[Emerging-Sigs] Are these FPs or not?
harry.tuttle at zoho.com
Wed Dec 12 12:41:02 HAST 2012
In my experience, the UAS is seen only with the traffic generated by the malware on an infected machine; the UAS is not changed for all traffic. This rule does false positive sometimes. I have a couple of negations added locally, but I haven't seen yours before.
Lately, this UAS is seen with Cridex, and it has been a great rule for detecting that.
---- On Wed, 12 Dec 2012 13:29:23 -0800 Russell Fulton <r.fulton at auckland.ac.nz> wrote ----
ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup 2012801
We have one machine on our wireless network which is repeatedly triggering this alert on what are clearly legitimate queries, including things like this:
GET /complete/search?output=firefox&hl=en&q=sion HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
On an infected machine does the user-agent string get used on traffic generated by the malware, or does the default UA get changed?
Emerging-sigs mailing list
Emerging-sigs at lists.emergingthreats.net
Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
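The reply's point, that a rule keyed on a fixed User-Agent string fires on every request carrying that string and that the useful distinction is whether a host uses that UA on all of its traffic or only on a subset beside its normal UA, can be turned into a small triage script. The following is an added example and is not part of the thread or of the Emerging Threats ruleset; it assumes the UA quoted above is the string the rule keys on, and the proxy log format, hosts, and URLs are constructed for the example. The local exception for the Firefox search-suggest query is the kind of negation the reply mentions.

```python
"""Triage helper for a User-Agent-based IDS alert (added example, not from the thread).

Per source host it counts requests, rule hits, hits not covered by local
exceptions, and the share of the host's traffic carrying the suspect UA.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# The UA string quoted in the thread; assumed here to be the string the rule keys on.
SUSPECT_UA = "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"

# Local negations (constructed): (host, path) pairs that are known-good uses of this UA.
# The thread's example is a Firefox search-suggest query to /complete/search.
LOCAL_EXCEPTIONS = {
    ("www.google.com", "/complete/search"),
}

# Constructed proxy log lines: src_ip|method|url|user-agent
SAMPLE_LOG = """\
10.0.0.5|GET|http://www.google.com/complete/search?output=firefox&hl=en&q=sion|Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
10.0.0.5|GET|http://www.example.org/|Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
10.0.0.5|GET|http://news.example.net/index.html|Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
10.0.0.9|GET|http://www.example.org/|Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
10.0.0.9|GET|http://cdn.example.com/a.js|Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
10.0.0.9|POST|http://203.0.113.7/update|Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
"""


def parse_log(text):
    """Parse the constructed 'src|method|url|ua' lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, method, url, ua = line.split("|", 3)
        records.append({"src": src, "method": method, "url": url, "ua": ua})
    return records


def rule_matches(rec):
    """The alert condition: the request carries the suspect UA verbatim."""
    return rec["ua"] == SUSPECT_UA


def is_local_exception(rec):
    """Local negation: destination host and path are on the known-good list."""
    parts = urlsplit(rec["url"])
    return (parts.hostname, parts.path) in LOCAL_EXCEPTIONS


def triage(records):
    """Summarise hits per source host and apply the reply's heuristic."""
    stats = defaultdict(lambda: {"total": 0, "hits": 0, "unexcused": 0})
    for rec in records:
        s = stats[rec["src"]]
        s["total"] += 1
        if rule_matches(rec):
            s["hits"] += 1
            if not is_local_exception(rec):
                s["unexcused"] += 1
    for s in stats.values():
        s["share"] = s["hits"] / s["total"]
        # The suspect UA on all of a host's traffic points to a browser or profile that
        # simply uses that UA; a minority share next to a normal UA is the pattern the
        # reply describes for malware-generated traffic and deserves a closer look.
        s["verdict"] = "likely-browser-ua" if s["share"] == 1.0 else "mixed-ua-investigate"
    return dict(stats)


if __name__ == "__main__":
    for host, s in sorted(triage(parse_log(SAMPLE_LOG)).items()):
        print(host, s)
```

Run against real proxy or Suricata HTTP logs, the `share` column separates the wireless host in the question (every request from it carries the UA) from a host whose normal browser UA is interleaved with a handful of requests using the suspect one.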