.0
X-mobo-client-version: 2.0.0.174
Host: web-sprint.mobolize.com
Connection: Keep-Alive
Accept-Encoding: gzip
HTTP/1.1 200 OK
--
DenisI - 2017-04-07
Thanks, we'll get this fixed up today!
--
DarienH - 2017-04-07
# rev 25 (2017-03-07): adds a "|2e|cmcm|2e|com|0d 0a|" exclusion (".cmcm.com" at the end of any header
# line) on http_header. The Decked Builder false positive reported below is not yet excluded here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"Host|3a 20|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; content:!"Host|3a 20|secure.digitalalchemy.net.au"; http_header; content:!".ksmobile.com|0d 0a|"; http_header; content:!"gstatic|2e|com|0d 0a|"; http_header; content:!"weixin.qq.com|0d 0a|"; http_header; content:!"|2e|cmcm|2e|com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:25;)
Added 2017-03-07 18:33:27 UTC
False positive with the Decked Builder mobile app (deckedbuilder.com).
PCAP:
GET /price/tcglo/417817 HTTP/1.1
User-Agent: Mozilla/4.0
Host: dbpricerails2.deckedbuilder.com
Connection: Keep-Alive
Accept-Encoding: gzip
--
PhillipPeterson - 2017-03-25
Fixing this today, thanks!
--
DarienH - 2017-03-28
# rev 24 (2017-01-12): rev bump only; the detection content is identical to the rev 23 post below.
# The Mobolize Secure WiFi false positive reported below (Host: web-sprint.mobolize.com) is not excluded
# until rev 26/27.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"Host|3a 20|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; content:!"Host|3a 20|secure.digitalalchemy.net.au"; http_header; content:!".ksmobile.com|0d 0a|"; http_header; content:!"gstatic|2e|com|0d 0a|"; http_header; content:!"weixin.qq.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:24;)
Added 2017-01-12 17:36:21 UTC
Hello. False positive for the Secure WiFi mobile application.
More about the application here:
https://play.google.com/store/apps/details?id=com.mobolize.sprint.securewifi&hl=uk
Additional information on how Mobolize is related to Sprint:
http://www.fiercewireless.com/wireless/sprint-partners-mobolize-to-improve-network-performance-for-enterprise-users
Event PCAP:
GET /download/ver/D9637353-0F53-7D2B-E547-38EF6D13B339 HTTP/1.1
X-mobo-no-alias: yes
User-Agent: Mozilla/4.0
X-mobo-client-version: 1.1.0.114
Host: web-sprint.mobolize.com
Connection: Keep-Alive
Accept-Encoding: gzip
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 02 Mar 2017 19:47:37 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
Content-Length: 9
Connection: keep-alive
1.1.0.114
Please consider modifying the rule.
Thank you.
Best regards
--
MaksymParpaley - 2017-03-03
Update
Thank you
--
MaksymParpaley - 2017-03-06
# rev 23: adds a second, unanchored "weixin.qq.com|0d 0a|" exclusion on http_header. The existing
# "Host|3a 20|weixin.qq.com" exclusion only matches when the host value begins with weixin.qq.com, so
# subdomain hosts such as support.weixin.qq.com (reported below) were still alerting.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"Host|3a 20|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; content:!"Host|3a 20|secure.digitalalchemy.net.au"; http_header; content:!".ksmobile.com|0d 0a|"; http_header; content:!"gstatic|2e|com|0d 0a|"; http_header; content:!"weixin.qq.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:23;)
Dear ET!
One more false positive detected.
The signature now trips on the normal behaviour of the Mobolize Secure WiFi application.
PCAP:
GET /download/ver/D9637353-0F53-7D2B-E547-38EF6D13B339 HTTP/1.1
X-mobo-no-alias: yes
User-Agent: Mozilla/4.0
X-mobo-client-version: 1.1.0.108
Host: web-sprint.mobolize.com
Connection: Keep-Alive
Accept-Encoding: gzip
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 09 Jan 2017 22:39:54 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
Content-Length: 9
Connection: keep-alive
1.1.0.108
Links to application and docs:
http://www.mobolize.com/wp/wp-content/uploads/2016/09/Mobolize-Secure-Wi-Fi-ds-2016.pdf
https://play.google.com/store/apps/details?id=com.mobolize.sprint.securewifi&hl=uk
http://www.mobolize.com/product/
Regards
UPDATE on DuoMi:
DuoMi looks like a malicious application.
--
MaksymParpaley - 2017-01-12
# rev 22: adds a "gstatic|2e|com|0d 0a|" exclusion (gstatic.com at the end of any header line) on
# http_header; otherwise identical to rev 21 below.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"Host|3a 20|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; content:!"Host|3a 20|secure.digitalalchemy.net.au"; http_header; content:!".ksmobile.com|0d 0a|"; http_header; content:!"gstatic|2e|com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:22;)
# rev 21 (2016-05-05): the "Cookie: PREF=ID=" exclusion moves from http_header to http_raw_header (the
# un-normalized header buffer), and an unanchored ".ksmobile.com|0d 0a|" exclusion is added on http_header
# (matches any header line ending in .ksmobile.com, not only Host).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"Host|3a 20|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; content:!"Host|3a 20|secure.digitalalchemy.net.au"; http_header; content:!".ksmobile.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:21;)
Added 2016-05-05 18:22:51 UTC
Hello,
I am getting false-positive alerts on downloads from a Xiaomi Redmi 3 Pro smartphone (MIUI 8 stable, China) when the Xunlei download engine option is enabled in the download settings.
--
SergeyMalinkin - 2016-09-15
--
MaksymParpaley - 2016-12-28
We are observing a false positive for the WeChat application (weixin). Please modify the rule.
POST /cgi-bin/mmsupport-bin/stackreport?version=16050222&filelength=338356&sum=1e05f2cc97f15d5cce3699f3f7c723ed&reporttype=2002&devicetype=iphone_iOS10.1.1&username=XXXXX HTTP/1.1
Host: support.weixin.qq.com
Content-Type: application/x-www-form-urlencoded
Cookie: pgv_pvid=6641066904
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/4.0
Content-Length: 47928
Accept-Language: en-us
Accept-Encoding: gzip, deflate
We suggest adding (or changing the existing negation to) content:!"weixin.qq.com" so that every weixin.qq.com subdomain is excluded: the current `Host|3a 20|weixin.qq.com` negation is anchored to the start of the host value and does not match the support.weixin.qq.com request above.
Please make this modification. Looking forward to it.
--
MaksymParpaley - 2016-12-28
# rev 19 (2015-08-21): fixes the logmein exclusion by inserting the missing space after the colon
# ("Host|3a 20|secure|2e|logmein|2e|com|0d 0a|"); as written since rev 14 it could not match a real
# "Host: secure.logmein.com" line, so logmein traffic kept alerting. No other change from rev 18.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_header; content:!"Host|3a 20|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; content:!"Host|3a 20|secure.digitalalchemy.net.au"; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:19;)
Added 2015-08-21 18:49:12 UTC
# rev 18 (2015-03-24): adds a "Host: secure.digitalalchemy.net.au" exclusion (without nocase, unlike the
# other Host exclusions in this revision). The logmein exclusion still reads "Host|3a|secure..." with no
# space after the colon and therefore never matches a conforming Host line; fixed in rev 19.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_header; content:!"Host|3a|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; content:!"Host|3a 20|secure.digitalalchemy.net.au"; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:18;)
Added 2015-03-24 19:03:05 UTC
The logmein exclusion isn't working because of a missing space after `Host|3a|`. I've found the following works in our environment as of today: Host|3a 20|secure|2e|logmein|2e|com|0d 0a|
--
StefanSchwoegler - 2015-08-21
Whoops

Thanks, I'll get that fixed up!
--
DarienH - 2015-08-21
# rev 17 (2015-02-25): adds "Host: slickdeals.net" and "Host: cloudera.com" exclusions (nocase,
# http_header) after the false-positive report below. The logmein exclusion still lacks the space after
# "Host|3a|" and is ineffective (carried from rev 14, fixed in rev 19).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_header; content:!"Host|3a|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:17;)
Added 2015-02-25 15:28:14 UTC
"secure.digitalalchemy.net.au" - false positives generated by this host. Digital Alchemy is an Australian marketing analytics company.
--
JulianGarthwaite - 2015-03-23
# rev 16 (2014-06-16): protocol changes from "tcp ... $HTTP_PORTS" to "http ... any" (app-layer detection,
# port-independent); fast_pattern loses its offset/length arguments; the cookie exclusion goes back to a
# "Cookie: PREF=ID=" line on http_header; adds a "Host: weixin.qq.com" exclusion anchored to the start of
# the host value (subdomains such as support.weixin.qq.com are not covered). The logmein exclusion still
# has no space after "Host|3a|" and cannot match a conforming Host line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_header; content:!"Host|3a|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:16;)
Added 2014-06-16 20:29:07 UTC
This threw a ton of false positives last night for "http://slickdeals.net/" "Mozilla/4.0" and for "http://www.cloudera.com/content/cloudera/en/home.html" "Mozilla/4.0"
--
SamScholten - 2015-02-20
Hmm okay, we can add a negation... Mozilla/4.0 by itself isn't usually used as a real browser's UA, any idea what was making those requests?
--
DarienH - 2015-02-20
# rev 14 (2013-12-09): adds the logmein exclusion exactly as suggested in the comment below, including
# its missing space after "Host|3a|". A conforming "Host: secure.logmein.com" line has a space there, so
# this negation never matches and the false positive persists until rev 19. Everything else is rev 13.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; nocase; http_header; fast_pattern:5,20; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"PREF|3d|ID|3d|"; nocase; http_cookie; content:!"Host|3a|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:14;)
Added 2013-12-09 19:23:34 UTC
This rule seems to throw a false positive when the host is weixin.qq.com. We have a handful of users using the WeChat client.
--
EricVargas - 2014-06-16
We will get this fixed up ASAP.
--
FrancisTrudeau - 2014-06-16
# rev 13 (2012-06-22): fast_pattern:5,20 hands the 20 bytes starting at offset 5 of the UA content
# ("Agent: Mozilla/4.0\r\n") to the multi-pattern matcher; the cookie exclusion becomes "PREF=ID=" on
# the http_cookie buffer instead of a "Cookie: " header line on http_header. Detection otherwise as rev 12.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; nocase; http_header; fast_pattern:5,20; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"PREF|3d|ID|3d|"; nocase; http_cookie; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:13;)
Added 2012-06-22 00:48:41 UTC
this is a false positive when the host is secure.logmein.com. Would add the following to the rule: content:!"Host|3a|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header;
--
DjThomason - 24 Jul 2012
I am also seeing false positives with logmein.com.
--
MatthewTrent - 2013-12-06
Fixing this up, thanks!
--
MattJonkman - 2013-12-06
# sid 2003492 rev 12 (2011-12-30 19:58 UTC): adds two negated http_header matches to rev 11,
# "Host: www.google.com" and a "Cookie: PREF=ID=" cookie, as false-positive carve-outs.
# The Host exclusion compares a client-supplied header value.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:12;)
Added 2011-12-30 19:58:58 UTC
# sid 2003492 rev 12, republished 2011-12-30 19:24 UTC; the rule text is byte-identical to
# the rev 12 entry above (no change in matching behaviour).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:12;)
Added 2011-12-30 19:24:07 UTC
# sid 2003492 rev 12, first publication 2011-12-30 18:03 UTC; byte-identical to the two
# rev 12 entries above.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:12;)
Added 2011-12-30 18:03:20 UTC
# sid 2003492 rev 11 (2011-12-15): msg category changed from "ET USER_AGENTS" to
# "ET MALWARE"; matching options are identical to the rev 11 entry below.
# NOTE(review): rev was not bumped for this msg change, so rev:11 labels three different
# rule texts on this page (2011-09-14, 2011-10-12, 2011-12-15).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:11;)
Added 2011-12-15 18:09:17 UTC
# sid 2003492 rev 11 (2011-10-12): same matching options as the 2011-09-14 rev 11 entry
# below, with the classtype and reference options reordered; rev not bumped for the change.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:11;)
Added 2011-10-12 19:13:34 UTC
# sid 2003492 rev 11 (2011-09-14): adds a negated http_uri match for "/CallParrotWebClient/"
# to rev 10 and drops the cvsweb reference URL. Still requires the User-Agent header to be
# exactly "Mozilla/4.0" + CRLF in the http_header buffer.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003492; sid:2003492; rev:11;)
Added 2011-09-14 22:26:33 UTC
# sid 2003492 rev 10 (2011-02-04): first revision to restrict the match to the http_header
# buffer and to write the colon as |3a| instead of the "\:" escape used by rev 8 and earlier.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; nocase; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003492; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003492; rev:10;)
Added 2011-02-04 17:22:30 UTC
# sid 2003492 rev 8 (2009-10-19): no http_header modifier, so the pattern is searched in the
# client-to-server payload on $HTTP_PORTS rather than a normalized HTTP buffer; colon written
# with the "\:" escape. Category renamed to "ET USER_AGENTS".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent\: Mozilla/4.0|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003492; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003492; rev:8;)
Added 2009-10-19 09:15:43 UTC
# sid 2003492 rev 8, republished with the same timestamp; byte-identical to the rev 8 entry
# above.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent\: Mozilla/4.0|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003492; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003492; rev:8;)
Added 2009-10-19 09:15:43 UTC
# sid 2003492 rev 6 (2009-02-09 21:30 UTC): adds a second reference URL (cvsweb
# MALWARE/MALWARE_USER_Agents) to rev 5; match options unchanged (raw payload, "\:" escape).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent\: Mozilla/4.0|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003492; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2003492; rev:6;)
Added 2009-02-09 21:30:24 UTC
# sid 2003492 rev 6, republished 2009-02-09 21:30 UTC; byte-identical to the rev 6 entry above.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent\: Mozilla/4.0|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003492; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2003492; rev:6;)
Added 2009-02-09 21:30:24 UTC
# sid 2003492 rev 6, republished 2009-02-09 21:29 UTC; byte-identical to the rev 6 entries
# above.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent\: Mozilla/4.0|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003492; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2003492; rev:6;)
Added 2009-02-09 21:29:25 UTC
# sid 2003492 rev 6, first publication 2009-02-09 21:29 UTC; byte-identical to the rev 6
# entries above.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent\: Mozilla/4.0|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003492; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2003492; rev:6;)
Added 2009-02-09 21:29:25 UTC
# sid 2003492 rev 5 (2008-01-28): msg prefix "BLEEDING-EDGE MALWARE" replaced by "ET MALWARE";
# match options unchanged from rev 4.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent\: Mozilla/4.0|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003492; sid:2003492; rev:5;)
Added 2008-01-28 17:24:21 UTC
# sid 2003492 rev 4 (2008-01-09): reference URL moved from doc.bleedingthreats.net to
# doc.emergingthreats.net; match options unchanged from rev 3.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent\: Mozilla/4.0|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003492; sid:2003492; rev:4;)
Added 2008-01-09 17:42:41 UTC
# sid 2003492 rev 3 (2007-04-03): msg reworded from "Unusual Mozilla User-Agent" to
# "Suspicious Mozilla User-Agent - Likely Fake"; match options unchanged from rev 2.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent\: Mozilla/4.0|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/2003492; sid:2003492; rev:3;)
Added 2007-04-03 10:56:11 UTC
# sid 2003492 rev 2 (2007-03-16 11:45 UTC): corrects "Mozila" to "Mozilla" in both msg and
# content.
# NOTE(review): this broadens the signature from a rare misspelling to the bare "Mozilla/4.0"
# UA string, which the false-positive reports in this thread (logmein, weixin.qq.com,
# slickdeals, cloudera) show is also sent by legitimate clients; the later negation list
# follows from this change.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Unusual Mozilla User-Agent (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent\: Mozilla/4.0|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/2003492; sid:2003492; rev:2;)
Added 2007-03-16 11:45:23 UTC
# sid 2003492 rev 1 (2007-03-16 10:55 UTC): original signature on the misspelled UA
# "Mozila/4.0" + CRLF, matched case-insensitively in the raw client payload on $HTTP_PORTS
# (see the author's note below on where the string was observed).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Unusual Mozilla User-Agent (Mozila/4.0)"; flow:to_server,established; content:"User-Agent\: Mozila/4.0|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/2003492; sid:2003492; rev:1;)
Added 2007-03-16 10:55:22 UTC
Found some of these with Mozilla misspelled Mozila in the spyware listening post logs. Wasn't able to find them in any legitimate logs, so this might be an interesting way to catch some of the spyware trying to be stealthy.
Please report any issues with the sig here, and let us also know about any positive hits.
--
MattJonkman - 16 Mar 2007
- packet.pcap: Demonstrates the false positive associated with secure.logmein.com
- packet.pcap: Demonstrates the false positive associated with secure.logmein.com