[Emerging-Sigs] SIGS: Avzhan DDOS Bot Fake User Agents

Kevin Ross kevross33 at googlemail.com
Tue Oct 12 04:08:37 EDT 2010


That is a surprise. I thought it would be rare to see such a thing and that it
was a decent starting point to try and help avoid the PCRE. Oh well, I
suppose the existing sigs for this will have to do. Regards, Kevin

On 11 October 2010 23:16, Will Metcalf <william.metcalf at gmail.com> wrote:

> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> > USER_AGENTS Potential Avzhan DDOS Bot or abnormal User-Agent";
> > flow:established,to_server; content:"User-Agent|3A|Mozilla"; http_header;
> > classtype:trojan-activity;
> > reference:url,blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html;
> > reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan;
> > sid:2010xxx; rev:1;)
>
> Based on the sample datasets I have, I think this will fp a lot.
> Looking at the traffic this sig trips on it seems there are some
> lesser known valid browsers that will cause this to fire.
>
> Regards,
>
> Will
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
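To make concrete what the quoted content match actually tests, and why a legitimate client can trip it, here is an added Python example that is not from the thread or from the ET ruleset. It decodes the sig's `content:` option (the `|3A|` hex escape) and emulates the case-sensitive byte match over the header portion of a few constructed HTTP requests; the sample requests and their benign/malicious labels are assumptions for illustration.

```python
# Added example: emulate the content match of the quoted ET sig against
# constructed HTTP requests to see which User-Agent headers it fires on.

RULE_CONTENT = "User-Agent|3A|Mozilla"   # the content: option from the quoted sig


def decode_content(pattern: str) -> bytes:
    """Turn a Snort/Suricata content string with |hex| escapes into raw bytes."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")   # literal text outside the pipes
        else:
            out += bytes.fromhex(part)      # hex bytes between the pipes
    return bytes(out)


def http_header_buffer(request: bytes) -> bytes:
    """Approximate the http_header buffer: header lines after the request line."""
    head, _, _ = request.partition(b"\r\n\r\n")
    _, _, headers = head.partition(b"\r\n")
    return headers + b"\r\n"


def rule_fires(request: bytes) -> bool:
    """True if the sig's content match (no nocase, so case-sensitive) would hit."""
    return decode_content(RULE_CONTENT) in http_header_buffer(request)


def build_request(user_agent_line: bytes) -> bytes:
    return b"GET / HTTP/1.1\r\nHost: example.com\r\n" + user_agent_line + b"\r\n\r\n"


# Constructed samples: label -> (request, is_malicious). Labels are assumptions.
SAMPLES = {
    "mainstream browser": (build_request(b"User-Agent: Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"), False),
    "bot-style, no space after colon": (build_request(b"User-Agent:Mozilla/4.0 (compatible; MSIE 6.0)"), True),
    "legit but quirky client, no space": (build_request(b"User-Agent:Mozilla/4.0 (compatible; quirky-browser)"), False),
    "lowercase header name": (build_request(b"user-agent:Mozilla/4.0"), False),
}


def evaluate(samples=SAMPLES) -> dict:
    """Return {label: (fired, is_malicious)} so hits, misses and FPs are visible."""
    return {label: (rule_fires(req), mal) for label, (req, mal) in samples.items()}


def false_positives(samples=SAMPLES) -> list:
    """Labels of benign requests the sig fires on (the FP class Will describes)."""
    return [label for label, (fired, mal) in evaluate(samples).items() if fired and not mal]
```

Note that the match is on the exact bytes `User-Agent:Mozilla`, so any client that omits the space after the colon fires it regardless of intent, while a lowercased header name does not.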