[Emerging-Sigs] FPs -- msg:"ET MALWARE Suspicious User-Agent (ms)";
Matt Jonkman
jonkman at jonkmans.com
Sun Jul 13 22:58:07 EDT 2008
Ahh, crap. I left a nocase in there. Posted the fix. That fix it up?
Matt
Russell Fulton wrote:
> we are seeing many 1000s of legit hits on this rule from MSN traffic....
>
> GET /8SE/11?MI=ec54f7918d284f6d814b55b704fbb9fe&LV=3.1.0.146
> &AG=T14072&IS=0000&TE=1&TV=tmen-nz%7Cts20080713021603%7Crf1%
> 7Csq91%7Cwi198564%7Ceuhttp%3A%2F%2Fwww.facebook.com%2Fphoto.
> php%3Fpid%3D3455927%26view%3Dalbum%26id%3D896930331%26ref%3D
> nf%23pid%3D3455895 HTTP/1.1..User-Agent: MSN_SL/3.1 Microsof
> t-Windows/5.1..Host: g.ceipmsn.com....
>
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (ms)"; flow:to_server,established; content:"User-Agent\: ms"; nocase; classtype:trojan-activity; sid:2003497; rev:3;)
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
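
Added example, not part of the original message or of the Emerging Threats ruleset: a small Python check that evaluates the rule's `content` match against the MSN request quoted in the thread, with and without `nocase`. It assumes the corrected rule is the quoted rev 3 text with only the `nocase` modifier removed, models just `content`/`nocase` (no flow, ports or `|hex|` notation), and uses one constructed request as a positive control.

```python
import re

# Rule text as quoted in the thread (sid 2003497, rev 3), rejoined onto one line.
RULE_REV3 = (r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
             r'(msg:"ET MALWARE Suspicious User-Agent (ms)"; flow:to_server,established; '
             r'content:"User-Agent\: ms"; nocase; classtype:trojan-activity; sid:2003497; rev:3;)')
# Assumption: the corrected rule is the same text with the nocase modifier removed.
RULE_NO_NOCASE = RULE_REV3.replace(' nocase;', '')

# Headers taken from the MSN request quoted in the thread (URI shortened).
MSN_REQUEST = (b"GET /8SE/11?LV=3.1.0.146 HTTP/1.1\r\n"
               b"User-Agent: MSN_SL/3.1 Microsoft-Windows/5.1\r\n"
               b"Host: g.ceipmsn.com\r\n\r\n")
# Constructed sample: a User-Agent that really does begin with lowercase "ms".
CONSTRUCTED_HIT = (b"GET / HTTP/1.1\r\nUser-Agent: ms-test-client\r\n"
                   b"Host: example.invalid\r\n\r\n")

def parse_contents(rule):
    """Return [(pattern_bytes, nocase)] for each content option in the rule body."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    # Options are separated by ';' unless the ';' is backslash-escaped.
    options = [o.strip() for o in re.split(r'(?<!\\);', body) if o.strip()]
    contents = []
    for opt in options:
        key, _, val = opt.partition(':')
        if key == 'content':
            # Drop the surrounding quotes and undo rule-language escapes (\: \; \" \\).
            pattern = re.sub(r'\\([:;"\\])', r'\1', val.strip().strip('"'))
            contents.append([pattern.encode(), False])
        elif key == 'nocase' and contents:
            contents[-1][1] = True  # modifier applies to the preceding content
    return [tuple(c) for c in contents]

def rule_fires(rule, payload):
    """True if every content pattern occurs in the payload."""
    for pattern, nocase in parse_contents(rule):
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    return True

if __name__ == "__main__":
    for name, rule in (("rev 3 (nocase)", RULE_REV3), ("nocase removed", RULE_NO_NOCASE)):
        print(name, "| MSN:", rule_fires(rule, MSN_REQUEST),
              "| constructed:", rule_fires(rule, CONSTRUCTED_HIT))
```

With `nocase`, the lowercase pattern also matches the `MS` at the start of `MSN_SL/3.1`, which is the false positive reported; without it, only the constructed lowercase sample matches.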