[Emerging-Sigs] ET POLICY VMware User-Agent Outbound

Bad Horse b4dh0rs3 at gmail.com
Thu Oct 6 09:31:51 EDT 2011


This just looks for a vmware User Agent.  It is POLICY and I'm not opposed
to it being disabled by default, I just figure someone could use it to help
identify VMware instances on their network.  We could also throw in some
negated header matches for things like 'Accept-Encoding' but I don't think
it is necessary.

Rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY VMware User-Agent Outbound"; flow:established,to_server; content:"|0D 0A|User-Agent|3A 20|vmware"; http_header; classtype:policy-violation; reference:url,www.vmware.com; sid:b4dh0rs3_9; rev:1;)

Pcap:

GET /cds/vmw-desktop/ws/7.1.5/491717/windows/packages/tools-winPre2k-8.4.8.exe.tar HTTP/1.1
User-Agent: vmware-ws-windows/7.1.5 (CDS 1.0; Windows 6.1)
Host: softwareupdate.vmware.com
Accept: */*

-B4d H0rs3
 The Thoroughbred of SYN
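Added example, not part of the post above and not an ET or Snort/Suricata component: a small Python re-implementation of what the rule's single content match does (the decoded bytes "\r\nUser-Agent: vmware" searched in the HTTP header block), run over a few constructed requests. The first sample reproduces the request from the post; the others are made up to show two properties of the rule as written: the leading |0D 0A| means the match only fires on a header that starts with User-Agent (not on the same text inside another header's value or in the body), and without nocase the match is case-sensitive, so a "VMware ..." user agent would be missed.

```python
from typing import Dict, Optional

# The rule's content keyword, decoded: "|0D 0A|User-Agent|3A 20|vmware".
# Snort/Suricata content matches are case-sensitive unless 'nocase' is set,
# and this mirrors that (plain byte search, no lowercasing).
PATTERN = b"\r\nUser-Agent: vmware"


def header_block(request: bytes) -> bytes:
    """Return the request line plus headers, up to and including the blank
    line; anything after that is body and is not in the http_header buffer."""
    end = request.find(b"\r\n\r\n")
    return request if end < 0 else request[: end + 4]


def matches_rule(request: bytes) -> bool:
    """True when the rule's content match would hit on this request."""
    return PATTERN in header_block(request)


def user_agent(request: bytes) -> Optional[str]:
    """Case-insensitive User-Agent extraction, for comparing against the
    rule's case-sensitive verdict."""
    for line in header_block(request).split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip().decode("latin-1")
    return None


# Constructed sample requests. Only the first one is taken from the post;
# the rest are hypothetical inputs for exercising the match.
SAMPLES: Dict[str, bytes] = {
    "vmware_tools_update": (
        b"GET /cds/vmw-desktop/ws/7.1.5/491717/windows/packages/"
        b"tools-winPre2k-8.4.8.exe.tar HTTP/1.1\r\n"
        b"User-Agent: vmware-ws-windows/7.1.5 (CDS 1.0; Windows 6.1)\r\n"
        b"Host: softwareupdate.vmware.com\r\n"
        b"Accept: */*\r\n\r\n"
    ),
    "host_header_first": (
        b"GET /update HTTP/1.1\r\n"
        b"Host: example.test\r\n"
        b"User-Agent: vmware-ws-windows/7.1.5\r\n\r\n"
    ),
    "browser": (
        b"GET / HTTP/1.1\r\n"
        b"Host: example.test\r\n"
        b"User-Agent: Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/7.0\r\n\r\n"
    ),
    # Same vendor, different capitalisation: missed without 'nocase'.
    "capitalized": (
        b"GET / HTTP/1.1\r\n"
        b"Host: example.test\r\n"
        b"User-Agent: VMware Workstation/7.1.5\r\n\r\n"
    ),
    # The bytes appear inside another header's value, not at a header start.
    "inside_other_header": (
        b"GET / HTTP/1.1\r\n"
        b"Host: example.test\r\n"
        b"X-Debug: User-Agent: vmware\r\n\r\n"
    ),
    # The bytes appear only in the POST body.
    "in_body_only": (
        b"POST /submit HTTP/1.1\r\n"
        b"Host: example.test\r\n"
        b"Content-Length: 21\r\n\r\n"
        b"\r\nUser-Agent: vmware"
    ),
}


def evaluate(samples: Dict[str, bytes]) -> Dict[str, bool]:
    """Map each sample name to the rule's verdict."""
    return {name: matches_rule(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLES).items():
        print(f"{name:22s} alert={hit!s:5s} UA={user_agent(SAMPLES[name])!r}")
```

The "capitalized" sample is the one worth keeping in mind when tuning: user_agent() finds a VMware string there, but the rule does not alert on it, because the content match is byte-exact. Adding nocase (or a second content for the capitalised form) would widen coverage at the cost of the false positives that motivated keeping the rule disabled by default.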