[Emerging-Sigs] Are these FPs or not?

harry.tuttle harry.tuttle at zoho.com
Wed Dec 12 12:41:02 HAST 2012


In my experience, the UAS is seen only with the traffic generated by the malware on an infected machine; the UAS is not changed for all traffic. This rule does throw false positives sometimes. I have a couple of negations added locally, but I haven't seen yours before.

Lately, this UAS is seen with Cridex, and it has been a great rule for detecting that.

HTH,
Harry

---- On Wed, 12 Dec 2012 13:29:23 -0800 Russell Fulton <r.fulton at auckland.ac.nz> wrote ---- 



ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup    2012801 
 
We have one machine on our wireless network which is repeatedly triggering this alert on what are clearly legitimate queries, including things like this:
 
GET /complete/search?output=firefox&hl=en&q=sion HTTP/1.1 
Connection: close 
Host: suggestqueries.google.com 
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US) 
 
On an infected machine, does the user-agent string get used on traffic generated by the malware, or does the default UA get changed?
 
Russell 
 
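An added illustration (not code from the thread or from the ET ruleset) of the tuning Harry describes: flag the spoofed-looking UA string from Russell's capture, but negate it for a locally maintained list of hosts. The UA regex is an assumption modelled on the quoted request, not the real rule's content, and the sample requests are constructed; only suggestqueries.google.com comes from the thread.

```python
import re
from typing import Dict

# Assumed pattern, modelled on the UA in Russell's capture. The actual
# "ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup" rule body is not
# in the thread, so this is an approximation, not the rule itself.
SPOOFED_MSIE7_UA = re.compile(
    r"^Mozilla/5\.0 \(Windows; U; MSIE 7\.0; Windows NT [\d.]+; [a-z]{2}-[A-Z]{2}\)$"
)

# Local negations (the "couple of negations added locally" idea): hosts where
# this UA has been confirmed benign. suggestqueries.google.com is from the thread.
HOST_NEGATIONS = {"suggestqueries.google.com"}


def parse_request(raw: str) -> Dict[str, str]:
    """Split a raw HTTP request into its request line and lowercased headers."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    req = {"request_line": lines[0]}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            req[name.strip().lower()] = value.strip()
    return req


def classify(raw: str) -> str:
    """Return 'alert', 'negated' (UA matched but host is whitelisted) or 'clean'."""
    req = parse_request(raw)
    if not SPOOFED_MSIE7_UA.match(req.get("user-agent", "")):
        return "clean"
    if req.get("host", "").lower() in HOST_NEGATIONS:
        return "negated"
    return "alert"


# Constructed samples. The first reproduces Russell's legitimate Firefox
# search-suggestion request; the others use a placeholder host.
RUSSELL_REQUEST = """GET /complete/search?output=firefox&hl=en&q=sion HTTP/1.1
Connection: close
Host: suggestqueries.google.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
"""
SUSPECT_REQUEST = """GET /update HTTP/1.1
Host: unknown.example.invalid
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
"""
# A genuine IE7 UA announces itself as Mozilla/4.0 (compatible; ...), so it does not match.
REAL_IE7_REQUEST = """GET / HTTP/1.1
Host: unknown.example.invalid
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
"""
```

Running classify() over the three samples yields negated, alert and clean respectively, which is the behaviour a per-host negation gives you without dropping the rule.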



