[Emerging-Sigs] Are these FPs or not?

Castle, Shane scastle at bouldercounty.org
Wed Dec 12 13:51:18 HAST 2012


In the past, the systems I have seen that triggered this alert were definitely infected, so I'd be leaning toward TP.

Our cleanup was wipe and reinstall.

-- 
Shane Castle
Data Security Mgr, Boulder County IT


-----Original Message-----
From: emerging-sigs-bounces at lists.emergingthreats.net [mailto:emerging-sigs-bounces at lists.emergingthreats.net] On Behalf Of Russell Fulton
Sent: Wednesday, December 12, 2012 14:29
To: Emerging Threats Threats Signatures
Subject: [Emerging-Sigs] Are these FPs or not?


ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup (sid 2012801)

We have one machine on our wireless network which is repeatedly triggering this alert on what are clearly legitimate queries, including things like this:

GET /complete/search?output=firefox&hl=en&q=sion HTTP/1.1
Connection: close
Host: suggestqueries.google.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)

On an infected machine, does the user-agent string get used on traffic generated by the malware, or does the default UA get changed?

Russell 

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs at lists.emergingthreats.net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
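The thread does not quote the rule's content match, so the following is an added example, not the ET rule and not code from either poster. It approximates the signature's idea (an "MSIE 7.0" token outside the Mozilla/4.0 (compatible; ...) form a real IE7 sends), runs it over the request quoted above plus two constructed stock-browser requests for contrast, and attaches the context an analyst wants for the TP/FP call: whether the flagged request went to Firefox's own search-suggestion endpoint (suggestqueries.google.com with output=firefox), i.e. whether the odd UA is riding on ordinary browser traffic rather than on a separate malware HTTP client. The GENUINE_IE7 pattern and the browser-endpoint check are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample requests (not captured traffic). "thread" reproduces the
# request quoted in the thread; the other two are what a stock IE7 and a stock
# Firefox 3.6 of that era send to the same endpoint, included for contrast.
SAMPLES: Dict[str, str] = {
    "thread": (
        "GET /complete/search?output=firefox&hl=en&q=sion HTTP/1.1\r\n"
        "Connection: close\r\n"
        "Host: suggestqueries.google.com\r\n"
        "User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)\r\n"
        "\r\n"
    ),
    "stock_ie7": (
        "GET /complete/search?output=firefox&hl=en&q=sion HTTP/1.1\r\n"
        "Host: suggestqueries.google.com\r\n"
        "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)\r\n"
        "\r\n"
    ),
    "stock_firefox": (
        "GET /complete/search?output=firefox&hl=en&q=sion HTTP/1.1\r\n"
        "Host: suggestqueries.google.com\r\n"
        "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.28) "
        "Gecko/20120306 Firefox/3.6.28\r\n"
        "\r\n"
    ),
}

# Assumption: a genuine IE7 identifies itself with this "compatible" token
# form; "MSIE 7.0" appearing anywhere else in the UA is treated as spoofed.
GENUINE_IE7 = re.compile(r"^Mozilla/4\.0 \(compatible; MSIE 7\.0;")


@dataclass
class Request:
    method: str
    path: str
    version: str
    headers: Dict[str, str]  # header names lower-cased


def parse_request(raw: str) -> Request:
    """Split a raw HTTP/1.x request head into request line and headers."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, version, headers)


def is_spoofed_msie7(user_agent: Optional[str]) -> bool:
    """Approximation of the signature's logic, not the ET rule's content match."""
    if not user_agent or "MSIE 7.0" not in user_agent:
        return False
    return GENUINE_IE7.match(user_agent) is None


def triage(raw: str) -> Dict[str, object]:
    """Run the UA check and report the host/path context needed to judge
    whether the hit came from browser traffic or from a separate client."""
    req = parse_request(raw)
    ua = req.headers.get("user-agent")
    # Assumption for illustration: Firefox's search-suggestion endpoint. A hit
    # here means the UA was applied to normal browser traffic, which is the
    # case the thread describes.
    browser_suggest = (
        req.headers.get("host") == "suggestqueries.google.com"
        and "output=firefox" in req.path
    )
    return {
        "alert": is_spoofed_msie7(ua),
        "user_agent": ua,
        "host": req.headers.get("host"),
        "browser_generated_path": browser_suggest,
    }


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

Only the "thread" sample fires: the stock IE7 UA has the compatible form and the stock Firefox UA carries no MSIE token at all. The browser_generated_path flag is what separates "the malware has its own HTTP client with this UA" from "something on this box rewrote the UA the browser itself sends"; the quoted request is the latter shape, which is why the query looks legitimate while the UA does not.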
