[Emerging-Sigs] Win98 alerts on 2007695
Matt Jonkman
jonkman at jonkmans.com
Fri Mar 21 09:53:42 EST 2008
That is a good idea, Jack. I'll get it implemented momentarily in CVS!

Thanks for the reminder of the reference too, Nate. Added it to the wiki
entry.

Matt
Nathaniel Richmond wrote:
> Jack,
>
> Good solution.
>
> It's not just Dell that uses the agent.
> http://lists.bleedingthreats.net/pipermail/bleeding-sigs/2007-November/003154.html
>
> Nate
>
> Jack Pepper wrote:
>>
>> The 2007695 rule for detecting win98 boxes was getting some bogus hits
>> on a piece of Dell spyware. I have split it into two separate rules:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Gteko User-Agent Detected - Dell Remote Access"; \
>>   flow:established,to_server; content:"|0d 0a|User-Agent\: "; \
>>   content:"Windows 98"; within:50; content:"GtekClient"; within:50; \
>>   pcre:"/User-Agent\:[^\n]+Windows 98[^\n]+GtekClient/i"; \
>>   classtype:dell-spyware; \
>>   reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; \
>>   sid:1007696; rev:7;)
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System"; \
>>   flow:established,to_server; content:"|0d 0a|User-Agent\: "; \
>>   content:"Windows 98"; within:200; content:!"GtekClient"; within:50; \
>>   pcre:"/User-Agent\:[^\n]+Windows 98/i"; \
>>   classtype:policy-violation; \
>>   reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; \
>>   sid:2007695; rev:8;)
>>
>> And I decided to create a new classification to go with it, since we
>> can't do anything about it on the students' machines:
>>
>> config classification: dell-spyware,A built-in backdoor was detected,3
>>
>> There is packet data in the wiki to describe this finding.
>>
>> jp
>>
>> --
>>
>> Framework? I don't need no stinking framework!
>>
>> ----------------------------------------------------------------
>> @fferent Security Labs: Isolate/Insulate/Innovate
>> http://www.afferentsecurity.com
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>
>
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
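As an added illustration (not code from the original post, nor from Emerging Threats), here is a small Python emulation of the content/within chains and the pcre of the two rules above, run over a few constructed HTTP requests. It shows which sid fires on a plain Windows 98 browser, on a User-Agent carrying "GtekClient", and on a Windows XP browser, and it adds one constructed request that places "GtekClient" more than 50 bytes after "Windows 98" to show the edge of the negated content's within:50 window. The Snort matching semantics below are a simplified assumption (a content must fit entirely inside the window that starts at the end of the previous match; a negated content passes when the pattern is absent from that window); the sample requests and host names are made up for the example.

```python
import re

# Constructed sample requests (not packet data from the original post) used to
# exercise the two rules. The last one deliberately places "GtekClient" more
# than 50 bytes after "Windows 98" to show the limit of the within:50 window.
REQUESTS = {
    "win98_ie": (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                 b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)\r\n\r\n"),
    "gteko": (b"GET /agent HTTP/1.1\r\nHost: www.example.com\r\n"
              b"User-Agent: Mozilla/4.0 (compatible; Windows 98) GtekClient\r\n\r\n"),
    "winxp": (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
              b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n"),
    "gteko_far": (b"GET /agent HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"User-Agent: Mozilla/4.0 (compatible; Windows 98; " + b"x" * 60
                  + b") GtekClient\r\n\r\n"),
}

# The two rules from the post, reduced to their content/within chain plus pcre.
# Each content entry is (pattern, within, negated); within=None means "search
# the whole payload", as for the first content of a rule.
RULES = {
    1007696: {  # ET POLICY Gteko User-Agent Detected - Dell Remote Access
        "contents": [(b"\r\nUser-Agent: ", None, False),
                     (b"Windows 98", 50, False),
                     (b"GtekClient", 50, False)],
        "pcre": re.compile(rb"User-Agent:[^\n]+Windows 98[^\n]+GtekClient", re.I),
    },
    2007695: {  # ET POLICY Windows 98 User-Agent Detected - Possible Malware ...
        "contents": [(b"\r\nUser-Agent: ", None, False),
                     (b"Windows 98", 200, False),
                     (b"GtekClient", 50, True)],
        "pcre": re.compile(rb"User-Agent:[^\n]+Windows 98", re.I),
    },
}


def content_match(payload, pattern, cursor, within=None, negated=False):
    """Emulate one Snort content match (simplified, assumed semantics).

    The pattern must lie entirely inside the window that starts at the end of
    the previous match (cursor) and spans `within` bytes. A negated content
    passes when the pattern is absent from that window and leaves the cursor
    where it was. Returns (matched, new_cursor).
    """
    end = len(payload) if within is None else min(len(payload), cursor + within)
    idx = payload.find(pattern, cursor, end)
    if negated:
        return idx == -1, cursor
    if idx == -1:
        return False, cursor
    return True, idx + len(pattern)


def rule_matches(payload, rule):
    """Walk the rule's content chain in order, then apply its pcre."""
    cursor = 0
    for pattern, within, negated in rule["contents"]:
        ok, cursor = content_match(payload, pattern, cursor, within, negated)
        if not ok:
            return False
    return rule["pcre"].search(payload) is not None


def matching_sids(payload):
    """Return the sorted list of sids that would fire on this request."""
    return sorted(sid for sid, rule in RULES.items() if rule_matches(payload, rule))


if __name__ == "__main__":
    for name, request in REQUESTS.items():
        print(f"{name:10s} -> {matching_sids(request)}")
```

The first three requests behave as the split intends: the plain Windows 98 browser hits only 2007695, the GtekClient agent only 1007696, and Windows XP neither. The "gteko_far" request is the caveat: because the negated content only looks 50 bytes past "Windows 98", a User-Agent that carries "GtekClient" further out would still fire 2007695 while missing 1007696, so the two rules are complementary only for agents whose "GtekClient" token sits close to the "Windows 98" string.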