[Emerging-Sigs] Suspect Digital Alpha UA...

Martin Holste mcholste at gmail.com
Sat Oct 2 12:40:40 EDT 2010


I think this sig, as well as other sigs for super-old platforms will
be valuable not only for spotting fake UAs, but also for alerting
admins to boxes that have been forgotten about for thousands of years
(ok, maybe thousands of days).  What are the chances the box that is
actually an Alpha is actually patched?  I would personally welcome
more sigs like this for a poor-man's network discovery tool.  They
would obviously need some thresholding and maybe should be disabled by
default, but I can definitely see how they could be useful.

--Martin

On Fri, Oct 1, 2010 at 9:35 PM, waldo kitty <wkitty42 at windstream.net> wrote:
> On 10/1/2010 17:13, Michael Scheidell wrote:
>>   On 10/1/10 4:51 PM, Matthew Jonkman wrote:
>>>  alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL.RULES Suspect Inbound AlphaServer UA"; flow:to_server,established; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 4.01\; Digital AlphaServer 1000A 4/233\; Windows NT\; Powered By 64-Bit Alpha Processor)|0d 0a|"; nocase; classtype:trojan-activity; sid:1005004; rev:1;)
>> if they ARE, it's a sure bet they haven't been patched in a LONG time.
>> (I had a dec alpha 1000A. can't remember how long ago. was a great box).
>
> i bet! especially considering the comment from that one site i quoted... that
> comment being that they couldn't use that browser to apply the next updates to
> it... sheesh, what will m$ think of next? :lol:
>
>> but I doubt anyone.. wait .. I wonder if these might be running in
>> Iranian power plants?
>
> ROTFLMAO!!! if they are, they are really in trouble over there... today, i saw
> one of these UAs, the only one, actually attempt to visit my gallery instead of
> trying to infiltrate my forums... needless to say, it didn't get anywhere :P
>
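The thresholding idea raised in this thread, as an added example that is not part of the original messages: it scans HTTP log records for retired-platform User-Agents and reports each source at most once per window, similar to a per-source limit threshold. The record layout, the pattern table (apart from the Alpha strings taken from the quoted rule) and the sample records are assumptions constructed for illustration.

```python
import re
from collections import namedtuple

# Assumed pattern table. The first entry uses strings from the rule quoted in
# this thread; the other two are illustrative additions. Order matters: the
# first matching label wins.
LEGACY_UA = {
    "DEC Alpha / NT": re.compile(r"Digital AlphaServer|64-Bit Alpha Processor", re.I),
    "MSIE 4.x or older": re.compile(r"MSIE [1-4]\.\d", re.I),
    "Windows 95/98": re.compile(r"Windows 9[58]|Win9[58]", re.I),
}

Hit = namedtuple("Hit", "ts src platform")

def classify(user_agent):
    """Return the first legacy platform label matching the UA, or None."""
    for platform, pattern in LEGACY_UA.items():
        if pattern.search(user_agent):
            return platform
    return None

def find_legacy_hosts(records, window=3600):
    """records: time-ordered iterable of (epoch_seconds, src_ip, user_agent).
    Reports a (src, platform) pair at most once per `window` seconds."""
    last_alert = {}
    hits = []
    for ts, src, user_agent in records:
        platform = classify(user_agent)
        if platform is None:
            continue
        key = (src, platform)
        if key in last_alert and ts - last_alert[key] < window:
            continue  # suppressed: this source already reported in the window
        last_alert[key] = ts
        hits.append(Hit(ts, src, platform))
    return hits

# Constructed sample records (not real traffic).
ALPHA_UA = ("Mozilla/4.0 (compatible; MSIE 4.01; Digital AlphaServer 1000A 4/233; "
            "Windows NT; Powered By 64-Bit Alpha Processor)")
SAMPLE = [
    (1000, "10.0.0.5", ALPHA_UA),
    (1060, "10.0.0.5", ALPHA_UA),  # same source inside the window
    (1100, "10.0.0.9", "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"),
    (1200, "10.0.0.7", "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"),
    (5000, "10.0.0.5", ALPHA_UA),  # window expired, reported again
]

if __name__ == "__main__":
    for hit in find_legacy_hosts(SAMPLE):
        print(hit.ts, hit.src, hit.platform)
```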

