[Emerging-Sigs] MyWebSearch Toolbar Traffic (Agent)

James emerging at cyclohexane.net
Thu Jan 8 07:20:40 EST 2009


Hi,

I've received several hundred false-positives for one of my users on this
signature:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyWebSearch Toolbar Traffic (Agent)"; flow: to_server,established; content:" MyWay"; nocase; classtype:trojan-activity; sid: 2001662; rev:9;)

It turns out a cookie on the BBC news website contains "; myway=default" at
the end.

Let me know if you need more info than that.

Thanks
James
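
Added example, not part of the original message or of the Emerging Threats ruleset: a small Python model of why the unscoped, case-insensitive content match in sid 2001662 fires on the cookie described above, compared with a check confined to the User-Agent header. That the rule was meant to key on the User-Agent is an assumption drawn from "(Agent)" in its msg; both requests, their hostnames and the function names are constructed for illustration.

```python
# Added illustration; the requests below are constructed samples, not captures.
NEEDLE = b" MyWay"  # content string from sid 2001662, matched with nocase


def unscoped_match(payload: bytes) -> bool:
    """Mimic content:" MyWay"; nocase; searched over the whole to_server payload."""
    return NEEDLE.lower() in payload.lower()


def parse_headers(payload: bytes) -> dict:
    """Return request headers as {lowercased name: value}; the body is ignored."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def user_agent_match(payload: bytes) -> bool:
    """Hypothetical scoped check: look for the string only inside User-Agent."""
    ua = parse_headers(payload).get(b"user-agent", b"")
    return b"myway" in ua.lower()


def classify(payload: bytes) -> dict:
    return {"unscoped": unscoped_match(payload),
            "user_agent": user_agent_match(payload)}


# Constructed request carrying a cookie that ends in "; myway=default".
COOKIE_REQUEST = (b"GET /news/ HTTP/1.1\r\n"
                  b"Host: news.example\r\n"
                  b"User-Agent: Mozilla/5.0 (constructed browser)\r\n"
                  b"Cookie: session=abc123; myway=default\r\n\r\n")

# Constructed request whose User-Agent contains the string (assumed shape).
AGENT_REQUEST = (b"GET /search HTTP/1.1\r\n"
                 b"Host: toolbar.example\r\n"
                 b"User-Agent: Mozilla/4.0 (compatible; MyWay; constructed)\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("cookie", COOKIE_REQUEST), ("agent", AGENT_REQUEST)):
        print(label, classify(req))
```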


