[Emerging-Sigs] Are these FPs or not?
scastle at bouldercounty.org
Wed Dec 12 13:51:18 HAST 2012
In the past, the systems I have seen that triggered this alert were definitely infected, so I'd be leaning toward TP.
Our cleanup was wipe and reinstall.
Data Security Mgr, Boulder County IT
From: emerging-sigs-bounces at lists.emergingthreats.net [mailto:emerging-sigs-bounces at lists.emergingthreats.net] On Behalf Of Russell Fulton
Sent: Wednesday, December 12, 2012 14:29
To: Emerging Threats Threats Signatures
Subject: [Emerging-Sigs] Are these FPs or not?
ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup 2012801
We have one machine on our wireless network which is repeatedly triggering this alert on what are clearly legitimate queries including things like this:
GET /complete/search?output=firefox&hl=en&q=sion HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
On an infected machine does the user-agent string get used on traffic generated by the malware or does the default UA get changed?
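A small triage helper for the question raised above, added here as an example and not part of the original thread or of the ET ruleset. It flags the User-Agent string quoted in the post (genuine IE 7 announces itself as "Mozilla/4.0 (compatible; MSIE 7.0; ...)", whereas the quoted string pairs MSIE 7.0 with the "Mozilla/5.0 (Windows; U; ...; en-US)" layout of Gecko-era browsers, which is what makes it look spoofed) and then groups hits per client so an analyst can see whether the string appears on all of a host's requests, as a browser-wide UA change would, or only on a few. The regular expression is my approximation of the anomaly, not the actual rule content, and the log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample of proxy log lines (tab-separated: client, method, path, user-agent).
# Client 10.1.2.3 mirrors the case in the thread: ordinary autocomplete queries, odd UA on every request.
SAMPLE_LOG = """\
10.1.2.3\tGET\t/complete/search?output=firefox&hl=en&q=sion\tMozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
10.1.2.3\tGET\t/complete/search?output=firefox&hl=en&q=sion%20a\tMozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
10.1.2.4\tGET\t/index.html\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
10.1.2.5\tGET\t/\tMozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
10.1.2.3\tGET\t/img/logo.png\tMozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
"""

# Assumed pattern: MSIE 7.0 inside the Mozilla/5.0 "(Windows; U; ...; xx-XX)" layout.
# Real IE 7 uses "Mozilla/4.0 (compatible; MSIE 7.0; ...)", so this combination is internally inconsistent.
SPOOFED_MSIE7 = re.compile(
    r"^Mozilla/5\.0 \(Windows; U; MSIE 7\.0; Windows NT [\d.]+; [a-z]{2}-[A-Z]{2}\)$"
)


def is_spoofed_msie7_ua(ua: str) -> bool:
    """True when the UA matches the inconsistent MSIE 7 / Mozilla 5.0 layout."""
    return SPOOFED_MSIE7.match(ua) is not None


def triage(log_text: str) -> dict:
    """Per client: how many requests carried the suspicious UA versus the total,
    plus the paths involved. A host where matched == total has the UA on all
    traffic (browser-wide change); a host with a few matches among many normal
    requests suggests a separate component emitting its own UA."""
    per_client = defaultdict(lambda: {"matched": 0, "total": 0, "paths": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, _method, path, ua = line.split("\t", 3)
        rec = per_client[client]
        rec["total"] += 1
        if is_spoofed_msie7_ua(ua):
            rec["matched"] += 1
            rec["paths"].append(path)
    # Only report clients that produced at least one hit.
    return {c: r for c, r in per_client.items() if r["matched"]}


if __name__ == "__main__":
    for client, rec in triage(SAMPLE_LOG).items():
        print(f"{client}: {rec['matched']}/{rec['total']} requests with spoofed UA")
        for p in rec["paths"]:
            print("   ", p)
```

The output does not by itself decide TP versus FP; it tells you which follow-up to do on the host. If every request from the client carries the string, the browser's UA itself has been changed (or a proxy/plug-in rewrites it), which fits the thread's observation that legitimate autocomplete queries trigger the rule; if only a handful of requests carry it, those requests point at the process worth examining.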
Emerging-sigs mailing list
Emerging-sigs at lists.emergingthreats.net
Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!