[Emerging-Sigs] SIGS: Avzhan DDOS Bot Fake User Agents

waldo kitty wkitty42 at windstream.net
Tue Oct 12 14:47:50 EDT 2010

On 10/11/2010 18:16, Will Metcalf wrote:
>> alert tcp $HOME_NET any ->  $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>> USER_AGENTS Potential Avzhan DDOS Bot or abnormal User-Agent";
>> flow:established,to_server; content:"User-Agent|3A|Mozilla"; http_header;
>> classtype:trojan-activity;
>> reference:url,blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html;
>> reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan;
>> sid:2010xxx; rev:1;)
> Based on the sample datasets I have, I think this will fp a lot.
> Looking at the traffic this sig trips on it seems there are some
> lesser known valid browsers that will cause this to fire.

that's not cool... is there a list of these browsers somewhere??
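To see what that signature actually keys on before judging the FP question, here is an added example (written for this page, not code from the thread or from Emerging Threats): it decodes the rule's `|3A|` notation into the literal bytes `User-Agent:Mozilla` and runs that match over constructed requests. It assumes the engine's `http_header` buffer keeps the bytes after the colon as sent, so the rule fires only when a client omits the space after `User-Agent:`, and, since the rule has no `nocase`, only with that exact capitalisation.

```python
# Snort/Suricata content string quoted in the thread; |3A| is hex for ':'.
RULE_CONTENT = "User-Agent|3A|Mozilla"


def decode_snort_content(s: str) -> bytes:
    """Expand a Snort 'content' string, turning |hh hh| runs into raw bytes."""
    out = bytearray()
    for i, part in enumerate(s.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")          # literal text segment
        else:
            out += bytes.fromhex(part.replace(" ", ""))  # hex segment
    return bytes(out)


def http_header_buffer(raw_request: bytes) -> bytes:
    """Approximation of the http_header buffer: header lines only, no body.
    Assumes the engine does not rewrite whitespace after the colon."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    _, _, headers = head.partition(b"\r\n")  # drop the request line
    return headers


def rule_fires(raw_request: bytes, content: str = RULE_CONTENT) -> bool:
    """Case-sensitive substring match: the rule carries no 'nocase' modifier."""
    return decode_snort_content(content) in http_header_buffer(raw_request)


# Constructed sample requests (not real captures) covering the cases that matter.
SAMPLES = {
    "firefox_normal": (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
                       b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/3.6\r\n\r\n"),
    "no_space_after_colon": (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
                             b"User-Agent:Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n"),
    "lowercase_header_name": (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
                              b"user-agent:Mozilla/5.0\r\n\r\n"),
    "ua_in_body_only": (b"POST / HTTP/1.1\r\nHost: example.com\r\n"
                        b"Content-Length: 18\r\n\r\nUser-Agent:Mozilla"),
}


def triage(samples=SAMPLES) -> dict:
    """Map each sample name to whether the rule's content match would fire."""
    return {name: rule_fires(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, fired in triage().items():
        print(f"{name:24s} {'ALERT' if fired else 'no match'}")
```

Any legitimate client that sends `User-Agent:` without the trailing space will show up as a hit here, which is exactly the class of "lesser known valid browsers" Will refers to; run `rule_fires` over a pcap-extracted header set to measure that before deploying.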

