[Emerging-Sigs] FPs -- msg:"ET MALWARE Suspicious User-Agent (ms)";

Russell Fulton r.fulton at auckland.ac.nz
Sun Jul 13 22:19:58 EDT 2008


We are seeing many 1000s of legit hits on this rule from MSN traffic...

GET /8SE/11?MI=ec54f7918d284f6d814b55b704fbb9fe&LV=3.1.0.146
&AG=T14072&IS=0000&TE=1&TV=tmen-nz%7Cts20080713021603%7Crf1%
7Csq91%7Cwi198564%7Ceuhttp%3A%2F%2Fwww.facebook.com%2Fphoto.
php%3Fpid%3D3455927%26view%3Dalbum%26id%3D896930331%26ref%3D
nf%23pid%3D3455895 HTTP/1.1..User-Agent: MSN_SL/3.1 Microsof
t-Windows/5.1..Host: g.ceipmsn.com....



alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (ms)"; flow:to_server,established; content:"User-Agent\: ms"; nocase; classtype:trojan-activity; sid:2003497; rev:3;)
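Added illustration (not part of the post above and not from the Emerging Threats rule set): the false positive comes from the `content:"User-Agent\: ms"; nocase;` test being a bare case-insensitive substring match with nothing after "ms", so any agent string that merely starts with "ms" (here "MSN_SL/3.1 ...") satisfies it. The script below approximates that content test in Python, runs it over constructed requests (the MSN one reuses the User-Agent and Host headers quoted in the post, with the request line shortened), and contrasts it with a stricter check that requires the User-Agent value to be exactly "ms". The stricter regex is an assumption for illustration, not a proposed revision of sid:2003497.

```python
import re

# The content test from sid:2003497 as quoted in the post. In Snort the
# backslash only escapes the colon, so the searched bytes are "User-Agent: ms".
RULE_CONTENT = "User-Agent: ms"


def snort_content_match(payload: str, content: str = RULE_CONTENT) -> bool:
    """Approximate `content:"..."; nocase;`: case-folded substring search over
    the whole client-to-server payload, with no anchoring of the header value."""
    return content.lower() in payload.lower()


# Stricter variant (assumption for illustration): the User-Agent header value
# must be exactly "ms", so longer agents that merely begin with "ms" do not match.
UA_EXACT_MS = re.compile(r"^User-Agent:[ \t]*ms[ \t]*\r?$", re.IGNORECASE | re.MULTILINE)


def exact_ms_user_agent(payload: str) -> bool:
    """True only when a User-Agent header carries the value "ms" and nothing else."""
    return UA_EXACT_MS.search(payload) is not None


# Constructed sample requests (CRLF line endings, as on the wire).
# Headers in MSN_REQUEST are the ones quoted in the post; the request line is shortened.
MSN_REQUEST = (
    "GET /8SE/11 HTTP/1.1\r\n"
    "User-Agent: MSN_SL/3.1 Microsoft-Windows/5.1\r\n"
    "Host: g.ceipmsn.com\r\n"
    "\r\n"
)
# Made-up request whose agent string is exactly "ms": the traffic the rule targets.
BARE_MS_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "User-Agent: ms\r\n"
    "Host: example.invalid\r\n"
    "\r\n"
)
# Made-up ordinary browser request that should not match either test.
BROWSER_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 5.1) Firefox/3.0\r\n"
    "Host: example.invalid\r\n"
    "\r\n"
)


def evaluate(payload: str) -> dict:
    """Run both tests on one payload and return the verdicts side by side."""
    return {
        "rule_content_match": snort_content_match(payload),
        "exact_ms_user_agent": exact_ms_user_agent(payload),
    }


if __name__ == "__main__":
    for name, req in (("MSN_SL", MSN_REQUEST), ("bare ms", BARE_MS_REQUEST), ("browser", BROWSER_REQUEST)):
        ua = req.split("\r\n")[1]
        print(f"{name:8} {ua!r:55} -> {evaluate(req)}")
```

Running it shows the original content test firing on both the MSN_SL request and the bare "ms" agent, while the anchored check fires only on the latter; that gap between the two columns is the false-positive volume the post describes.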


