[Emerging-Sigs] SIGS: Avzhan DDOS Bot Fake User Agents
wkitty42 at windstream.net
Tue Oct 12 14:47:50 EDT 2010
On 10/11/2010 18:16, Will Metcalf wrote:
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>> USER_AGENTS Potential Avzhan DDOS Bot or abnormal User-Agent";
>> flow:established,to_server; content:"User-Agent|3A|Mozilla"; http_header;
>> sid:2010xxx; rev:1;)
> Based on the sample datasets I have, I think this will fp a lot.
> Looking at the traffic this sig trips on it seems there are some
> lesser known valid browsers that will cause this to fire.
That's not cool... is there a list of these browsers somewhere??
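
Added example (not part of the original thread or of the Emerging Threats ruleset): a Python triage script that applies the rule's literal content bytes to raw request headers and tallies the User-Agent values it fires on, one way to build a list of triggering clients from your own traffic. It assumes a plain case-sensitive substring match over unnormalized headers, which approximates the rule's content match and is not any IDS engine's own http_header handling; the sample requests and client names are constructed.

```python
from collections import Counter

# Literal bytes of the rule's content match: "User-Agent|3A|Mozilla" (|3A| is ':').
RULE_CONTENT = b"User-Agent:Mozilla"

# Constructed sample requests (not captured traffic); client names are made up.
SAMPLE_REQUESTS = [
    b"GET / HTTP/1.1\r\nHost: a.example\r\nUser-Agent: Mozilla/5.0 (X11; Linux)\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: b.example\r\nUser-Agent:Mozilla/4.0 (compatible; ExampleClient)\r\n\r\n",
    b"GET /x HTTP/1.1\r\nHost: c.example\r\nUser-Agent:Mozilla/4.0 (compatible; ExampleClient)\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: d.example\r\nuser-agent:Mozilla/5.0 (OtherClient)\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: e.example\r\nUser-Agent:\tMozilla/5.0\r\n\r\n",
]

def header_block(request: bytes) -> bytes:
    """Return the header lines only (request line and body excluded)."""
    head = request.split(b"\r\n\r\n", 1)[0]
    parts = head.split(b"\r\n", 1)
    return parts[1] if len(parts) > 1 else b""

def user_agent(headers: bytes) -> str:
    """Extract the User-Agent value, tolerating any case and optional whitespace."""
    for line in headers.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip().decode("latin-1")
    return ""

def rule_fires(request: bytes) -> bool:
    """Case-sensitive substring match; the rule carries no 'nocase' modifier."""
    return RULE_CONTENT in header_block(request)

def triage(requests):
    """Count the User-Agent values on which the rule would fire."""
    hits = Counter()
    for req in requests:
        if rule_fires(req):
            hits[user_agent(header_block(req))] += 1
    return hits

if __name__ == "__main__":
    for ua, n in triage(SAMPLE_REQUESTS).most_common():
        print(f"{n:4d}  {ua}")
```

Only the requests that send "User-Agent:Mozilla" with no whitespace after the colon are counted; the usual "User-Agent: Mozilla" form, a lowercase header name, and a tab separator do not match the literal bytes.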