[Emerging-Sigs] FP's on 2009486 ET TROJAN Pingbed/Downbot User-Agent (Windows+NT+5.1)

Matthew Jonkman jonkman at emergingthreatspro.com
Thu Oct 20 09:04:35 EDT 2011

Thanks for the report Will. 

The UA string was dropped from new snorts and suricata just for performance. I see the issue though, I'll get it back in there and we'll make sure to stay out of the cookie on this match. 



On Oct 20, 2011, at 8:52 AM, Will Cladek wrote:

> I'm getting a high number of false positives on the following rule, updated yesterday:
> old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pingbed User-Agent (Windows+NT+5.1)"; flow:established,to_server; content:"User-Agent|3a|"; http_header; content:"Windows+NT+5.1|0D 0A|"; http_header; fast_pattern:only; reference:url,doc.emergingthreats.net/2009486; classtype:trojan-activity; sid:2009486; rev:9;)
> new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pingbed/Downbot User-Agent (Windows+NT+5.1)"; flow:established,to_server; content:"Windows+NT+5"; http_header; fast_pattern:only; reference:url,doc.emergingthreats.net/2009486; classtype:trojan-activity; sid:2009486; rev:11;)
> The most common issue is that a client sends a legit User Agent including "Windows NT 5.1", which the server then encodes in a cookie as "Windows+NT+5.1".  When the client sends the cookie containing that, it's flagged by this rule.  Is there a reason the "content:"User-Agent|3a|"" constraint was removed from the original rule?
> -Will
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!

Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
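The false positive Will describes (a server echoing the client's User-Agent into a cookie as "Windows+NT+5.1", which rev 11's bare http_header content then matches) can be reproduced offline. The following is an added example, not part of the thread and not Emerging Threats code: it emulates the http_header content checks of sid 2009486 rev 9 and rev 11 against constructed HTTP requests, and adds a hypothetical check that inspects only the User-Agent value, which is the kind of scoping Matt's "stay out of the cookie" remark points at. The sample requests, the helper names and the assumption that the Cookie header is part of the inspected header buffer (true for Suricata, and implied by the reported FP) are all this example's own.

```python
# Added example (not from the mailing-list thread): emulate how sid 2009486
# rev 9 and rev 11 match on the HTTP header buffer, and show why a cookie that
# echoes a URL-encoded User-Agent trips rev 11. Snort/Suricata content matches
# are case-sensitive and, without distance/within, independent of each other.
from typing import Dict, Optional


def http_header_buffer(raw: bytes) -> bytes:
    """Return the request headers (request line dropped, CRLF terminators kept).
    Assumption: the Cookie header is included, as in Suricata's http_header."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    _, _, headers = head.partition(b"\r\n")  # drop "GET /... HTTP/1.1"
    return headers + b"\r\n"


def match_rev9(raw: bytes) -> bool:
    """rev 9: content:"User-Agent|3a|"; http_header;
              content:"Windows+NT+5.1|0D 0A|"; http_header;
    Both contents must occur somewhere in the header buffer; the trailing CRLF
    requires "Windows+NT+5.1" to end a header line."""
    buf = http_header_buffer(raw)
    return b"User-Agent:" in buf and b"Windows+NT+5.1\r\n" in buf


def match_rev11(raw: bytes) -> bool:
    """rev 11: content:"Windows+NT+5"; http_header;
    Any header line qualifies, including a Cookie carrying an encoded UA."""
    return b"Windows+NT+5" in http_header_buffer(raw)


def user_agent_value(raw: bytes) -> Optional[bytes]:
    """Extract the User-Agent header value, or None if absent."""
    for line in http_header_buffer(raw).split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip()
    return None


def match_ua_scoped(raw: bytes) -> bool:
    """Hypothetical tightened check (not an ET rule): look for the token only
    inside the User-Agent value, so the same bytes in a Cookie do not fire."""
    ua = user_agent_value(raw)
    return ua is not None and b"Windows+NT+5" in ua


def evaluate(raw: bytes) -> Dict[str, bool]:
    """Run all three checks on one request."""
    return {
        "rev9": match_rev9(raw),
        "rev11": match_rev11(raw),
        "ua_scoped": match_ua_scoped(raw),
    }


# Constructed sample requests (not captured traffic).
# 1. Legitimate browser whose UA the server stored in a cookie, URL-encoded.
BENIGN_COOKIE_ECHO = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0) Gecko/20100101 Firefox/7.0\r\n"
    b"Cookie: last_ua=Mozilla%2F5.0+(Windows+NT+5.1%3B+rv%3A7.0)+Gecko\r\n"
    b"\r\n"
)
# 2. The pattern the signature is after: the plus-encoded string as the whole UA.
SUSPECT_BARE_UA = (
    b"GET /cgi-bin/ping.php HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Windows+NT+5.1\r\n"
    b"\r\n"
)
# 3. Ordinary request with no cookie echo.
BENIGN_PLAIN = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 5.1) Gecko/20100101 Firefox/7.0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, req in [("cookie echo", BENIGN_COOKIE_ECHO),
                       ("bare UA", SUSPECT_BARE_UA),
                       ("plain", BENIGN_PLAIN)]:
        print(f"{label:12s} {evaluate(req)}")
```

On the cookie-echo request only rev 11 fires, which is exactly the FP in the report: rev 9 misses it because the cookie value continues with "%3B" rather than a CRLF, and the User-Agent-scoped check misses it because the real UA uses spaces. The bare-UA request fires all three, so the narrower check keeps the detection the rule is for.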
