[Emerging-Sigs] fakeav sig

harry.tuttle harry.tuttle at zoho.com
Thu Dec 20 08:26:52 HAST 2012


This covers a payload that seems to be making the rounds this week. I'm not sure how unique that UAS is all on its own, but, as written, I've had no FP after almost 48 hours.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV whatever";flow:established,to_server; content:"User-Agent: Mozilla/5.0(compatible|3b| MSIE 9.0|3b| Windows NT 7.1|3b| Trident/5.0)|0d 0a|Host|3a20|"; depth:83; http_header; content:!"Accept|3a 20|";http_header; reference:md5,dd4d18c07e93c34d082dab57a38f1b86; reference:md5,5a864ccfeee9c0c893cfdc35dd8820a6; classtype:trojan-activity; sid:nnnnnnn; rev:1;)

There is coverage with 2805614 in pro, but, if the first couple of http requests are blocked or don't work for whatever reason, then the traffic that triggers 2805614 doesn't seem to ever be generated. This rule should catch it all.

Regards,
Harry
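An added example, not part of Harry's post or the ET ruleset, emulating what the rule's header matching actually requires so the constraints can be read off before deployment. With the |hex| escapes decoded the first content is 82 bytes, so depth:83 only allows it to start at header-buffer offset 0 or 1: the User-Agent must be the first header and must be followed immediately by Host. The string also differs from a stock IE9 UA (no space after "5.0", and "Windows NT 7.1" where IE9 on Windows 7 sends NT 6.1), so a real browser does not fire it, and the negated content drops any request that carries an Accept header. The header-buffer model is an assumption (headers after the request line, no normalisation, as Suricata's http_header roughly does); the sample requests and the host name are constructed, not captured traffic.

```python
"""Emulate the header-matching part of the FakeAV rule on constructed HTTP requests.

Added example (not from the post or the ET ruleset). Only the two content
matches are modelled; flow, ports and HTTP normalisation are left out.
"""

# First content from the rule with |3b| = ';' and |3a20| = ': ' decoded.
UA_CONTENT = (
    b"User-Agent: Mozilla/5.0(compatible; MSIE 9.0; "
    b"Windows NT 7.1; Trident/5.0)\r\nHost: "
)
DEPTH = 83                     # depth:83 on that content
NEGATED_CONTENT = b"Accept: "  # content:!"Accept|3a 20|"; http_header


def header_buffer(request: bytes) -> bytes:
    """Approximation (assumption) of the http_header buffer: the header lines
    after the request line, up to the end of the header block, unnormalised."""
    head, _, _body = request.partition(b"\r\n\r\n")
    _request_line, _, headers = head.partition(b"\r\n")
    return headers + b"\r\n"


def max_start_offset() -> int:
    """depth:N requires the whole pattern inside the first N bytes, so the
    pattern can start no later than N - len(pattern)."""
    return DEPTH - len(UA_CONTENT)


def matches_rule(request: bytes) -> bool:
    buf = header_buffer(request)
    # bytes.find with an end bound only succeeds if the entire pattern fits
    # inside buf[:DEPTH], which is exactly the depth semantics.
    if buf.find(UA_CONTENT, 0, DEPTH) == -1:
        return False
    # Negated content: any "Accept: " header anywhere in the buffer kills the match.
    if NEGATED_CONTENT in buf:
        return False
    return True


# Constructed sample requests (hypothetical host name, not real traffic).
UA_LINE = b"User-Agent: Mozilla/5.0(compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0)\r\n"
HOST_LINE = b"Host: c2.example.invalid\r\n"
SAMPLES = {
    # UA first, Host right after it, no Accept: the traffic the rule is for
    "malware_like": b"GET /a.php HTTP/1.1\r\n" + UA_LINE + HOST_LINE + b"\r\n",
    # Same UA, but an Accept header is present: negated content fails it
    "with_accept": b"GET /a.php HTTP/1.1\r\n" + UA_LINE + HOST_LINE + b"Accept: */*\r\n\r\n",
    # Another header before User-Agent pushes the pattern past depth:83
    "ua_not_first": b"GET /a.php HTTP/1.1\r\nConnection: Keep-Alive\r\n" + UA_LINE + HOST_LINE + b"\r\n",
    # Stock IE9 on Windows 7: space after 5.0 and NT 6.1, so no exact match
    "real_ie9": (b"GET /a.php HTTP/1.1\r\n"
                 b"User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\r\n"
                 + HOST_LINE + b"\r\n"),
}


def evaluate_samples() -> dict:
    """Run every constructed request through the emulated rule."""
    return {name: matches_rule(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    print(f"pattern length {len(UA_CONTENT)}, latest allowed start offset {max_start_offset()}")
    for name, hit in evaluate_samples().items():
        print(f"{name:13s} {'ALERT' if hit else 'no match'}")
```

The "ua_not_first" case is the one to keep in mind when tuning: a variant that emits any header ahead of User-Agent, or inserts one between User-Agent and Host, slips past the depth constraint even though the UA string is unchanged, so a looser follow-up rule without depth would be the fallback if the payload starts doing that.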


