[Emerging-Sigs] fakeav sig

Matt Jonkman jonkman at emergingthreats.net
Thu Dec 20 09:11:54 HAST 2012


Thanks Harry. Tough one here.

We have that exact UA for this family only in the db. But as soon as we
post with this I'm sure something legit will pop up using that UA.

But if we go for the first request uri and UA it'd be better.

I have this as first request for most samples:

/api/test

You seeing the same Harry?

Matt


On Thu, Dec 20, 2012 at 1:26 PM, harry.tuttle <harry.tuttle at zoho.com> wrote:

> This covers a payload that seems to be making the rounds this week. I'm
> not sure how unique that UAS is all on it's own, but, as written, I've had
> no FP after almost 48 hours.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> FakeAV whatever";flow:established,to_server; content:"User-Agent:
> Mozilla/5.0(compatible|3b| MSIE 9.0|3b| Windows NT 7.1|3b| Trident/5.0)|0d
> 0a|Host|3a20|"; depth:83; http_header; content:!"Accept|3a
> 20|";http_header; reference:md5,dd4d18c07e93c34d082dab57a38f1b86;
> reference:md5,5a864ccfeee9c0c893cfdc35dd8820a6; classtype:trojan-activity;
> sid:nnnnnnn; rev:1;)
>
> There is coverage with 2805614 in pro, but, if the first couple of http
> requests are blocked or don't work for whatever reason, then the traffic
> that triggers 2805614 doesn't seem to ever be generated. This rule should
> catch it all.
>
> Regards,
> Harry
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> Current!
>



-- 

----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20121220/d500b960/attachment.html>


More information about the Emerging-sigs mailing list