# ET sid 2008276 rev 15, current entry (metadata updated_at 2020_08_13). The match logic is the same as the
# other rev 15 entries below; only the metadata differs. Fires once on an established client->server HTTP
# request whose header buffer contains "User-Agent: " followed (within 100 bytes of that anchor) by " loader"
# (leading space, lowercase); the pcre then re-checks the same header buffer (H) case-insensitively (i).
# threshold:type limit,count 2,track by_src,seconds 300 caps output at two alerts per source IP per 300 s.
# NOTE(review): content:" loader" carries no nocase, so it is a case-sensitive match and a User-Agent that only
# contains " Loader" (capital L) never reaches the case-insensitive pcre -- confirm whether that gap is intended.
# NOTE(review): five distinct entries on this page all carry rev:15 although their metadata differs; bumping rev
# on each published change lets downstream rule managers detect it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"User-Agent|3a| "; http_header; content:" loader"; fast_pattern; within:100; http_header; pcre:"/User-Agent\x3a[^\n]+loader/iH"; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008276; classtype:trojan-activity; sid:2008276; rev:15; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_08_13;)
Added 2020-08-13 17:50:08 UTC
# ET sid 2008276 rev 15 as published 2020-08-05: same detection logic as the 2020-08-13 entry above; differs only
# in metadata (updated_at 2017_10_30 here, keys reordered alphabetically versus the 2019 entry below).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"User-Agent|3a| "; http_header; content:" loader"; fast_pattern; within:100; http_header; pcre:"/User-Agent\x3a[^\n]+loader/iH"; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008276; classtype:trojan-activity; sid:2008276; rev:15; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2017_10_30;)
Added 2020-08-05 19:05:20 UTC
# ET sid 2008276 rev 15 as published 2019-10-09: detection logic unchanged; former_category changed from TROJAN
# (entries below) to HUNTING and is carried in a separate leading metadata: keyword, with a second metadata:
# keyword holding the remaining keys.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"User-Agent|3a| "; http_header; content:" loader"; fast_pattern; within:100; http_header; pcre:"/User-Agent\x3a[^\n]+loader/iH"; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category HUNTING; reference:url,doc.emergingthreats.net/bin/view/Main/2008276; classtype:trojan-activity; sid:2008276; rev:15; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)
Added 2019-10-09 19:08:42 UTC
# ET sid 2008276 rev 15 as published 2017-10-30 18:17: byte-identical to the 16:39 entry below (a re-publication).
# Versus rev 14: the msg category moved from "ET TROJAN" to "ET USER_AGENTS", former_category TROJAN records the
# old category, and updated_at became 2017_10_30. Detection logic is unchanged.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"User-Agent|3a| "; http_header; content:" loader"; fast_pattern; within:100; http_header; pcre:"/User-Agent\x3a[^\n]+loader/iH"; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008276; classtype:trojan-activity; sid:2008276; rev:15; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)
Added 2017-10-30 18:17:32 UTC
# ET sid 2008276 rev 15, first publication (2017-10-30 16:39): category rename TROJAN -> USER_AGENTS in msg,
# former_category TROJAN recorded in metadata; match logic identical to rev 14 below.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"User-Agent|3a| "; http_header; content:" loader"; fast_pattern; within:100; http_header; pcre:"/User-Agent\x3a[^\n]+loader/iH"; threshold:type limit,count 2,track by_src,seconds 300; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/bin/view/Main/2008276; classtype:trojan-activity; sid:2008276; rev:15; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)
Added 2017-10-30 16:39:40 UTC
# ET sid 2008276 rev 14 (updated_at 2016_07_01). Changes versus rev 13: the protocol became "http" with port
# "any" instead of tcp/$HTTP_PORTS; an explicit "User-Agent|3a| " header anchor was added so that " loader" must
# occur within 100 bytes after it; fast_pattern lost its ":only" qualifier, so " loader" is now also evaluated
# as a normal (case-sensitive) content match rather than serving only as the prefilter pattern. The metadata:
# keyword appears for the first time in this revision.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"User-Agent|3a| "; http_header; content:" loader"; fast_pattern; within:100; http_header; pcre:"/User-Agent\x3a[^\n]+loader/iH"; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008276; classtype:trojan-activity; sid:2008276; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
Added 2017-08-07 21:01:27 UTC
# ET sid 2008276 rev 13 as published 2011-10-12: same as the 2011-09-14 entry below with classtype/reference
# keyword order swapped. Matches " loader" anywhere in the HTTP header buffer (fast_pattern:only) and confirms
# with a case-insensitive pcre on the User-Agent line; adds a per-source limit of two alerts per 300 s.
# NOTE(review): with fast_pattern:only the content is used solely by the prefilter; in Snort that matcher is
# case-insensitive, which would explain the "iolo Hints Loader" (capital L) report on rev 12 below -- engine
# behaviour differs, confirm for the engine in use.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (contains loader)"; flow:to_server,established; content:" loader"; http_header; fast_pattern:only; pcre:"/User-Agent\x3a[^\n]+loader/iH"; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008276; classtype:trojan-activity; sid:2008276; rev:13;)
Added 2011-10-12 19:24:48 UTC
# ET sid 2008276 rev 13, first publication (2011-09-14). Versus rev 12: msg category changed from USER_AGENTS to
# TROJAN, the cvsweb reference was dropped, and threshold:type limit,count 2,track by_src,seconds 300 was added
# to cap alert volume per source IP (at most two alerts per 300 s). Match logic is otherwise unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (contains loader)"; flow:to_server,established; content:" loader"; http_header; fast_pattern:only; pcre:"/User-Agent\x3a[^\n]+loader/iH"; threshold:type limit,count 2,track by_src,seconds 300; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008276; sid:2008276; rev:13;)
Added 2011-09-14 22:38:15 UTC
# ET sid 2008276 rev 12. First revision to use the normalized HTTP header buffer: content " loader" with
# http_header and fast_pattern:only, then pcre /User-Agent\x3a[^\n]+loader/iH (H = header buffer, i = ignore
# case) instead of the raw "|0d 0a|User-Agent\: " payload match of rev 8. No threshold yet, so every matching
# request alerts. The iolo "Hints Loader" false-positive discussion below was filed against this revision.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (contains loader)"; flow:to_server,established; content:" loader"; http_header; fast_pattern:only; pcre:"/User-Agent\x3a[^\n]+loader/iH"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008276; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008276; rev:12;)
Added 2011-02-04 17:27:23 UTC
This rule fires on traffic appearing to be related to iolo technologies, LLC (www.iolo.com) products:
POST /__svc/hints/newshintsxml.aspx HTTP/1.0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 300
Host: svc.iolo.com
Accept: text/html, */*
User-Agent: iolo Hints Loader
These requests are directed to 216.246.97.29 (svc.iolo.com), which falls within 216.246.97.0/27:
Server Central Network SCN-5 (NET-216-246-0-0-1) 216.246.0.0 - 216.246.127.255
IOLO Technologies SCNET-216-246-97-0-27 (NET-216-246-97-0-1) 216.246.97.0 - 216.246.97.31
One option for dealing with this is to add a suppression for this rule when the destination falls in that CIDR.
--
DarrenSpruell - 06 Jun 2011
# ET sid 2008276 rev 8 (duplicate of the entry below, same timestamp). Raw-payload variant: matches the bytes
# CRLF "User-Agent: " then " loader" starting at or after that point (distance:0) and ending within 100 bytes
# (within:100); the pcre (no H flag, so also raw payload) re-checks the User-Agent line case-insensitively.
# Versus rev 6 the msg category is USER_AGENTS and the cvsweb reference points at USER_AGENTS_Suspicious.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:" loader"; distance:0; within:100; pcre:"/User-Agent\:[^\n]+loader/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008276; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008276; rev:8;)
Added 2009-10-19 09:15:44 UTC
# ET sid 2008276 rev 8 (2009-10-19): msg category renamed MALWARE -> USER_AGENTS and the cvsweb reference
# updated accordingly; the raw "|0d 0a|User-Agent\: " / " loader" / pcre match logic is unchanged from rev 5.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:" loader"; distance:0; within:100; pcre:"/User-Agent\:[^\n]+loader/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008276; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008276; rev:8;)
Added 2009-10-19 09:15:44 UTC
# ET sid 2008276 rev 6 (2009-02-09): adds the two reference:url keywords (doc page and cvsweb MALWARE_USER_Agents);
# match logic identical to rev 5.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:" loader"; distance:0; within:100; pcre:"/User-Agent\:[^\n]+loader/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008276; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2008276; rev:6;)
Added 2009-02-09 22:22:08 UTC
# ET sid 2008276 rev 5 (duplicate of the entry below, same timestamp). The leading space in content:" loader"
# is the fix for the "Adobe Flash Player Downloader" false positive reported against rev 4 ("Downloader"
# contains "loader" but not " loader").
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:" loader"; distance:0; within:100; pcre:"/User-Agent\:[^\n]+loader/i"; classtype:trojan-activity; sid:2008276; rev:5;)
Added 2008-09-19 12:45:22 UTC
# ET sid 2008276 rev 5 (2008-09-19): restores the leading space in content:" loader" that rev 4 had dropped, per
# the "Adobe Flash Player Downloader" false-positive thread below. Otherwise identical to rev 4.
# NOTE(review): the pcre still uses [^\n]+loader without the space, so the space requirement comes only from the
# content keyword.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:" loader"; distance:0; within:100; pcre:"/User-Agent\:[^\n]+loader/i"; classtype:trojan-activity; sid:2008276; rev:5;)
Added 2008-09-19 12:45:22 UTC
# ET sid 2008276 rev 4 (duplicate of the entry below the FP thread, same timestamp). content:"loader" has no
# leading space, so any User-Agent containing the substring "loader" -- including "Downloader" -- matches; this
# is the revision the Adobe Flash Player Downloader false positive was reported against.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:"loader"; distance:0; within:100; pcre:"/User-Agent\:[^\n]+loader/i"; classtype:trojan-activity; sid:2008276; rev:4;)
Added 2008-09-10 13:15:20 UTC
False positives on "Adobe Flash Player Downloader"
SRC: GET /get/flashplayer/current/gtb/install_flash.foo.s HTTP/1.1
SRC: User-Agent: Adobe Flash Player Downloader
SRC: Host: fpdownload2.macromedia.com
--
MikeWazowski - 19 Sep 2008
Adding a leading space to the loader content match. That should eliminate that FP. Thanks Mike!
--
MattJonkman - 19 Sep 2008
# ET sid 2008276 rev 4 (2008-09-10): differs from rev 3 only in content:"loader" losing its leading space, which
# widened the match to any User-Agent containing "loader" (e.g. "Downloader") and produced the false positive
# discussed above; rev 5 reinstated the space.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:"loader"; distance:0; within:100; pcre:"/User-Agent\:[^\n]+loader/i"; classtype:trojan-activity; sid:2008276; rev:4;)
Added 2008-09-10 13:15:20 UTC
# ET sid 2008276 rev 3 (duplicate of the entry below, same timestamp). Raw match on CRLF "User-Agent: " then
# " loader" within 100 bytes, confirmed by a case-insensitive pcre allowing any run of non-newline characters
# between the colon and "loader".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:" loader"; distance:0; within:100; pcre:"/User-Agent\:[^\n]+loader/i"; classtype:trojan-activity; sid:2008276; rev:3;)
Added 2008-05-30 13:10:21 UTC
# ET sid 2008276 rev 3 (2008-05-30 13:10): fixes the rev 2 pcre by adding the "+" quantifier ([^\n]+) and the
# case-insensitive "i" flag, so "loader" may appear anywhere on the User-Agent line in any case rather than
# exactly one character after the colon. Content matches are unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:" loader"; distance:0; within:100; pcre:"/User-Agent\:[^\n]+loader/i"; classtype:trojan-activity; sid:2008276; rev:3;)
Added 2008-05-30 13:10:21 UTC
# ET sid 2008276 rev 2 (duplicate of the entry below, same timestamp). The pcre /User-Agent\:[^\n]loader/ has no
# "+" and no "i" flag: it requires exactly one character between the colon and a lowercase "loader", so combined
# with the content matches the rule only fires when the User-Agent value begins with "loader". Superseded by rev 3.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:" loader"; distance:0; within:100; pcre:"/User-Agent\:[^\n]loader/"; classtype:trojan-activity; sid:2008276; rev:2;)
Added 2008-05-30 12:43:58 UTC
# ET sid 2008276 rev 2 (2008-05-30 12:43): versus rev 1, within grew from 80 to 100 and the pcre dropped both the
# space before "loader" and the "i" flag. The single [^\n] (no "+") still permits only one character between the
# colon and "loader", which rev 3 corrected.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:" loader"; distance:0; within:100; pcre:"/User-Agent\:[^\n]loader/"; classtype:trojan-activity; sid:2008276; rev:2;)
Added 2008-05-30 12:43:58 UTC
# ET sid 2008276 rev 1 (2008-05-30 12:24), original signature. Raw-payload match on CRLF "User-Agent: " followed
# by " loader" within 80 bytes, confirmed by a case-insensitive pcre. The pcre's single [^\n] (no "+") allows only
# one character between the colon and " loader", which is far narrower than the content matches; later revisions
# widened it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (contains loader)"; flow: to_server,established; content:"|0d 0a|User-Agent\: "; content:" loader"; distance:0; within:80; pcre:"/User-Agent\:[^\n] loader/i"; classtype:trojan-activity; sid:2008276; rev:1;)
Added 2008-05-30 12:24:55 UTC