[Emerging-Sigs] Suspect Digital Alpha UA...
wkitty42 at windstream.net
Sat Oct 2 15:44:55 EDT 2010
On 10/2/2010 12:40, Martin Holste wrote:
> I think this sig, as well as other sigs for super-old platforms will
> be valuable not only for spotting fake UA's, but also for alerting
> admins to boxes that have been forgotten about for thousands of years
> (ok, maybe thousands of days).
agreed... I don't know if I made it known in my first post in this thread but I
found this UA /because/ it was being used to consistently try to beat a path
into my forums... it is pretty obvious that they're up to something when they
try to register the same name numerous times in a matter of seconds... even more
obvious when they do the register thing and then immediately attempt to post a
message within the same second or after only a few... *especially* on a forum
that requires confirmation and authentication :lol:
> What are the chances the box that is actually an Alpha is actually
I dunno... I've thought about possibly hunting one down... it might make a nice
friend for the System36 that's over here holding up one end of this custom
There's also the question of what the chances are that the box is really an
Alpha. One person has responded that they do have an Alpha, but it is running a
different OS, which was one consideration I had for leaving the entire UA string
in the rules that I posted :)
> I would personally welcome more sigs like this for a poor-man's network
> discovery tool. They would obviously need some thresholding and maybe
> should be disabled by default, but I can definitely see how they could
> be useful.
I figure since they are helpful to me, they should be helpful to others as
well... as I find these UAs that are consistently doing activities like those
described above, I research them to try to determine if creating a UA sig is
worth it or if it is too common a UA and one that is still in widespread use
performing normal browsing activities... stopping forum spammers based simply on
UA is only going to work for so long, though...
> On Fri, Oct 1, 2010 at 9:35 PM, waldo kitty<wkitty42 at windstream.net> wrote:
>> On 10/1/2010 17:13, Michael Scheidell wrote:
>>> On 10/1/10 4:51 PM, Matthew Jonkman wrote:
>>>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL.RULES Suspect Inbound AlphaServer UA"; flow:to_server,established; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 4.01\; Digital AlphaServer 1000A 4/233\; Windows NT\; Powered By 64-Bit Alpha Processor)|0d 0a|"; nocase; classtype:trojan-activity; sid:1005004; rev:1;)
>>> if they ARE, it's a sure bet they haven't been patched in a LONG time.
>>> (I had a DEC Alpha 1000A. Can't remember how long ago. Was a great box.)
>> I bet! especially considering the comment from that one site I quoted... that
>> comment being that they couldn't use that browser to apply the next updates to
>> it... sheesh, what will m$ think of next? :lol:
>>> but I doubt anyone.. wait .. I wonder if these might be running in
>>> Iranian power plants?
>> ROTFLMAO!!! if they are, they are really in trouble over there... today, I saw
>> one of these UAs, the only one, actually attempt to visit my gallery instead of
>> trying to infiltrate my forums... needless to say, it didn't get anywhere :P
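As an added illustration (not from the original post or from any of the thread's participants), the Python below applies the same User-Agent match the posted rule makes, but to web-server access-log lines instead of live traffic, and layers on the two behaviours discussed in the thread: a per-source threshold of the kind Martin suggests for sigs like this, and the "register, then post within seconds" pattern waldo describes. The log lines, client addresses and forum paths (/forum/register.php, /forum/posting.php) are constructed for the example and are not from the original message.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The exact User-Agent value the posted Snort rule matches on.
ALPHA_UA = ("Mozilla/4.0 (compatible; MSIE 4.01; Digital AlphaServer 1000A "
            "4/233; Windows NT; Powered By 64-Bit Alpha Processor)")

# Constructed sample access-log entries (Combined Log Format); not real traffic.
# The first client behaves like the forum spammer described in the thread:
# repeated registrations within seconds, then an immediate attempt to post.
OTHER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:1.9.2) Gecko/20100101 Firefox/3.6"
ENTRIES = [
    ("203.0.113.7",  "02/Oct/2010:15:40:01 -0400", "GET",  "/forum/register.php", 200, ALPHA_UA),
    ("203.0.113.7",  "02/Oct/2010:15:40:02 -0400", "POST", "/forum/register.php", 200, ALPHA_UA),
    ("203.0.113.7",  "02/Oct/2010:15:40:02 -0400", "POST", "/forum/register.php", 200, ALPHA_UA),
    ("203.0.113.7",  "02/Oct/2010:15:40:03 -0400", "POST", "/forum/register.php", 200, ALPHA_UA),
    ("203.0.113.7",  "02/Oct/2010:15:40:04 -0400", "POST", "/forum/posting.php",  403, ALPHA_UA),
    ("198.51.100.9", "02/Oct/2010:15:41:10 -0400", "GET",  "/gallery/",           200, ALPHA_UA.upper()),
    ("192.0.2.5",    "02/Oct/2010:15:41:11 -0400", "GET",  "/forum/index.php",    200, OTHER_UA),
]
SAMPLE_LOG = [
    f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 1024 "-" "{ua}"'
    for ip, ts, method, path, status, ua in ENTRIES
]

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_clf(line):
    """Parse one Combined Log Format line into a dict, or None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_alpha_ua(ua):
    """Whole-header, case-insensitive match, mirroring the rule's full content string plus `nocase`."""
    return ua.lower() == ALPHA_UA.lower()


def alpha_hits(lines):
    """Return the parsed records whose User-Agent is the AlphaServer string, in log order."""
    recs = (parse_clf(line) for line in lines)
    return [r for r in recs if r and is_alpha_ua(r["ua"])]


def threshold_by_src(hits, count, seconds):
    """Alert once per source when `count` hits fall within a `seconds` window, then reset,
    the way a Snort `threshold: type threshold, track by_src` would. Assumes log order."""
    windows = defaultdict(deque)
    alerts = []
    for h in hits:
        q = windows[h["ip"]]
        q.append(h["ts"])
        while (h["ts"] - q[0]).total_seconds() > seconds:
            q.popleft()
        if len(q) >= count:
            alerts.append((h["ip"], q[0], h["ts"]))
            q.clear()
    return alerts


def register_then_post(hits, max_gap_seconds):
    """Flag a post attempt that follows the same source's most recent registration
    request within `max_gap_seconds`: the 'register, then post within seconds' pattern."""
    last_register = {}
    flagged = []
    for h in hits:
        if h["path"].endswith("/register.php"):
            last_register[h["ip"]] = h["ts"]
        elif h["path"].endswith("/posting.php") and h["ip"] in last_register:
            gap = (h["ts"] - last_register[h["ip"]]).total_seconds()
            if gap <= max_gap_seconds:
                flagged.append((h["ip"], gap))
    return flagged


if __name__ == "__main__":
    hits = alpha_hits(SAMPLE_LOG)
    print(f"{len(hits)} requests carried the AlphaServer UA")
    for ip, first, last in threshold_by_src(hits, count=3, seconds=5):
        print(f"threshold: {ip} sent 3 hits between {first.time()} and {last.time()}")
    for ip, gap in register_then_post(hits, max_gap_seconds=3):
        print(f"register-then-post: {ip} tried to post {gap:.0f}s after registering")
```

Run it as a script to see the two alerts. The comparison is a whole-header, case-insensitive match like the rule's, so a host sending a slightly different Alpha string is not matched; that is the trade-off of leaving the entire UA in the content string, as the poster chose to.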