alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VB WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"WinHTTP"; within:150; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002970; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2002970; rev:8;)

Added 2009-02-09 21:30:23 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VB WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"WinHTTP"; within:150; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002970; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2002970; rev:8;)

Added 2009-02-09 21:30:23 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VB WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"WinHTTP"; within:150; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002970; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2002970; rev:8;)

Added 2009-02-09 21:29:24 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VB WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"WinHTTP"; within:150; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002970; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2002970; rev:8;)

Added 2009-02-09 21:29:24 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VB WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"WinHTTP"; within:150; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; sid:2002970; rev:7;)

Added 2008-05-09 17:01:40 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VB WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"WinHTTP"; within:150; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; sid:2002970; rev:7;)

Added 2008-05-09 17:01:40 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VB WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; sid:2002970; rev:6;)

Added 2008-02-01 14:32:22 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VB WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; sid:2002970; rev:6;)

Added 2008-02-01 14:32:22 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VB WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; sid:2002970; rev:5;)

Added 2008-01-28 17:24:20 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VB WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; sid:2002970; rev:5;)

Added 2008-01-28 17:24:20 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE VB WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; content:!"Host\: myavert.avertlabs.com"; classtype:trojan-activity; sid:2002970; rev:4;)

Added 2007-07-27 03:31:17 UTC

Negating avert labs false positive

-- MattJonkman - 27 Jul 2007


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE VB WinHTTP? User Agent - Possible Malware"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+WinHTTP/i"; classtype:trojan-activity; sid:2002970; rev:3;)



Topic revision: r2 - 2007-07-27 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats