# SID 2007646 rev 9 (current entry): Farfli check-in detected by its User-Agent.
# Fires on an outbound HTTP request whose URI contains "/rpt" and whose
# User-Agent header value is a run of letters/digits at least 92 long (the pcre
# has no end anchor, so 92 is a minimum; /i makes [a-z0-9] cover upper case, and
# /H /m anchor "^User-Agent" at the start of a normalized header line).
# Requests whose UA starts with "Mozilla" are excluded by the negated match.
# Compared with the rev 6 entries below: "alert http" with $EXTERNAL_NET any
# replaces tcp/$HTTP_PORTS, and a metadata keyword is added; revs 7 and 8 are
# not shown on this page.
# NOTE(review): "/rpt" is a 4-byte fast_pattern, so the pcre carries the real
# discrimination. The first sample UA in the discussion below is roughly 78
# characters as printed and would not satisfy {92} — confirm the intended
# minimum length unless that sample was truncated when pasted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Farfli User Agent Detected"; flow:established,to_server; content:"/rpt"; http_uri; fast_pattern; content:"User-Agent|3a| "; http_header; content:!"User-Agent|3a| Mozilla"; http_header; pcre:"/^User-Agent\x3a [a-z0-9]{92}/Hmi"; reference:url,doc.emergingthreats.net/2007646; classtype:trojan-activity; sid:2007646; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:00:54 UTC


# SID 2007646 rev 6, third entry (2011-10-12): identical detection logic to the
# other two rev 6 entries; only the order of the reference and classtype
# keywords differs. NOTE(review): three entries carry rev:6 with different
# option sets — the revision number was not bumped between them.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Farfli User Agent Detected"; flow:established,to_server; content:"/rpt"; http_uri; fast_pattern; content:"User-Agent|3a| "; http_header; content:!"User-Agent|3a| Mozilla"; http_header; pcre:"/^User-Agent\x3a [a-z0-9]{92}/Hmi"; reference:url,doc.emergingthreats.net/2007646; classtype:trojan-activity; sid:2007646; rev:6;)

Added 2011-10-12 19:23:30 UTC


# SID 2007646 rev 6, second entry (2011-09-14): same matches as the first rev 6
# entry; the cvsweb reference URL was dropped, detection logic unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Farfli User Agent Detected"; flow:established,to_server; content:"/rpt"; http_uri; fast_pattern; content:"User-Agent|3a| "; http_header; content:!"User-Agent|3a| Mozilla"; http_header; pcre:"/^User-Agent\x3a [a-z0-9]{92}/Hmi"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007646; sid:2007646; rev:6;)

Added 2011-09-14 22:37:04 UTC


# SID 2007646 rev 6, first entry (2011-02-04): rewrite onto HTTP buffers.
# The uricontent/raw-payload matches of rev 5 become http_uri and http_header
# content matches, and the pcre is anchored at the start of a normalized
# header line ("^User-Agent\x3a" with /H and /m) instead of searching the raw
# payload for "\x0a\x0aUser-Agent". fast_pattern is pinned to the 4-byte "/rpt".
# Detection intent is unchanged: URI contains "/rpt", UA is 92+ letters/digits
# and does not start with "Mozilla".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Farfli User Agent Detected"; flow:established,to_server; content:"/rpt"; http_uri; fast_pattern; content:"User-Agent|3a| "; http_header; content:!"User-Agent|3a| Mozilla"; http_header; pcre:"/^User-Agent\x3a [a-z0-9]{92}/Hmi"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007646; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Farfli; sid:2007646; rev:6;)

Added 2011-02-04 17:26:46 UTC


# SID 2007646 rev 5 (2010-08-23): the only change from rev 4 is the pcre flag
# set, "/Ui" -> "/i", so the pattern is no longer evaluated against the
# normalized-URI buffer.
# NOTE(review): the content matches key on "|0d 0a|User-Agent" (CRLF) while the
# pcre looks for "\x0a\x0aUser-Agent" (two LFs); on a CRLF-terminated header
# line those cannot both be true, so as written the pcre is unlikely to match —
# unless the escape was altered when the page was rendered. The rev 6 entries
# above replace it with a header-anchored "^User-Agent\x3a".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Farfli User Agent Detected"; flow:established,to_server; uricontent:"/rpt"; content:"|0d 0a|User-Agent\: "; content:!"|0d 0a|User-Agent\: Mozilla"; pcre:"/\x0a\x0aUser-Agent\: [a-z0-9]{92}/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007646; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Farfli; sid:2007646; rev:5;)

Added 2010-08-23 13:46:26 UTC


# SID 2007646 rev 5 (2010-08-23), duplicate listing with the same timestamp as
# the entry above. Change from rev 4: pcre flags "/Ui" -> "/i".
# NOTE(review): content matches use CRLF ("|0d 0a|") before User-Agent but the
# pcre requires "\x0a\x0a"; these disagree for a normal CRLF header line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Farfli User Agent Detected"; flow:established,to_server; uricontent:"/rpt"; content:"|0d 0a|User-Agent\: "; content:!"|0d 0a|User-Agent\: Mozilla"; pcre:"/\x0a\x0aUser-Agent\: [a-z0-9]{92}/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007646; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Farfli; sid:2007646; rev:5;)

Added 2010-08-23 13:46:26 UTC


# SID 2007646 rev 4 (2009-02-12): adds the two reference URLs; match logic is
# unchanged from rev 3.
# NOTE(review): the pcre still carries the "U" flag, which in Snort selects the
# normalized URI buffer — a header pattern ("User-Agent") will not be found
# there. Rev 5 drops the flag, consistent with this being the reason.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Farfli User Agent Detected"; flow:established,to_server; uricontent:"/rpt"; content:"|0d 0a|User-Agent\: "; content:!"|0d 0a|User-Agent\: Mozilla"; pcre:"/\x0a\x0aUser-Agent\: [a-z0-9]{92}/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007646; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Farfli; sid:2007646; rev:4;)

Added 2009-02-12 18:21:16 UTC


# SID 2007646 rev 4 (2009-02-12), duplicate listing with the same timestamp as
# the entry above: reference URLs added, matches unchanged from rev 3, pcre
# still evaluated with the "U" (URI buffer) flag that rev 5 removes.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Farfli User Agent Detected"; flow:established,to_server; uricontent:"/rpt"; content:"|0d 0a|User-Agent\: "; content:!"|0d 0a|User-Agent\: Mozilla"; pcre:"/\x0a\x0aUser-Agent\: [a-z0-9]{92}/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007646; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Farfli; sid:2007646; rev:4;)

Added 2009-02-12 18:21:16 UTC


# SID 2007646 rev 3 (2008-01-31): msg prefix renamed "BLEEDING-EDGE" -> "ET";
# detection logic identical to rev 2.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Farfli User Agent Detected"; flow:established,to_server; uricontent:"/rpt"; content:"|0d 0a|User-Agent\: "; content:!"|0d 0a|User-Agent\: Mozilla"; pcre:"/\x0a\x0aUser-Agent\: [a-z0-9]{92}/Ui"; classtype:trojan-activity; sid:2007646; rev:3;)

Added 2008-01-31 10:12:23 UTC


# SID 2007646 rev 3 (2008-01-31), duplicate listing with the same timestamp as
# the entry above: msg prefix "BLEEDING-EDGE" -> "ET", logic unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Farfli User Agent Detected"; flow:established,to_server; uricontent:"/rpt"; content:"|0d 0a|User-Agent\: "; content:!"|0d 0a|User-Agent\: Mozilla"; pcre:"/\x0a\x0aUser-Agent\: [a-z0-9]{92}/Ui"; classtype:trojan-activity; sid:2007646; rev:3;)

Added 2008-01-31 10:12:23 UTC


# SID 2007646 rev 2 (2007-11-02): msg wording "Useragent" -> "User Agent";
# detection logic identical to rev 1.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Farfli User Agent Detected"; flow:established,to_server; uricontent:"/rpt"; content:"|0d 0a|User-Agent\: "; content:!"|0d 0a|User-Agent\: Mozilla"; pcre:"/\x0a\x0aUser-Agent\: [a-z0-9]{92}/Ui"; classtype:trojan-activity; sid:2007646; rev:2;)

Added 2007-11-02 05:31:19 UTC


# SID 2007646 rev 2 (2007-11-02), duplicate listing with the same timestamp as
# the entry above: msg wording change only, logic unchanged from rev 1.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Farfli User Agent Detected"; flow:established,to_server; uricontent:"/rpt"; content:"|0d 0a|User-Agent\: "; content:!"|0d 0a|User-Agent\: Mozilla"; pcre:"/\x0a\x0aUser-Agent\: [a-z0-9]{92}/Ui"; classtype:trojan-activity; sid:2007646; rev:2;)

Added 2007-11-02 05:31:19 UTC


# SID 2007646 rev 1 (2007-10-29): original rule from the discussion below.
# Matches an established client-to-server request on $HTTP_PORTS whose URI
# contains "/rpt" and whose payload holds a CRLF-preceded "User-Agent: " that
# is not followed by "Mozilla"; the pcre then requires 92 or more letters/digits
# (case-insensitive) after "User-Agent: ".
# NOTE(review): the pcre's "\x0a\x0a" prefix and "U" (URI buffer) flag are both
# at odds with matching a CRLF-terminated header; later revisions changed each.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Farfli Useragent Detected"; flow:established,to_server; uricontent:"/rpt"; content:"|0d 0a|User-Agent\: "; content:!"|0d 0a|User-Agent\: Mozilla"; pcre:"/\x0a\x0aUser-Agent\: [a-z0-9]{92}/Ui"; classtype:trojan-activity; sid:2007646; rev:1;)

Added 2007-10-29 04:16:44 UTC

This farfli thing has been coming through the sandnet quite a bit, but the only thing really unique has been its user agent. Quite frustrating. Looks like a base64 encoded long string, like over 90 characters. No whitespace, no punctuation. A request looks like so:

GET hxxp://tmp.farfly.org/rpt5p60000

with a UA of

UqUrSiQ4HkOiRIoYiuF39PMVPVs36YskS2R7oCyfTI86JnOTIxdvk8m0x4QiMFbUhce6T16Ineob3u?

or

OTfNdabjtl9LU9WtC8ycOt1wKks0wEQWbxd17Qmi8sAS5GEFXoyk4IpeeLPh5yU70Z8ixBjhAVUd2l0B18ubFUZh6WHeaBg?

Finally thought of a way to pcre for it without incredible load. Please test and let me know if it causes issues, or false positives:

-- MattJonkman - 29 Oct 2007

