[Emerging-Sigs] suspicious UA sig

harry.tuttle harry.tuttle at zoho.com
Wed Dec 19 12:19:40 HAST 2012


Saw this "vb   wininet" (3 spaces) UA in some traffic from a couple of weeks ago. I haven't recovered an executable, but you might want to see what it turns up in your sandnet.

Regards,
Harry
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS suspicious \"vb   wininet\" user agent"; flow:established,to_server; content:"User-Agent|3a 20|vb|20 20 20|wininet|0d 0a|"; http_header; classtype:bad-unknown; sid:nnnnnnn; rev:1;)
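
The rule's exact, case-sensitive content match can be exercised offline; the following is an added example, not part of the original post. The function names, the sample requests and the host `example.test` are constructed for illustration, and `header_block` is an assumed stand-in for the sensor's `http_header` buffer. It also labels near-miss variants (different spacing or case) that the exact match would not fire on.

```python
import re

# Byte pattern from the rule's content option (no "nocase", so case-sensitive).
RULE_CONTENT = b"User-Agent: vb   wininet\r\n"

def header_block(request: bytes) -> bytes:
    """Header lines after the request line, up to the blank line.
    Assumption: approximates the buffer the http_header modifier inspects."""
    head, _, _ = request.partition(b"\r\n\r\n")
    _, _, headers = head.partition(b"\r\n")
    return headers + b"\r\n" if headers else b""

def rule_matches(request: bytes) -> bool:
    """True when the rule's content bytes appear in the header block."""
    return RULE_CONTENT in header_block(request)

def user_agent(request: bytes):
    """Raw User-Agent value with internal whitespace preserved, or None."""
    for line in header_block(request).split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value[1:] if value.startswith(b" ") else value
    return None

def classify(request: bytes) -> str:
    """'exact' if the rule would match, 'near-miss' for spacing/case variants."""
    if rule_matches(request):
        return "exact"
    ua = user_agent(request)
    if ua is not None and re.sub(rb"\s+", b" ", ua.strip()).lower() == b"vb wininet":
        return "near-miss"
    return "no-match"

def make_request(ua: bytes) -> bytes:
    """Build a constructed sample request carrying the given User-Agent."""
    return b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: " + ua + b"\r\n\r\n"

# Constructed samples: the reported UA, two variants, and an unrelated UA.
SAMPLES = [b"vb   wininet", b"vb wininet", b"VB   WinInet", b"Mozilla/5.0"]

if __name__ == "__main__":
    for ua in SAMPLES:
        print(repr(ua), "->", classify(make_request(ua)))
```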
 