[Emerging-Sigs] ET POLICY VMware User-Agent Outbound

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Oct 11 06:42:25 EDT 2011


Ya, sure. Let's go policy and enabled. Can you get that posted, Pedro?

Thanks

matt

On Oct 6, 2011, at 9:36 AM, Martin Holste wrote:

> Seems like it would be an accurate and helpful sig, I vote enabled by default.
> 
> On Thu, Oct 6, 2011 at 8:31 AM, Bad Horse <b4dh0rs3 at gmail.com> wrote:
>> This just looks for a vmware User Agent.  It is POLICY and I'm not opposed
>> to it being disabled by default, I just figure someone could use it to help
>> identify VMware instances on their network. We could also throw in some
>> negated header matches for things like 'Accept-Encoding' but I don't think
>> it is necessary.
>> 
>> Rule:
>> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY VMware User-Agent Outbound"; flow:established,to_server; content:"|0D 0A|User-Agent|3A 20|vmware"; http_header; classtype:policy-violation; reference:url,www.vmware.com; sid:b4dh0rs3_9; rev:1;)
>> 
>> Pcap:
>> 
>> GET /cds/vmw-desktop/ws/7.1.5/491717/windows/packages/tools-winPre2k-8.4.8.exe.tar HTTP/1.1
>> User-Agent: vmware-ws-windows/7.1.5 (CDS 1.0; Windows 6.1)
>> Host: softwareupdate.vmware.com
>> Accept: */*
>> 
>> -B4d H0rs3
>>  The Thoroughbred of SYN
>> 
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> 
>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> http://www.emergingthreatspro.com
>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
>> Current!
>> 


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
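The quoted rule's match logic, modelled as a stand-alone Python check over constructed requests (an added example, not code from the list or from the rule's author; the negated Accept-Encoding variant is an assumption about how the tightening suggested in the thread would be written):

```python
# Added example: a stand-alone model of the "ET POLICY VMware User-Agent
# Outbound" check from the thread. It is not Snort and not the list's code;
# it applies the rule's byte patterns to constructed HTTP request headers.

# Constructed requests. The first mirrors the pcap quoted in the thread.
VMWARE_UPDATE = (
    b"GET /cds/vmw-desktop/ws/7.1.5/491717/windows/packages/tools-winPre2k-8.4.8.exe.tar HTTP/1.1\r\n"
    b"User-Agent: vmware-ws-windows/7.1.5 (CDS 1.0; Windows 6.1)\r\n"
    b"Host: softwareupdate.vmware.com\r\n"
    b"Accept: */*\r\n\r\n"
)
BROWSER = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
    b"Accept-Encoding: gzip\r\n\r\n"
)
# Same vmware token, but with an Accept-Encoding header the real update client did not send.
OTHER_CLIENT = (
    b"GET /x HTTP/1.1\r\n"
    b"User-Agent: vmware-ws-windows/7.1.5\r\n"
    b"Accept-Encoding: gzip\r\n"
    b"Host: example.com\r\n\r\n"
)
# Capitalised token: the rule has no nocase, so this must NOT match.
CAPITALISED = VMWARE_UPDATE.replace(b"User-Agent: vmware", b"User-Agent: VMware")

UA_PATTERN = b"\r\nUser-Agent: vmware"      # content:"|0D 0A|User-Agent|3A 20|vmware"
ACCEPT_ENCODING = b"\r\nAccept-Encoding:"   # candidate for a negated (content:!) match

def header_block(request: bytes) -> bytes:
    """Request line plus headers, i.e. everything before the blank line."""
    return request.partition(b"\r\n\r\n")[0]

def matches_vmware_ua(request: bytes, negate_accept_encoding: bool = False) -> bool:
    """True when the rule's content match would fire on this request.

    The match is an exact, case-sensitive byte search, as a Snort content
    match without nocase is. The leading CRLF in the pattern means the
    User-Agent header has to start its own line. negate_accept_encoding
    models the optional tightening suggested in the thread (an assumption
    about how it would be written, not a rule from the list).
    """
    hdrs = header_block(request)
    if UA_PATTERN not in hdrs:
        return False
    return not (negate_accept_encoding and ACCEPT_ENCODING in hdrs)
```

Note that the plain rule fires on OTHER_CLIENT as well; only the negated-header variant separates it from the genuine softwareupdate.vmware.com traffic.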
