[Emerging-Sigs] MyWebSearch Toolbar Traffic (Agent)

Matt Jonkman jonkman at jonkmans.com
Thu Jan 8 11:00:23 EST 2009


Hmmm, that's a bad FP. And looking at that sig, I think we're best
dropping it. The current versions of MyWay use a distinct user-agent
which we do have a sig for.

I'll remove the sig. It's obsolete.

Thanks for the report!!

Matt

James wrote:
> Hi,
> 
> I've received several hundred false-positives for one of my users on this
> signature:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyWebSearch Toolbar Traffic (Agent)"; flow: to_server,established; content:" MyWay"; nocase; classtype:trojan-activity; sid: 2001662; rev:9;)
> 
> It turns out a cookie on the BBC news website contains "; myway=default" at
> the end.
> 
> Let me know if you need more info than that.
> 
> Thanks
> James
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
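
Added example, not part of the original thread or of the Emerging Threats ruleset: a Python emulation of why an unscoped, case-insensitive content match fires on the cookie James describes, compared with the same string checked only inside the User-Agent header. Both HTTP requests, the host names and the toolbar User-Agent value are constructed placeholders, and the helper names are hypothetical.

```python
# Added illustration. Requests below are constructed sample data, not captures.

RULE_CONTENT = b" MyWay"  # content string from the rule quoted in the thread

# Constructed: ordinary browser request whose cookie ends in "; myway=default"
BROWSER_REQ = (
    b"GET /news/ HTTP/1.1\r\n"
    b"Host: news.example\r\n"
    b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.5\r\n"
    b"Cookie: edition=uk; myway=default\r\n"
    b"\r\n"
)

# Constructed: request carrying a placeholder toolbar User-Agent (assumed value)
TOOLBAR_REQ = (
    b"GET /search HTTP/1.1\r\n"
    b"Host: toolbar.example\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MyWay; PLACEHOLDER)\r\n"
    b"\r\n"
)


def payload_match(request: bytes, content: bytes = RULE_CONTENT) -> bool:
    """Emulate content:"..."; nocase; with no buffer restriction:
    the string may appear anywhere in the client-to-server payload."""
    return content.lower() in request.lower()


def header_value(request: bytes, name: bytes) -> bytes:
    """Return the raw value of the first header called `name`, or b""."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        field, sep, value = line.partition(b":")
        if sep and field.strip().lower() == name.lower():
            return value
    return b""


def user_agent_match(request: bytes, content: bytes = RULE_CONTENT) -> bool:
    """Same case-insensitive match, restricted to the User-Agent header."""
    return content.lower() in header_value(request, b"User-Agent").lower()


if __name__ == "__main__":
    for label, req in (("browser", BROWSER_REQ), ("toolbar", TOOLBAR_REQ)):
        print(label, "payload:", payload_match(req),
              "user-agent only:", user_agent_match(req))
```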



