[Emerging-Sigs] SIGS: Avzhan DDOS Bot Fake User Agents

Will Metcalf william.metcalf at gmail.com
Mon Oct 11 18:16:01 EDT 2010

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> USER_AGENTS Potential Avzhan DDOS Bot or abnormal User-Agent";
> flow:established,to_server; content:"User-Agent|3A|Mozilla"; http_header;
> classtype:trojan-activity;
> reference:url,blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html;
> reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan;
> sid:2010xxx; rev:1;)

Based on the sample datasets I have, I think this will fp a lot.
Looking at the traffic this sig trips on it seems there are some
lesser known valid browsers that will cause this to fire.
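As an added illustration (not part of this thread or the rule's author's work), the check below decodes the rule's Snort content string, including the `|3A|` hex escape, and runs the resulting case-sensitive byte match over constructed HTTP request samples. HTTP permits omitting the whitespace after the header colon, so a legitimate but unusual client that writes `User-Agent:Mozilla...` produces the same bytes the rule keys on; the client names and requests are made up for the demonstration.

```python
import re

# Content pattern copied from the rule under discussion; |3A| is Snort's
# hex escape for a colon, so the rule matches "User-Agent:Mozilla" with no
# whitespace between the colon and the value.
RULE_CONTENT = "User-Agent|3A|Mozilla"


def snort_content_to_bytes(content: str) -> bytes:
    """Decode a Snort content string: text outside |...| is literal,
    text inside |...| is hex bytes (e.g. |3A 20| -> b': ')."""
    out = bytearray()
    for i, seg in enumerate(content.split("|")):
        if i % 2 == 0:
            out += seg.encode("latin-1")
        else:
            out += bytes.fromhex(seg.replace(" ", ""))
    return bytes(out)


def rule_matches(raw_headers: bytes) -> bool:
    """Default content match without nocase: case-sensitive substring
    search over the header buffer (stand-in for http_header)."""
    return snort_content_to_bytes(RULE_CONTENT) in raw_headers


def user_agent(raw_headers: bytes) -> str:
    """Extract the raw User-Agent value, leading whitespace preserved."""
    m = re.search(rb"(?im)^User-Agent:([^\r\n]*)", raw_headers)
    return m.group(1).decode("latin-1") if m else ""


# Constructed sample requests (not captured traffic).
SAMPLES = {
    # Mainstream "Header: value" form with a space; the rule does not fire.
    "mainstream_browser": b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                          b"User-Agent: Mozilla/5.0 (X11; Linux) Firefox/3.6\r\n\r\n",
    # Bot-style header with no space after the colon; the rule fires.
    "no_space_bot_style": b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                          b"User-Agent:Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n",
    # A valid but sloppy client that also omits the space: identical bytes
    # as far as the rule is concerned, so it fires here too (false positive).
    "sloppy_valid_client": b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                           b"User-Agent:Mozilla/5.0 (compatible; MinorBrowser/1.0)\r\n\r\n",
}


def report(samples=SAMPLES) -> dict:
    """Map sample name -> (rule fired?, User-Agent value)."""
    return {name: (rule_matches(raw), user_agent(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (fired, ua) in report().items():
        print(f"{name:20s} fired={fired!s:5s} UA={ua!r}")
```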