[Emerging-Sigs] FPs on "ET USER_AGENTS Suspicious User-Agent (contains loader)"

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Oct 12 18:19:21 EDT 2010

Ya, this is an oldie but a goodie. I've found good things on this, but it's definitely not a 100% bad hit. That's why we called it suspicious vs bad. 

I don't know of a good way to eliminate those hits. They're interesting to a degree depending on your environment. 

Any ideas?


On Oct 12, 2010, at 2:11 PM, Jeff Kell wrote:

> Not sure what the original was intended to look for, but would anchoring the "loader"
> with a leading space do the trick?  or was this a generic catch for uploader/downloader?
> Jeff
> On 10/12/2010 2:06 PM, Jeff Kell wrote:
>> On 10/11/2010 6:46 PM, Jeff Kell wrote:
>>> This signature fires on the Inno Setup Downloader (see
>>> http://en.wikipedia.org/wiki/Inno_Setup ).
>> Also FPs on "Blizzard Downloader"  (World of Warcraft update engine).
>> Jeff
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html

Matthew Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205

PGP: http://www.jonkmans.com/mattjonkman.asc

More information about the Emerging-sigs mailing list