[Emerging-Sigs] SIGS: Avzhan DDOS Bot Fake User Agents

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Oct 12 17:47:59 EDT 2010

What are people seeing/ Getting FPs?

I'm not seeing any.


On Oct 12, 2010, at 2:47 PM, waldo kitty wrote:

> On 10/11/2010 18:16, Will Metcalf wrote:
>>> alert tcp $HOME_NET any ->  $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>>> USER_AGENTS Potential Avzhan DDOS Bot or abnormal User-Agent";
>>> flow:established,to_server; content:"User-Agent|3A|Mozilla"; http_header;
>>> classtype:trojan-activity;
>>> reference:url,blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html;
>>> reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan;
>>> sid:2010xxx; rev:1;)
>> Based on the sample datasets I have, I think this will fp a lot.
>> Looking at the traffic this sig trips on it seems there are some
>> lesser known valid browsers that will cause this to fire.
> that's not cool... is there a list of these browsers somewhere??
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html

Matthew Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205

PGP: http://www.jonkmans.com/mattjonkman.asc

More information about the Emerging-sigs mailing list