[Emerging-Sigs] Win98 alerts on 2007695
Nathaniel Richmond
nate+emerging at richmond-family.org
Fri Mar 21 09:29:54 EST 2008
Jack,
Good solution.
It's not just Dell that uses the agent.
http://lists.bleedingthreats.net/pipermail/bleeding-sigs/2007-November/003154.html
Nate
Jack Pepper wrote:
> the 2007695 rule for detecting win98 boxes was getting some bogus
> hits
> on a piece of Dell Spyware. I have split it into two separate
> rules:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
> Gteko User-Agent Detected - Dell Remote Access";
> flow:established,to_server; content:"|0d 0a|User-Agent\: ";
> content:"Windows 98"; within:50; content:"GtekClient";
> within:50;pcre:"/User-Agent\:[^\n]+Windows 98[^\n]+GtekClient/i";
> classtype:dell-spyware;
> reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA;
> sid:1007696; rev:7;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
> Windows 98 User-Agent Detected - Possible Malware or Non-Updated
> System";
> flow:established,to_server; content:"|0d 0a|User-Agent\: ";
> content:"Windows 98"; within:200; content: !"GtekClient"; within:50;
> pcre:"/User-Agent\:[^\n]+Windows 98/i";
> classtype:policy-violation;
> reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA;
> sid:2007695; rev:8;)
>
> And I decided to create a new classification to go with it, since we
> can't do anything about it on the students' machines:
>
> config classification: dell-spyware,A built-in backdoor was
> detected, 3
>
> There is packet data in the wiki to describe this finding.
>
> jp
>
> --
>
> Framework? I don't need no stinking framework!
>
> ----------------------------------------------------------------
> @fferent Security Labs: Isolate/Insulate/Innovate
> http://www.afferentsecurity.com
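To show how the two rules quoted above divide the traffic, here is an added Python emulation of their content/within/negated-content logic run over constructed HTTP requests (example code, not from the list post or the Emerging Threats ruleset). The agent strings are assumptions; the `far_gteko` sample only exists to show that the negated `content` in sid 2007695 looks at most 50 bytes past "Windows 98", so a GtekClient token further along still fires the generic policy rule.

```python
import re

# Constructed sample HTTP requests (not the packet data from the wiki).
SAMPLES = {
    "gteko":     (b"GET /status HTTP/1.1\r\nHost: example.invalid\r\n"
                  b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; GtekClient 1.0)\r\n\r\n"),
    "plain98":   (b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"
                  b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)\r\n\r\n"),
    "xp":        (b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"
                  b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n"),
    # Assumed variant: "GtekClient" sits more than 50 bytes after "Windows 98",
    # outside the negated content's window, so only sid 2007695 fires.
    "far_gteko": (b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"
                  b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; "
                  + b"x" * 60 + b"; GtekClient 1.0)\r\n\r\n"),
}

UA_ANCHOR = b"\r\nUser-Agent: "   # content:"|0d 0a|User-Agent\: "
RE_GTEKO = re.compile(rb"User-Agent\:[^\n]+Windows 98[^\n]+GtekClient", re.I)
RE_WIN98 = re.compile(rb"User-Agent\:[^\n]+Windows 98", re.I)

def content_within(payload, needle, start, within):
    """Emulate Snort content + within: needle must lie wholly inside the
    `within` bytes that follow offset `start`. Returns end offset or -1."""
    idx = payload[start:start + within].find(needle)
    return -1 if idx < 0 else start + idx + len(needle)

def fired_sids(payload):
    """Evaluate both rules on one request; Snort raises every rule that matches."""
    sids = set()
    pos = payload.find(UA_ANCHOR)
    if pos < 0:
        return sids
    ua = pos + len(UA_ANCHOR)
    # sid 1007696: "Windows 98" within 50 of the header, "GtekClient" within 50 of that
    w98 = content_within(payload, b"Windows 98", ua, 50)
    if w98 >= 0 and content_within(payload, b"GtekClient", w98, 50) >= 0 and RE_GTEKO.search(payload):
        sids.add(1007696)
    # sid 2007695: "Windows 98" within 200, then NO "GtekClient" within 50 of it
    w98 = content_within(payload, b"Windows 98", ua, 200)
    if w98 >= 0 and content_within(payload, b"GtekClient", w98, 50) < 0 and RE_WIN98.search(payload):
        sids.add(2007695)
    return sids

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:10s} -> {sorted(fired_sids(req)) or 'no alert'}")
```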