#alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Windows Update in Progress"; flow:established,to_server; content:"Windows-Update-Agent"; http_header; content:"Host|3a|"; http_header; nocase; pcre:"/User-Agent\x3a[^\n]+Windows-Update-Agent/i"; threshold: type limit, count 1, seconds 300, track by_src; reference:url,windowsupdate.microsoft.com; reference:url,doc.emergingthreats.net/2002949; classtype:policy-violation; sid:2002949; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 20:56:21 UTC


#alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Windows Update in Progress"; flow:established,to_server; content:"Windows-Update-Agent"; http_header; content:"Host|3a|"; http_header; nocase; within:20; pcre:"/User-Agent\x3a[^\n]+Windows-Update-Agent/i"; threshold: type limit, count 1, seconds 300, track by_src; reference:url,windowsupdate.microsoft.com; reference:url,doc.emergingthreats.net/2002949; classtype:policy-violation; sid:2002949; rev:8;)

Added 2011-10-12 19:12:35 UTC


#alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Windows Update in Progress"; flow:established,to_server; content:"Windows-Update-Agent"; http_header; content:"Host|3a|"; http_header; nocase; within:20; pcre:"/User-Agent\x3a[^\n]+Windows-Update-Agent/i"; threshold: type limit, count 1, seconds 300, track by_src; classtype:policy-violation; reference:url,windowsupdate.microsoft.com; reference:url,doc.emergingthreats.net/2002949; sid:2002949; rev:8;)

Added 2011-09-14 22:25:31 UTC


#alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Windows Update in Progress"; flow:established,to_server; content:"Windows-Update-Agent"; http_header; content:"Host|3a|"; http_header; nocase; within:20; pcre:"/User-Agent\x3a[^\n]+Windows-Update-Agent/i"; threshold: type limit, count 1, seconds 300, track by_src; classtype:policy-violation; reference:url,windowsupdate.microsoft.com; reference:url,doc.emergingthreats.net/2002949; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Windows_Updates; sid:2002949; rev:8;)

Added 2011-02-04 17:22:09 UTC


#alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Windows Update in Progress"; flow:established,to_server; content:"Windows-Update-Agent"; content:"Host\:"; nocase; within:20; pcre:"/User-Agent\:[^\n]+Windows-Update-Agent/i"; threshold: type limit, count 1, seconds 300, track by_src; reference:url,windowsupdate.microsoft.com; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002949; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Windows_Updates; sid:2002949; rev:6;)

Added 2009-02-11 19:24:43 UTC


#alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Windows Update in Progress"; flow:established,to_server; content:"Windows-Update-Agent"; content:"Host\:"; nocase; within:20; pcre:"/User-Agent\:[^\n]+Windows-Update-Agent/i"; threshold: type limit, count 1, seconds 300, track by_src; reference:url,windowsupdate.microsoft.com; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002949; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Windows_Updates; sid:2002949; rev:6;)

Added 2009-02-11 19:24:43 UTC


#alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Windows Update in Progress"; flow:established,to_server; content:"Windows-Update-Agent"; content:"Host\:"; nocase; within:20; pcre:"/User-Agent\:[^\n]+Windows-Update-Agent/i"; threshold: type limit, count 1, seconds 300, track by_src; reference:url,windowsupdate.microsoft.com; classtype:policy-violation; sid:2002949; rev:5;)

Added 2008-01-31 18:48:10 UTC


#alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Windows Update in Progress"; flow:established,to_server; content:"Windows-Update-Agent"; content:"Host\:"; nocase; within:20; pcre:"/User-Agent\:[^\n]+Windows-Update-Agent/i"; threshold: type limit, count 1, seconds 300, track by_src; reference:url,windowsupdate.microsoft.com; classtype:policy-violation; sid:2002949; rev:5;)

Added 2008-01-31 18:48:10 UTC


#alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Windows Update in Progress"; flow:established,to_server; content:"Windows-Update-Agent"; content:"Host\:"; nocase; within:20; pcre:"/User-Agent\:[^\n]+Windows-Update-Agent/i"; threshold: type limit, count 1, seconds 300, track by_src; reference:url,windowsupdate.microsoft.com; classtype:policy-violation; sid:2002949; rev:4;)



Topic revision: r1 - 2017-08-08 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats