[Emerging-Sigs] SIGS: Avzhan DDOS Bot Fake User Agents
william.metcalf at gmail.com
Mon Oct 11 18:16:01 EDT 2010
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> USER_AGENTS Potential Avzhan DDOS Bot or abnormal User-Agent";
> flow:established,to_server; content:"User-Agent|3A|Mozilla"; http_header;
> sid:2010xxx; rev:1;)
Based on the sample datasets I have, I think this will fp a lot.
Looking at the traffic this sig trips on, it seems there are some
lesser-known valid browsers that will cause this to fire.