[Emerging-Sigs] Question on sid:2018358

Nathan nathan at packetmail.net
Tue May 5 09:11:57 HDT 2020


MSIE 8 used Mozilla/4.0 instead of Mozilla/5.0, in the case here, this
browser is spoofed and is not legitimate.  MSIE 9+ uses Mozilla/5.0
until we ended up with the terse User-Agents used today with Edge.

In your flow snippet below Mozilla/5.0 is incorrect in the context of
MSIE 8.  Also that UA is very old, if it were legitimate, and not
improperly spoofed.

Since it's on TCP 80, plaintext assumed, maybe look into the PCAP?
// The following results are from Farsight Security, Inc.'s Passive DNS
// system, for more information about this product please see
// https://dnsdb.info and https://www.farsightsecurity.com

m225.absolute.com. IN A 209.53.113.225
ccpostqa.absolute.com. IN A 209.53.113.225
d.namequery.com. IN A 209.53.113.225
si.namequery.com. IN A 209.53.113.225
;;; Returned 4 RRs in 0.04 seconds.
;;; DNSDB

Cheers,
Nathan

On Tue, 5 May 2020 17:51:49 +0000

Leonard Jacobs <ljacobs at netsecuris.com> wrote:

> What is this signature actually trying to accomplish?
> 
> 
> It fired on the following and trying to determine if it is a false
> positive.  I read the content of the signature but this did not make
> sense for this.
> 
> 
> {"timestamp":"2020-05-05T15:38:58.854536+0000","flow_id":158808685623782,"in_iface":"enp4s0","event_type":"alert","src_ip":"x.x.x.x","src_port":58064,"dest_ip":"209.53.113.225","dest_port":80,"proto":"TCP","tx_id":968,"alert":{"action":"allowed","gid":1,"signature_id":2018358,"rev":9,"signature":"ET
> HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser
> 1","category":"Potentially Bad
> Traffic","severity":2,"metadata":{"updated_at":["2020_03_03"],"created_at":["2014_04_04"],"former_category":["INFO"]}},"http":{"hostname":"209.53.113.225","url":"\/","http_user_agent":"Mozilla\/5.0
> (compatible; MSIE
> 8.0;)","http_method":"POST","protocol":"HTTP\/1.1","length":0},"app_proto":"http","flow":{"pkts_toserver":1942,"pkts_toclient":1940,"bytes_toserver":339371,"bytes_toclient":299816,"start":"2020-05-05T15:33:31.473574+0000"}}
> 
> Thanks.
> 
> 
> Leonard
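
Added example, not part of the thread above and not the ET rule itself: a small Python triage script that applies the User-Agent consistency argument from the reply to Suricata EVE JSON alerts for sid 2018358. It assumes the classic IE User-Agent shapes (IE 8 and earlier advertised Mozilla/4.0, IE 9 and 10 advertised Mozilla/5.0, and real IE carried a Windows platform token and, from IE 8 on, a Trident/ engine token). The EVE records, the 192.0.2.x addresses and the function names are constructed here for illustration; the rule's own content matches are not reproduced, only the reasoning.

```python
import ipaddress
import json
import re

SID = 2018358  # ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1

# Constructed sample EVE alert records (not taken from the original thread).
# The first mirrors the shape of the record quoted in the thread; the other
# two are invented to show a legitimate IE 8 UA and a different mismatch.
SAMPLE_EVE_LINES = [
    json.dumps({"event_type": "alert", "alert": {"signature_id": SID},
                "http": {"hostname": "209.53.113.225", "url": "/",
                         "http_method": "POST",
                         "http_user_agent": "Mozilla/5.0 (compatible; MSIE 8.0;)"}}),
    json.dumps({"event_type": "alert", "alert": {"signature_id": SID},
                "http": {"hostname": "192.0.2.10", "url": "/upload",
                         "http_method": "POST",
                         "http_user_agent": "Mozilla/4.0 (compatible; MSIE 8.0; "
                                            "Windows NT 6.1; Trident/4.0)"}}),
    json.dumps({"event_type": "alert", "alert": {"signature_id": SID},
                "http": {"hostname": "192.0.2.10", "url": "/",
                         "http_method": "POST",
                         "http_user_agent": "Mozilla/4.0 (compatible; MSIE 9.0; "
                                            "Windows NT 6.1; Trident/5.0)"}}),
]

# Classic IE UA shape: Mozilla/X.0 (compatible; MSIE Y.0; <platform tokens>).
# IE 11 dropped the "compatible; MSIE" form entirely, so it does not match here.
MSIE_UA_RE = re.compile(r"^Mozilla/(\d+)\.0 \(compatible; MSIE (\d+)\.0;\s*([^)]*)\)$")


def msie_ua_problems(ua):
    """Return reasons why an MSIE-style User-Agent looks hand-rolled.

    None  -> the UA does not claim to be classic MSIE at all (no opinion).
    []    -> consistent with what the real browser sent.
    [...] -> one entry per inconsistency found.
    """
    m = MSIE_UA_RE.match(ua)
    if not m:
        return None
    mozilla_major, msie_major, platform = int(m.group(1)), int(m.group(2)), m.group(3)
    problems = []
    # IE 8 and earlier sent Mozilla/4.0; IE 9 and 10 sent Mozilla/5.0.
    expected = 4 if msie_major <= 8 else 5
    if mozilla_major != expected:
        problems.append(f"MSIE {msie_major}.0 shipped as Mozilla/{expected}.0, "
                        f"not Mozilla/{mozilla_major}.0")
    # Real IE always carried a Windows platform token.
    if "Windows" not in platform:
        problems.append("no Windows platform token")
    # IE 8 onward also advertised the Trident engine version.
    if msie_major >= 8 and "Trident/" not in platform:
        problems.append("no Trident/ token")
    return problems


def is_dotted_quad(host):
    """True if the HTTP Host header value is a bare IPv4 literal."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def triage_alert(event):
    """Classify one EVE 'alert' record for SID 2018358."""
    if event.get("event_type") != "alert" or event.get("alert", {}).get("signature_id") != SID:
        return {"verdict": "not_applicable", "notes": []}
    http = event.get("http", {})
    notes = []
    if http.get("http_method") == "POST" and is_dotted_quad(http.get("hostname", "")):
        notes.append("POST to dotted-quad Host header")
    problems = msie_ua_problems(http.get("http_user_agent", ""))
    if problems is None:
        return {"verdict": "non_msie_ua", "notes": notes}
    if problems:
        return {"verdict": "likely_spoofed", "notes": notes + problems}
    return {"verdict": "plausible_ie", "notes": notes}


def triage_lines(lines):
    """Run triage over EVE JSON lines; returns (verdict, user_agent) per record."""
    results = []
    for line in lines:
        event = json.loads(line)
        verdict = triage_alert(event)["verdict"]
        results.append((verdict, event.get("http", {}).get("http_user_agent", "")))
    return results


if __name__ == "__main__":
    for verdict, ua in triage_lines(SAMPLE_EVE_LINES):
        print(f"{verdict:15} {ua}")
```

Feed it `eve.json` line by line (for example `triage_lines(open("eve.json"))`) and the records whose UA is internally inconsistent surface first; a "plausible_ie" verdict only means the UA string is well-formed, not that the traffic is benign, so the PCAP check suggested above still applies.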

