[Emerging-Sigs] Win98 alerts on 2007695
Jack Pepper
pepperjack at afferentsecurity.com
Thu Mar 20 15:05:03 EST 2008
The 2007695 rule for detecting Win98 boxes was getting some bogus hits
on a piece of Dell spyware. I have split it into two separate rules:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Gteko User-Agent Detected - Dell Remote Access"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; content:"Windows 98"; within:50; content:"GtekClient"; within:50; pcre:"/User-Agent\:[^\n]+Windows 98[^\n]+GtekClient/i"; classtype:dell-spyware; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; sid:1007696; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; content:"Windows 98"; within:200; content:!"GtekClient"; within:50; pcre:"/User-Agent\:[^\n]+Windows 98/i"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; sid:2007695; rev:8;)
And I decided to create a new classification to go with it, since we
can't do anything about it on the students' machines:
config classification: dell-spyware,A built-in backdoor was detected, 3
There is packet data in the wiki to describe this finding.
jp
--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com
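The split above relies on Snort's content chaining: in the second rule the negated content:!"GtekClient" with within:50 only suppresses the alert when "GtekClient" appears inside the 50 bytes that follow "Windows 98". The following Python script is an added example, not part of the post or the Emerging Threats rule set; it emulates the content/within/pcre checks of both rules over a few constructed HTTP requests so you can see which rule fires on which User-Agent, including the case where "GtekClient" sits more than 50 bytes past "Windows 98" and therefore falls through to the policy-violation rule. The window semantics are a simplified model of Snort's (the whole pattern must fit inside the within window), and the sample requests are made up for the demonstration.

```python
import re

# Constructed HTTP requests standing in for client traffic (not real captures).
SAMPLES = {
    "dell_gteko": (
        b"GET /update HTTP/1.1\r\nHost: example.invalid\r\n"
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; GtekClient)\r\n\r\n"
    ),
    "plain_win98": (
        b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)\r\n\r\n"
    ),
    "winxp": (
        b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n"
    ),
    # "GtekClient" more than 50 bytes after "Windows 98": outside the within:50 window.
    "gteko_far": (
        b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; "
        + b"x" * 60 + b" GtekClient)\r\n\r\n"
    ),
}

# Each rule: ordered content checks as (pattern, negated, within) plus the pcre.
# within=None means "search from the current cursor to end of payload".
GTEKO_RULE = {
    "msg": "ET POLICY Gteko User-Agent Detected - Dell Remote Access",
    "contents": [
        (b"\r\nUser-Agent: ", False, None),
        (b"Windows 98", False, 50),
        (b"GtekClient", False, 50),
    ],
    "pcre": re.compile(rb"User-Agent:[^\n]+Windows 98[^\n]+GtekClient", re.I),
}
WIN98_RULE = {
    "msg": "ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System",
    "contents": [
        (b"\r\nUser-Agent: ", False, None),
        (b"Windows 98", False, 200),
        (b"GtekClient", True, 50),   # negated content: must NOT appear in the window
    ],
    "pcre": re.compile(rb"User-Agent:[^\n]+Windows 98", re.I),
}
RULES = [GTEKO_RULE, WIN98_RULE]


def rule_matches(rule, payload):
    """Simplified Snort content chaining: each content is searched in the window
    that starts at the end of the previous match and spans `within` bytes."""
    cursor = 0
    for pattern, negated, within in rule["contents"]:
        window = payload[cursor:] if within is None else payload[cursor:cursor + within]
        idx = window.find(pattern)
        if negated:
            if idx != -1:
                return False        # forbidden pattern present inside the window
            continue                # a negated content does not advance the cursor
        if idx == -1:
            return False
        cursor += idx + len(pattern)
    return rule["pcre"].search(payload) is not None


def classify(payload):
    """Return the msg strings of every rule that would fire on this request."""
    return [r["msg"] for r in RULES if rule_matches(r, payload)]


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:12s} -> {classify(req) or ['(no alert)']}")
```

Running the script shows dell_gteko hitting only the dell-spyware rule, plain_win98 hitting only the policy-violation rule, winxp hitting neither, and gteko_far landing in the policy-violation rule even though the first rule's pcre alone would have matched it: the content:"GtekClient"; within:50 check in rule 1 fails, and the negation window in rule 2 does not reach the string either. Widening both within values in step keeps the two rules mutually exclusive if longer User-Agent strings turn up in your traffic.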