[Emerging-Sigs] Question on sid:2018358

Nathan nathan at packetmail.net
Tue May 5 09:11:57 HDT 2020

MSIE 8 used Mozilla/4.0 instead of Mozilla/5.0; in the case here, this
browser is spoofed and is not legitimate.  MSIE 9+ uses Mozilla/5.0
until we ended up with the terse User-Agents used today with Edge.

In your flow snippet below Mozilla/5.0 is incorrect in the context of
MSIE 8.  Also that UA is very old, if it were legitimate, and not
improperly spoofed.

Since it's on TCP 80, plaintext assumed, maybe look into the PCAP?
// The following results are from Farsight Security, Inc.'s Passive DNS
// system, for more information about this product please see
// https://dnsdb.info and https://www.farsightsecurity.com

m225.absolute.com. IN A
ccpostqa.absolute.com. IN A
d.namequery.com. IN A
si.namequery.com. IN A
;;; Returned 4 RRs in 0.04 seconds.


On Tue, 5 May 2020 17:51:49 +0000

Leonard Jacobs <ljacobs at netsecuris.com> wrote:

> What is this signature actually trying to accomplish?
> It fired on the following and trying to determine if it is a false
> positive.  I read the content of the signature but this did not make
> sense for this.
> {"timestamp":"2020-05-05T15:38:58.854536+0000","flow_id":158808685623782,"in_iface":"enp4s0","event_type":"alert","src_ip":"x.x.x.x","src_port":58064,"dest_ip":"","dest_port":80,"proto":"TCP","tx_id":968,"alert":{"action":"allowed","gid":1,"signature_id":2018358,"rev":9,"signature":"ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1","category":"Potentially Bad Traffic","severity":2,"metadata":{"updated_at":["2020_03_03"],"created_at":["2014_04_04"],"former_category":["INFO"]}},"http":{"hostname":"","url":"\/","http_user_agent":"Mozilla\/5.0 (compatible; MSIE 8.0;)","http_method":"POST","protocol":"HTTP\/1.1","length":0},"app_proto":"http","flow":{"pkts_toserver":1942,"pkts_toclient":1940,"bytes_toserver":339371,"bytes_toclient":299816,"start":"2020-05-05T15:33:31.473574+0000"}}
> Thanks.
> Leonard
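As an added example (not part of Nathan's reply or of the ET rule itself), a small Python triage helper that applies the Mozilla/MSIE consistency check described above to a Suricata EVE alert line. The sample alert, its addresses and its Host value are constructed placeholders modelled on the one in the thread.

```python
import json
import re
from typing import List

# A genuine Internet Explorer UA pairs the MSIE token with a fixed Mozilla token:
# IE 8 and earlier send Mozilla/4.0, IE 9 and 10 send Mozilla/5.0 (IE 11 dropped
# the MSIE token entirely, so it never matches this pattern).
MSIE_UA = re.compile(r"^Mozilla/(\d\.\d) \(compatible; MSIE (\d{1,2})\.\d;?(.*)\)$")
DOTTED_QUAD = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def ua_inconsistencies(ua: str) -> List[str]:
    """Reasons an MSIE-style User-Agent looks spoofed; empty if it is
    consistent or does not claim to be MSIE at all."""
    m = MSIE_UA.match(ua)
    if not m:
        return []
    mozilla, major, rest = m.group(1), int(m.group(2)), m.group(3)
    expected = "4.0" if major <= 8 else "5.0"
    reasons = []
    if mozilla != expected:
        reasons.append(f"MSIE {major} should send Mozilla/{expected}, got Mozilla/{mozilla}")
    if "Windows" not in rest:
        reasons.append("no Windows platform token after MSIE, which desktop IE includes")
    return reasons

def triage_eve_alert(line: str) -> dict:
    """Pull the fields sid 2018358 keys on out of one Suricata EVE alert line."""
    ev = json.loads(line)
    http = ev.get("http", {})
    ua = http.get("http_user_agent", "")
    reasons = ua_inconsistencies(ua)
    if DOTTED_QUAD.match(http.get("hostname", "")):
        reasons.append("Host header is a bare IP address, not a domain name")
    return {"sid": ev["alert"]["signature_id"], "method": http.get("http_method"),
            "ua": ua, "reasons": reasons}

# Constructed EVE line modelled on the alert in the thread; IPs and Host are
# placeholders from documentation ranges, not values from the original report.
SAMPLE_ALERT = json.dumps({
    "event_type": "alert", "src_ip": "192.0.2.10", "dest_ip": "203.0.113.10",
    "dest_port": 80, "proto": "TCP",
    "alert": {"signature_id": 2018358, "rev": 9,
              "signature": "ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1"},
    "http": {"hostname": "203.0.113.10", "url": "/", "http_method": "POST",
             "http_user_agent": "Mozilla/5.0 (compatible; MSIE 8.0;)"},
})

if __name__ == "__main__":
    print(json.dumps(triage_eve_alert(SAMPLE_ALERT), indent=2))
```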
