alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow:to_server,established; content:"User-Agent|3a| Wise"; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; reference:url,doc.emergingthreats.net/2002167; classtype:trojan-activity; sid:2002167; rev:16;)

Added 2011-10-12 19:11:22 UTC

Hello!

Please consider rule modification. Reason: legitimate application with Wise UA detected.

Our customers are using the Yearli Desktop application. The previous name for that application is WinFiler. Link confirming the application name change - http://yearlidesktop.greatland.com/Downloads/YD%203.14.32%20Release%20Notes.pdf

This software was designed by the greatland.com corporation. Link to the company web site - http://www.greatland.com/category/software+&+online+filing/yearli+desktop.do

PCAP (without confidential information):

GET /2015/YearliDesktop/UpdateConfig.INI HTTP/1.1
Accept: /
User-Agent: Wise
Host: winfilerupdate.winfiler.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Thu, 07 Apr 2016 20:34:19 GMT
Accept-Ranges: bytes
ETag: "5523bfdcc91d11:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Thu, 05 Jan 2017 14:46:46 GMT
Content-Length: 44
Set-Cookie:

[LatestUpdate]
SubDirName=

GET /2015/YearliDesktop/2016-03-07_Q4U6/versions.ini HTTP/1.1
Accept: /
User-Agent: Wise
Host: winfilerupdate.winfiler.com
Connection: Keep-Alive
Cookie:

DATA

Thanks!

-- MaksymParpaley - 2017-01-06

Hi Maksym, this is a POLICY rule that is very dependent on your organization's policies. If your organization allows applications such as these, then you should disable the rules or suppress the alerts.

-- DarienH - 2017-01-06
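Darien's advice above, disable or suppress, worked through as an added Python example that is not part of this page, of the ET rule, or of either poster's words: it decodes the rule's content match, shows why the posted Yearli/WinFiler request trips sid 2002167, and then applies a destination allowlist of the kind a suppression expresses. The request bytes are constructed from Maksym's PCAP; LEGIT_UPDATE_HOSTS and should_alert are assumptions of this example, not anything Suricata or Snort provide.

```python
import re

# content: option exactly as written in sid:2002167 rev:16 (the rule at the top of this page)
RULE_CONTENT = "User-Agent|3a| Wise"

# Known-good updater taken from Maksym's PCAP; an assumed stand-in for an org's own allowlist
LEGIT_UPDATE_HOSTS = {b"winfilerupdate.winfiler.com"}

# Constructed from the posted request (Accept header omitted, nothing confidential)
YEARLI_REQUEST = (
    b"GET /2015/YearliDesktop/UpdateConfig.INI HTTP/1.1\r\n"
    b"User-Agent: Wise\r\n"
    b"Host: winfilerupdate.winfiler.com\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)

def decode_content(pattern: str) -> bytes:
    """Expand a Snort/Suricata content string: |hh hh| hex runs and backslash escapes."""
    out = bytearray()
    for literal, hexrun in re.findall(r"([^|]*)(?:\|([0-9a-fA-F ]+)\|)?", pattern):
        out += re.sub(r"\\(.)", r"\1", literal).encode("latin-1")
        if hexrun:
            out += bytes.fromhex(hexrun)
    return bytes(out)

def http_header_block(raw: bytes) -> bytes:
    """Request line plus headers: the buffer the rule's http_header modifier inspects."""
    return raw.split(b"\r\n\r\n", 1)[0]

def rule_matches(raw: bytes, pattern: str = RULE_CONTENT) -> bool:
    """True when the decoded content bytes occur in the header block.
    The match is case-sensitive because the rule carries no nocase."""
    return decode_content(pattern) in http_header_block(raw)

def host_of(raw: bytes) -> bytes:
    """Lower-cased Host header value, or b'' when the request has none."""
    m = re.search(rb"(?im)^Host:[ \t]*([^\r\n]+)", http_header_block(raw))
    return m.group(1).strip().lower() if m else b""

def should_alert(raw: bytes) -> bool:
    """Policy layer: keep the alert unless the Wise UA is talking to an approved updater."""
    return rule_matches(raw) and host_of(raw) not in LEGIT_UPDATE_HOSTS

if __name__ == "__main__":
    print("rule matches:", rule_matches(YEARLI_REQUEST))          # True: UA header present
    print("alert after allowlist:", should_alert(YEARLI_REQUEST))  # False: approved host
```

In a live sensor the equivalent is a threshold.conf entry such as `suppress gen_id 1, sig_id 2002167, track by_dst, ip <updater IP>`, which keys on the destination address rather than the Host header, so the updater's IP must be resolved and kept current.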

Makes sense. Thank you.

-- MaksymParpaley - 2017-01-10


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow:to_server,established; content:"User-Agent|3a| Wise"; http_header; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; reference:url,doc.emergingthreats.net/2002167; sid:2002167; rev:16;)

Added 2011-09-14 21:27:25 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow:to_server,established; content:"User-Agent|3a| Wise"; http_header; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; reference:url,doc.emergingthreats.net/2002167; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Wise; sid:2002167; rev:16;)

Added 2011-02-04 17:21:45 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow: to_server,established; content:"|0d 0a|User-Agent\: Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002167; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Wise; sid:2002167; rev:13;)

Added 2009-02-11 19:24:43 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow: to_server,established; content:"|0d 0a|User-Agent\: Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:12;)

Added 2008-03-12 13:13:30 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow: to_server,established; content:"|0d 0a|User-Agent\: Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:12;)

Added 2008-03-12 13:12:13 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Malware - Wise User Agent (Wise)"; flow: to_server,established; content:"|0d 0a|User-Agent\: Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:11;)

Added 2008-03-09 15:12:09 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spyware - Wise User Agent"; flow: to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Wise/i"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:9;)

Added 2008-01-28 17:24:20 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Possible Spyware - Wise User Agent"; flow: to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Wise/i"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:8;)



Topic revision: r4 - 2017-01-10 - MaksymParpaley
 