[Emerging-Sigs] Jorik FakeAV sig

Nathan nathan at packetmail.net
Thu Oct 27 17:36:27 EDT 2011


On Thu, 27 Oct 2011 16:45:23 -0400 waldo kitty <wkitty42 at windstream.net> wrote:

> On 10/27/2011 14:50, Packet Hack wrote:
> >    GET /britix/a HTTP/1.1
> >    Accept: */*
> >    Accept-Language: en
> >    User-Agent: Internet Explorer
> >    Host: open-994233.com
> >    Connection: Keep-Alive

> how about a rule (or two) for that obviously fake UA, too ;)

We are already full of win, enabled by default:

emerging-user_agents.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET
$HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Internet Explorer)";
flow:to_server,established; content:"User-Agent|3a| Internet Explorer|0d 0a|";
http_header; content:!"|0d0a|Host|3a| pnrws.skype.com|0d0a|"; http_header;
reference:url,doc.emergingthreats.net/bin/view/Main/2008052;
classtype:trojan-activity; sid:2008052; rev:10;)

Thanks,
Nathan
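As an added example (not code from this post or from Emerging Threats), the Python below mirrors the two http_header content checks of sid 2008052 over constructed sample requests: the quoted Jorik request, a genuine IE User-Agent, a User-Agent with a trailing suffix, the pnrws.skype.com exception the rule carves out, and a request that only carries the string in its body.

```python
# Added example: reproduces the matching logic of ET sid 2008052 in Python.
# content:"User-Agent|3a| Internet Explorer|0d 0a|" with http_header means the
# header value must be exactly "Internet Explorer"; the negated content
# suppresses the alert when the Host header is pnrws.skype.com.
from typing import List

CRLF = b"\r\n"
UA_MATCH = b"User-Agent: Internet Explorer" + CRLF
HOST_EXCEPTION = CRLF + b"Host: pnrws.skype.com" + CRLF


def http_header_buffer(raw_request: bytes) -> bytes:
    """Request line plus headers, i.e. the part the http_header keyword inspects."""
    end = raw_request.find(CRLF + CRLF)
    return raw_request if end == -1 else raw_request[: end + len(CRLF + CRLF)]


def sid_2008052_matches(raw_request: bytes) -> bool:
    """True when the rule would alert on this client request."""
    headers = http_header_buffer(raw_request)
    if UA_MATCH not in headers:           # exact UA followed by CRLF
        return False
    return HOST_EXCEPTION not in headers  # negated content: Skype host is allowed


def flag_requests(requests: List[bytes]) -> List[bytes]:
    """Return the requests that trigger the rule."""
    return [r for r in requests if sid_2008052_matches(r)]


# Constructed samples; the first is the request quoted in the thread.
JORIK = (b"GET /britix/a HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en\r\n"
         b"User-Agent: Internet Explorer\r\nHost: open-994233.com\r\n"
         b"Connection: Keep-Alive\r\n\r\n")
REAL_IE = (b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; "
           b"Windows NT 6.1)\r\nHost: example.com\r\n\r\n")
SUFFIXED = b"GET / HTTP/1.1\r\nUser-Agent: Internet Explorer 9\r\nHost: a.test\r\n\r\n"
SKYPE = b"GET /x HTTP/1.1\r\nUser-Agent: Internet Explorer\r\nHost: pnrws.skype.com\r\n\r\n"
BODY_ONLY = (b"POST /x HTTP/1.1\r\nUser-Agent: curl/7.0\r\nHost: a.test\r\n"
             b"Content-Length: 31\r\n\r\nUser-Agent: Internet Explorer\r\n")
SAMPLES = [JORIK, REAL_IE, SUFFIXED, SKYPE, BODY_ONLY]

if __name__ == "__main__":
    for req in flag_requests(SAMPLES):
        print("ALERT sid:2008052 on", req.split(CRLF)[0].decode())
```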