[Emerging-Sigs] Are these FPs or not?

Christopher Granger chrisgrangerx at gmail.com
Wed Dec 12 19:01:05 HAST 2012


It's likely not Ponmocup, maybe some search toolbar, but you should
investigate further to be on the safe side.
On Dec 12, 2012 11:13 PM, "harry.tuttle" <harry.tuttle at zoho.com> wrote:

> In my experience, the UAS is seen only with the traffic generated by the
> malware on an infected machine; the UAS is not changed for all traffic.
> This rule does false sometimes. I have a couple of negations added locally,
> but I haven't seen yours before.
>
> Lately, this UAS is seen with Cridex, and it has been a great rule for
> detecting that.
>
> HTH,
> Harry
>
> ---- On Wed, 12 Dec 2012 13:29:23 -0800 Russell Fulton <r.fulton at auckland.ac.nz> wrote ----
>
>
> ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup    2012801
>
> We have one machine on our wireless network which is repeatedly triggering
> this alert on what are clearly legitimate queries including things like
> this:
>
> GET /complete/search?output=firefox&hl=en&q=sion HTTP/1.1
> Connection: close
> Host: suggestqueries.google.com
> User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
>
> On an infected machine does the user-agent string get used on traffic
> generated by the malware or does the default UA get changed?
>
> Russell
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> Current!
>
>
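To make the discussion concrete, here is an added example (not from anyone in this thread, and not the text of ET SID 2012801, whose actual content is not shown here): it parses Russell's quoted request, flags the user-agent on the assumption that a genuine IE7 identifies as "Mozilla/4.0 (compatible; MSIE 7.0; ...)" so an MSIE 7.0 token inside a Mozilla/5.0 string without "compatible;" is inconsistent, and applies a hypothetical per-Host suppression of the kind Harry calls a local negation.

```python
import re

# Constructed sample: the request quoted in Russell's post, re-typed as raw
# header lines (no body).
SAMPLE_REQUEST = (
    "GET /complete/search?output=firefox&hl=en&q=sion HTTP/1.1\r\n"
    "Connection: close\r\n"
    "Host: suggestqueries.google.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)\r\n"
    "\r\n"
)

# Heuristic only (an assumption, not the content of the ET rule): IE7 sends
# "Mozilla/4.0 (compatible; MSIE 7.0; ...)", so "MSIE 7.0" inside a
# Mozilla/5.0 string that does not open with "compatible;" is inconsistent.
SPOOFED_MSIE7 = re.compile(r"^Mozilla/5\.0 \((?!compatible;).*MSIE 7\.0")

# Hypothetical local suppression list keyed on the Host header, in the spirit
# of the "negations added locally" mentioned in the thread.
LOCAL_HOST_SUPPRESSIONS = {"suggestqueries.google.com"}


def parse_request(raw: str) -> dict:
    """Split an HTTP/1.x request head into the request line and a
    lowercase-keyed header map (duplicate headers keep the last value)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"request_line": lines[0], "headers": headers}


def classify(raw: str, suppressions=frozenset()) -> str:
    """Return 'alert', 'suppressed' or 'clean' for one raw request."""
    req = parse_request(raw)
    ua = req["headers"].get("user-agent", "")
    if not SPOOFED_MSIE7.search(ua):
        return "clean"
    if req["headers"].get("host", "").lower() in suppressions:
        return "suppressed"
    return "alert"
```

A Host-based suppression only narrows the rule for that destination; the same user-agent on any other Host still alerts, which is the behaviour you want when the string is tied to malware traffic rather than to the machine's default browser.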

