[Emerging-Sigs] Jorik FakeAV sig

waldo kitty wkitty42 at windstream.net
Sat Oct 29 23:13:47 EDT 2011


On 10/27/2011 17:36, Nathan wrote:
> On Thu, 27 Oct 2011 16:45:23 -0400 waldo kitty <wkitty42 at windstream.net> wrote:
>
>> On 10/27/2011 14:50, Packet Hack wrote:
>>>     GET /britix/a HTTP/1.1
>>>     Accept: */*
>>>     Accept-Language: en
>>>     User-Agent: Internet Explorer
>>>     Host: open-994233.com
>>>     Connection: Keep-Alive
>
>> how about a rule (or two) for that obviously fake UA, too ;)
>
> We are already full of win, enabled by default:

really?

> emerging-user_agents.rules:alert tcp $HOME_NET any ->  $EXTERNAL_NET
> $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Internet Explorer)";
> flow:to_server,established; content:"User-Agent|3a| Internet Explorer|0d 0a|";
> http_header; content:!"|0d0a|Host|3a| pnrws.skype.com|0d0a|"; http_header;
> reference:url,doc.emergingthreats.net/bin/view/Main/2008052;
> classtype:trojan-activity; sid:2008052; rev:10;)

that does seem to support alerting on that particular UA, so why didn't it fire on that traffic? hummm :?

(PS: i'm coming off of one 12-hour shift after one and having another one in a few hours :? :(  yeah, playing catch up...)