[Emerging-Sigs] FP's on 2009486 ET TROJAN Pingbed/Downbot User-Agent (Windows+NT+5.1)

Will Cladek william.cladek at nrl.navy.mil
Thu Oct 20 08:52:05 EDT 2011


I'm getting a high number of false positives on the following rule, updated yesterday:

old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pingbed User-Agent (Windows+NT+5.1)"; flow:established,to_server; content:"User-Agent|3a|"; http_header; content:"Windows+NT+5.1|0D 0A|"; http_header; fast_pattern:only; reference:url,doc.emergingthreats.net/2009486; classtype:trojan-activity; sid:2009486; rev:9;)

new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pingbed/Downbot User-Agent (Windows+NT+5.1)"; flow:established,to_server; content:"Windows+NT+5"; http_header; fast_pattern:only; reference:url,doc.emergingthreats.net/2009486; classtype:trojan-activity; sid:2009486; rev:11;)

The most common issue is that a client sends a legitimate User-Agent including "Windows NT 5.1", which the server then encodes in a cookie as "Windows+NT+5.1".  When the client sends the cookie containing that, it's flagged by this rule.  Is there a reason the content:"User-Agent|3a|" constraint was removed from the original rule?

-Will
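The false positive described in the post, modelled as an added example (this is not code from the original post or from Emerging Threats). The three HTTP requests below are constructed, not real captures, and Snort's http_header buffer is approximated as the raw request headers without the request line. rev 9 and rev 11 are modelled with their content matches as written; the third check, which only fires when the string sits inside the User-Agent value itself, is an assumed hardened variant for comparison (in a real rule that is roughly what a header-anchored pcre or, on Suricata, the http_user_agent buffer would give you).

```python
"""Model of ET sid 2009486 rev 9 vs rev 11 over constructed HTTP headers.

Added example, not part of the original post. Sample requests are
constructed for illustration; Snort's http_header buffer is approximated
as everything after the request line up to the blank line.
"""
import re

# Constructed samples (not real traffic).
PINGBED_STYLE = (
    b"GET /ping.php HTTP/1.1\r\n"
    b"User-Agent: Windows+NT+5.1\r\n"
    b"Host: example.invalid\r\n"
    b"\r\n"
)

# Legit browser UA; the server echoed a URL-encoded copy into a cookie,
# with more cookie data after it on the same line.
LEGIT_COOKIE_MIDLINE = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0) Gecko/20100101 Firefox/7.0\r\n"
    b"Cookie: ua=Mozilla%2F5.0+%28Windows+NT+5.1%3B+rv%3A7.0%29; sid=abc\r\n"
    b"\r\n"
)

# Same idea, but the encoded string is the last thing on the Cookie line.
LEGIT_COOKIE_EOL = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0) Gecko/20100101 Firefox/7.0\r\n"
    b"Cookie: sid=abc; ua=Windows+NT+5.1\r\n"
    b"\r\n"
)

SAMPLES = {
    "pingbed_style": PINGBED_STYLE,
    "legit_cookie_midline": LEGIT_COOKIE_MIDLINE,
    "legit_cookie_eol": LEGIT_COOKIE_EOL,
}


def header_buffer(request: bytes) -> bytes:
    """Approximate the http_header buffer: request headers only, each
    line terminated by CRLF, request line and body excluded."""
    head, _, _ = request.partition(b"\r\n\r\n")
    _, _, headers = head.partition(b"\r\n")
    return headers + b"\r\n"


def rev9_matches(request: bytes) -> bool:
    """rev 9: two content matches on http_header. Without distance/within
    they are independent, so they need not be on the same header line."""
    hdr = header_buffer(request)
    return b"User-Agent:" in hdr and b"Windows+NT+5.1\r\n" in hdr


def rev11_matches(request: bytes) -> bool:
    """rev 11: a single content match anywhere in http_header."""
    return b"Windows+NT+5" in header_buffer(request)


# Assumed hardened variant: the string must be inside the User-Agent value.
UA_LINE = re.compile(rb"^User-Agent:[ \t]*([^\r\n]*)\r\n", re.M | re.I)


def ua_anchored_matches(request: bytes) -> bool:
    m = UA_LINE.search(header_buffer(request))
    return bool(m) and b"Windows+NT+5.1" in m.group(1)


def evaluate(request: bytes) -> dict:
    """Run all three checks over one request."""
    return {
        "rev9": rev9_matches(request),
        "rev11": rev11_matches(request),
        "ua_anchored": ua_anchored_matches(request),
    }


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:22s} {evaluate(req)}")
```

Running it shows the three behaviours side by side: the Pingbed-style UA trips every check; the cookie-in-the-middle case trips only rev 11 (the false positive from the post); and the cookie-at-end-of-line case trips rev 9 as well, because the two rev 9 content matches are not tied to the same header line. Only the User-Agent-anchored check stays quiet on both legitimate requests.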

