[Emerging-Sigs] ET POLICY VMware User-Agent Outbound

Martin Holste mcholste at gmail.com
Thu Oct 6 09:36:04 EDT 2011


Seems like it would be an accurate and helpful sig, I vote enabled by default.

On Thu, Oct 6, 2011 at 8:31 AM, Bad Horse <b4dh0rs3 at gmail.com> wrote:
> This just looks for a vmware User Agent.  It is POLICY and I'm not opposed
> to it being disabled by default, I just figure someone could use it to help
> identify VMware instances on their network.  We could also throw in some
> negated header matches for things like 'Accept-Encoding' but I don't think
> it is necessary.
>
> Rule:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY VMware User-Agent Outbound"; flow:established,to_server; content:"|0D 0A|User-Agent|3A 20|vmware"; http_header; classtype:policy-violation; reference:url,www.vmware.com; sid:b4dh0rs3_9; rev:1;)
>
> Pcap:
>
> GET /cds/vmw-desktop/ws/7.1.5/491717/windows/packages/tools-winPre2k-8.4.8.exe.tar HTTP/1.1
> User-Agent: vmware-ws-windows/7.1.5 (CDS 1.0; Windows 6.1)
> Host: softwareupdate.vmware.com
> Accept: */*
>
> -B4d H0rs3
>  The Thoroughbred of SYN
>
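A plain-Python approximation of the byte match the posted rule performs, added here as an illustration and not code from the thread or from Emerging Threats: it searches only the header block (the scope the `http_header` modifier imposes), keeps Snort's default case-sensitive `content` semantics since the rule carries no `nocase`, and includes the optional negated `Accept-Encoding` check mentioned above. The sample request is re-typed from the pcap in the thread; how Snort delimits its own header buffer is not shown on the page, so the request-line-through-blank-line scoping is an assumption.

```python
"""Approximate the content match of the ET POLICY VMware User-Agent rule."""

# Bytes encoded by content:"|0D 0A|User-Agent|3A 20|vmware" in the rule.
# The leading CRLF anchors the match to the start of a header line, so a
# header such as "X-User-Agent: vmware" does not match.
UA_PATTERN = b"\r\nUser-Agent: vmware"

# Constructed sample, re-typed from the request quoted in the thread.
SAMPLE_REQUEST = (
    b"GET /cds/vmw-desktop/ws/7.1.5/491717/windows/packages/"
    b"tools-winPre2k-8.4.8.exe.tar HTTP/1.1\r\n"
    b"User-Agent: vmware-ws-windows/7.1.5 (CDS 1.0; Windows 6.1)\r\n"
    b"Host: softwareupdate.vmware.com\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)


def header_block(request: bytes) -> bytes:
    """Return the request line and headers up to and including the blank line.

    Assumed scoping for the http_header modifier: anything after the first
    CRLF CRLF is body and is never inspected, so a body that happens to
    contain "User-Agent: vmware" cannot trigger the rule.
    """
    end = request.find(b"\r\n\r\n")
    return request if end < 0 else request[: end + 4]


def rule_matches(request: bytes, negate_accept_encoding: bool = False) -> bool:
    """True when the raw request would fire the rule.

    Snort content matches are case-sensitive without nocase, so the plain
    bytes comparison here deliberately rejects "User-Agent: VMware".
    negate_accept_encoding models the optional negated header match
    (content:!"|0D 0A|Accept-Encoding|3A|") floated in the thread.
    """
    hdr = header_block(request)
    if UA_PATTERN not in hdr:
        return False
    if negate_accept_encoding and b"\r\nAccept-Encoding:" in hdr:
        return False
    return True


if __name__ == "__main__":
    print("sample request fires rule:", rule_matches(SAMPLE_REQUEST))
```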

