Hi Emerging Threats,<div><br></div><div>What do you think about this to detect Duqu&#39;s UA?</div><div><br></div><div>alert tcp $HOME_NET any -&gt; $EXTERNAL_NET $HTTP_PORTS (msg:&quot;W32.Duqu User-Agent&quot;; flow:to_server,established; content:&quot;User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 6.0|3B| en-US|3B| rv|3A|1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)|0D 0A|”; http_header; fast_pattern:only; reference:url,<a href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf">http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf</a>; classtype:trojan-activity; sid:XXXXXXX; rev:1;)</div>
<div><br></div><div>Thank you,</div><div>-Chris</div><div><br></div><div><br></div>