[Emerging-Sigs] ET POLICY NSPlayer User-Agent - Windows Media Player streaming detected

L0rd Ch0de1m0rt l0rdch0de1m0rt at gmail.com
Fri Oct 29 14:17:01 EDT 2010


Hello.  I propose this simple policy rule to alert on people streaming
media with Windows Media Player:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY NSPlayer User-Agent - Windows Media Player streaming detected"; flow:established,to_server; content:"User-Agent|3A 20|NSPlayer|2F|"; http_header; threshold: type limit, track by_src, seconds 300, count 1; reference:url,msdn.microsoft.com/en-us/library/cc234851(PROT.10).aspx; sid:2011xyz; rev:1;)

Example HTTP headers:

Accept: */*
User-Agent: NSPlayer/11.0.5721.5251
Host: pubint-wnedfm.wm.llnwd.net
Pragma: xClientGUID={3300AD50-2C39-46c0-AE0A-DEADBEEF0FDA5EA}
X-Accept-Authentication: Negotiate, NTLM, Digest, Basic
Pragma: client-id=1887181337
Pragma: xStopStrm=1
Content-Length: 0

We may need to have it disabled by default if it is too noisy but I
thresholded it so maybe we don't.

-L0rd C.