# sid:2008374 rev:15, entry of 2017-10-13 -- byte-identical to the 2017-10-12 entry below (a republish, not a change). Shipped disabled (leading '#').
# Fires on a client request (flow:established,to_server) whose normalized HTTP header buffer contains "User-Agent: InetURL?".
# The '?' after InetURL is most likely a TWiki WikiWord-link artifact rather than a matched byte: the capture further down this
# page carries "InetURL/1.0" (49 6E 65 74 55 52 4C 2F 31 2E 30) with no 0x3F, and the rule evidently matched it.
# Caveat (evasion): the three negated contents are evaluated against the whole header buffer, so a request that carries
# "www.dell.com", "pdfmachine.com" or "gs.apple.com" in ANY header -- Host, Referer, or one the client adds on purpose -- is
# excluded; tying the exclusions to the Host header specifically would close that gap.
# threshold: at most 2 alerts per source IP per 300 s. classtype:trojan-activity is kept from the old MALWARE category even
# though severity is Audit; consumers that derive priority from classtype may over-rank this POLICY rule.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious User-Agent (InetURL?)"; flow:established,to_server; content:"User-Agent|3a| InetURL?"; http_header; content:!"www.dell.com"; http_header; content:!"pdfmachine.com"; http_header; content:!"gs.apple.com"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/bin/view/Main/2008374; classtype:trojan-activity; sid:2008374; rev:15; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Audit, created_at 2010_07_30, updated_at 2017_10_12;)

Added 2017-10-13 16:25:25 UTC


# sid:2008374 rev:15, entry of 2017-10-12. Still disabled. Versus the 2017-08-07 entry below (also rev:15): adds
# "metadata: former_category POLICY", drops signature_severity from Major to Audit and bumps updated_at -- without bumping rev.
# Rule managers that key on sid/rev (pulledpork, suricata-update and similar) may not refresh a rule whose rev is unchanged,
# so the severity downgrade may not reach deployed sensors. Detection logic is unchanged from the 2011 revisions:
# User-Agent match in the normalized header buffer, three whole-buffer negated exclusions (bypassable by placing the
# excluded string in any header), limit of 2 alerts per source per 300 s.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious User-Agent (InetURL?)"; flow:established,to_server; content:"User-Agent|3a| InetURL?"; http_header; content:!"www.dell.com"; http_header; content:!"pdfmachine.com"; http_header; content:!"gs.apple.com"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/bin/view/Main/2008374; classtype:trojan-activity; sid:2008374; rev:15; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Audit, created_at 2010_07_30, updated_at 2017_10_12;)

Added 2017-10-12 16:20:33 UTC


# sid:2008374 rev:15, entry of 2017-08-07. First entry using the "http" app-layer protocol keyword (earlier entries use
# "tcp ... $HTTP_PORTS") and the first with the metadata block; signature_severity is Major here but is lowered to Audit in the
# later entries above, all still at rev:15. Note the mismatch on this line itself: severity Major and classtype
# trojan-activity on a rule that is commented out and filed under POLICY. Match and exclusion logic as in the 2011 revisions;
# the negated contents cover the whole header buffer, so any header containing an excluded string suppresses the alert.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious User-Agent (InetURL?)"; flow:established,to_server; content:"User-Agent|3a| InetURL?"; http_header; content:!"www.dell.com"; http_header; content:!"pdfmachine.com"; http_header; content:!"gs.apple.com"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008374; classtype:trojan-activity; sid:2008374; rev:15; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

Added 2017-08-07 21:01:32 UTC


# sid:2008374 rev:15, entry of 2011-10-12. Disabled. Differs from the 2011-09-14 entry below only in option order
# (reference before classtype) -- no detection change, rev unchanged. Raw "tcp ... $HTTP_PORTS" form: the http_header
# modifiers still need the HTTP inspector, so traffic on ports outside $HTTP_PORTS is not inspected by this rule.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Suspicious User-Agent (InetURL?)"; flow:established,to_server; content:"User-Agent|3a| InetURL?"; http_header; content:!"www.dell.com"; http_header; content:!"pdfmachine.com"; http_header; content:!"gs.apple.com"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008374; classtype:trojan-activity; sid:2008374; rev:15;)

Added 2011-10-12 19:25:00 UTC


# sid:2008374 rev:15, entry of 2011-09-14. Disabled. Versus the 2011-07-29 entry below: the cvsweb reference URL was
# dropped; detection options are unchanged and rev was not bumped. Threshold: first 2 alerts per source IP per 300 s,
# then silence for the rest of the window.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Suspicious User-Agent (InetURL?)"; flow:established,to_server; content:"User-Agent|3a| InetURL?"; http_header; content:!"www.dell.com"; http_header; content:!"pdfmachine.com"; http_header; content:!"gs.apple.com"; http_header; threshold: type limit, count 2, track by_src, seconds 300; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008374; sid:2008374; rev:15;)

Added 2011-09-14 22:38:27 UTC


# sid:2008374 rev:15, entry of 2011-07-29 -- the first disabled entry. Relative to rev:13 below: msg category renamed
# USER_AGENTS -> POLICY, a per-source threshold (2 per 300 s) added, and the rule commented out; rev:14 is not shown on
# this page. Taken together this reads as the response to the false-positive report below (a legitimate RSS desktop-alert
# client using this User-Agent). Note that the host from that report (desktopalerts.crain.com) was never added to the
# exclusion list; the exclusions remain www.dell.com, pdfmachine.com and gs.apple.com.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Suspicious User-Agent (InetURL?)"; flow:established,to_server; content:"User-Agent|3a| InetURL?"; http_header; content:!"www.dell.com"; http_header; content:!"pdfmachine.com"; http_header; content:!"gs.apple.com"; http_header; threshold: type limit, count 2, track by_src, seconds 300; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008374; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008374; rev:15;)

Added 2011-07-29 20:54:26 UTC


# sid:2008374 rev:13, 2011-02-04. Still enabled, no threshold. First revision to use http_header: the User-Agent match and
# all three exclusions now run against the normalized HTTP header buffer instead of the raw payload, and "|3a|" replaces the
# backslash-escaped colon of earlier revisions. The leading "|0d 0a|" anchor was dropped; with http_header that is fine
# for "User-Agent" but means a header such as "X-User-Agent: InetURL?" would also match (hedged -- depends on the
# inspector's header normalization). Exclusions are whole-buffer negations: an excluded string in any header suppresses
# the alert, which a client can do deliberately.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (InetURL?)"; flow:established,to_server; content:"User-Agent|3a| InetURL?"; http_header; content:!"www.dell.com"; http_header; content:!"pdfmachine.com"; http_header; content:!"gs.apple.com"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008374; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008374; rev:13;)

Added 2011-02-04 17:27:32 UTC


# sid:2008374 rev:9, 2010-08-19 (listed twice on this page). Adds "gs.apple.com" as a third exclusion. Raw-payload
# content matching, no HTTP buffers: case-sensitive, not normalized, and each negated content is searched over the entire
# reassembled payload -- including any request body -- so one occurrence of an excluded string anywhere suppresses the alert.
# "|0d 0a|" anchors "User-Agent" to the start of a header line. The '?' after InetURL is most likely a TWiki WikiWord-link
# artifact (the capture below shows "InetURL/1.0", hex 49 6E 65 74 55 52 4C 2F 31 2E 30).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (InetURL?)"; flow:established,to_server; content:"|0d 0a|User-Agent\: InetURL?"; content:!"www.dell.com"; content:!"pdfmachine.com"; content:!"gs.apple.com"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008374; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008374; rev:9;)

Added 2010-08-19 16:58:24 UTC


# sid:2008374 rev:9, 2010-08-19 -- duplicate listing of the entry above (same timestamp, same text). Raw-payload match on
# "\r\nUser-Agent: InetURL?" with three whole-payload negated exclusions (www.dell.com, pdfmachine.com, gs.apple.com).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (InetURL?)"; flow:established,to_server; content:"|0d 0a|User-Agent\: InetURL?"; content:!"www.dell.com"; content:!"pdfmachine.com"; content:!"gs.apple.com"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008374; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008374; rev:9;)

Added 2010-08-19 16:58:24 UTC


# sid:2008374 rev:8, 2009-10-19. Category renamed MALWARE -> USER_AGENTS in msg and reference path; detection unchanged
# from rev:6 (raw-payload User-Agent match, exclusions www.dell.com and pdfmachine.com). This is the revision current when
# the false-positive report below was filed (20 Oct 2009): the quoted request ("InetURL/1.0" to desktopalerts.crain.com)
# matches it and hits neither exclusion.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (InetURL?)"; flow:established,to_server; content:"|0d 0a|User-Agent\: InetURL?"; content:!"www.dell.com"; content:!"pdfmachine.com"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008374; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008374; rev:8;)

Added 2009-10-19 09:15:44 UTC

False positive induced by using the desktop alert RSS feed application for Automotive News: desktopalerts.crain.com. Please see the packet below (the hex column shows the User-Agent as "InetURL/1.0"):

000 : 47 45 54 20 2F 74 6E 70 6C 5F 61 6E 2F 61 6C 65   GET /tnpl_an/ale
010 : 72 74 73 2F 75 73 65 72 73 2F 35 2F 33 2F 37 2F   rts/users/5/3/7/
020 : 38 2F 61 6C 65 72 74 73 2E 74 78 74 3F 63 74 69   8/alerts.txt?cti
030 : 6D 65 62 3D 31 30 32 30 32 30 30 39 31 33 30 35   meb=102020091305
040 : 31 39 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65   19 HTTP/1.1..Use
050 : 72 2D 41 67 65 6E 74 3A 20 49 6E 65 74 55 52 4C   r-Agent: InetURL
060 : 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 64 65 73 6B   /1.0..Host: desk
070 : 74 6F 70 61 6C 65 72 74 73 2E 63 72 61 69 6E 2E   topalerts.crain.
080 : 63 6F 6D 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A   com..Connection:
090 : 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 0D 0A       Keep-Alive....

-- ParkerC - 20 Oct 2009


# sid:2008374 rev:8, 2009-10-19 -- duplicate listing of the rev:8 entry above. Raw-payload match on
# "\r\nUser-Agent: InetURL?", excluded when "www.dell.com" or "pdfmachine.com" occurs anywhere in the payload.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (InetURL?)"; flow:established,to_server; content:"|0d 0a|User-Agent\: InetURL?"; content:!"www.dell.com"; content:!"pdfmachine.com"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008374; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008374; rev:8;)

Added 2009-10-19 09:15:44 UTC


# sid:2008374 rev:6, 2009-03-15 (listed twice). Versus rev:5: adds "pdfmachine.com" as a second whole-payload exclusion
# and lists the positive User-Agent content before the negations (no semantic change -- negated contents are never
# fast-pattern candidates, so ordering here only affects readability). Still MALWARE category, classtype trojan-activity.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (InetURL?)"; flow:established,to_server; content:"|0d 0a|User-Agent\: InetURL?"; content:!"www.dell.com"; content:!"pdfmachine.com"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008374; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2008374; rev:6;)

Added 2009-03-15 21:00:25 UTC


# sid:2008374 rev:6, 2009-03-15 -- duplicate listing of the rev:6 entry above (raw-payload User-Agent match, exclusions
# www.dell.com and pdfmachine.com searched over the whole payload).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (InetURL?)"; flow:established,to_server; content:"|0d 0a|User-Agent\: InetURL?"; content:!"www.dell.com"; content:!"pdfmachine.com"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008374; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2008374; rev:6;)

Added 2009-03-15 21:00:25 UTC


# sid:2008374 rev:5, 2009-02-09. Only change from rev:4 is the addition of the two reference URLs; detection is identical
# (raw-payload match on "\r\nUser-Agent: InetURL?", suppressed if "www.dell.com" appears anywhere in the payload).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (InetURL?)"; flow:established,to_server; content:!"www.dell.com"; content:"|0d 0a|User-Agent\: InetURL?"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008374; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2008374; rev:5;)

Added 2009-02-09 22:22:08 UTC


# sid:2008374 rev:4, 2008-07-23 (listed twice). Destination tightened from "any" to $EXTERNAL_NET, so internal-to-internal
# HTTP with this User-Agent no longer alerts; otherwise identical to the later rev:3 entry below. First exclusion
# ("www.dell.com") is a whole-payload negation.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (InetURL?)"; flow:established,to_server; content:!"www.dell.com"; content:"|0d 0a|User-Agent\: InetURL?"; classtype:trojan-activity; sid:2008374; rev:4;)

Added 2008-07-23 10:00:23 UTC


# sid:2008374 rev:4, 2008-07-23 -- duplicate listing of the rev:4 entry above ($HOME_NET -> $EXTERNAL_NET, raw-payload
# User-Agent match, www.dell.com excluded anywhere in the payload).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (InetURL?)"; flow:established,to_server; content:!"www.dell.com"; content:"|0d 0a|User-Agent\: InetURL?"; classtype:trojan-activity; sid:2008374; rev:4;)

Added 2008-07-23 10:00:23 UTC


# sid:2008374 rev:3, 2008-07-22 23:00 (listed twice). Adds the to_server flow direction and the first exclusion
# (content:!"www.dell.com", searched over the whole payload) -- but keeps rev:3, the same rev as the 15:00 entry below with
# a different body. Rule managers that decide updates by sid/rev would not have picked this change up. Destination is
# still "any", so internal HTTP traffic on $HTTP_PORTS is in scope.
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (InetURL?)"; flow:established,to_server; content:!"www.dell.com"; content:"|0d 0a|User-Agent\: InetURL?"; classtype:trojan-activity; sid:2008374; rev:3;)

Added 2008-07-22 23:00:21 UTC


# sid:2008374 rev:3, 2008-07-22 23:00 -- duplicate listing of the entry above (to_server flow, www.dell.com exclusion,
# destination "any").
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (InetURL?)"; flow:established,to_server; content:!"www.dell.com"; content:"|0d 0a|User-Agent\: InetURL?"; classtype:trojan-activity; sid:2008374; rev:3;)

Added 2008-07-22 23:00:21 UTC


# sid:2008374 rev:3, 2008-07-22 15:00 (listed twice). Drops the trailing "|0d 0a|" of rev:2, so User-Agent values with a
# version suffix (e.g. "InetURL/1.0" as in the capture below) now match. "flow: established" carries no direction; the
# rule's own "$HOME_NET any -> any $HTTP_PORTS" supplies it. No exclusions yet.
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (InetURL?)"; flow: established; content:"|0d 0a|User-Agent\: InetURL?"; classtype:trojan-activity; sid:2008374; rev:3;)

Added 2008-07-22 15:00:21 UTC


# sid:2008374 rev:3, 2008-07-22 15:00 -- duplicate listing of the entry above (prefix match on "\r\nUser-Agent: InetURL?",
# no trailing CRLF, no exclusions, destination "any").
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (InetURL?)"; flow: established; content:"|0d 0a|User-Agent\: InetURL?"; classtype:trojan-activity; sid:2008374; rev:3;)

Added 2008-07-22 15:00:21 UTC


# sid:2008374 rev:2, 2008-07-14 (listed twice). Adds a leading "|0d 0a|" so "User-Agent" must start a header line (rev:1
# would also hit the tail of another header name). The trailing "|0d 0a|" requires the header value to end right after
# "InetURL?", so a versioned UA such as "InetURL/1.0" (the capture below) does not match this revision; rev:3 removes it.
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (InetURL?)"; flow: established; content:"|0d 0a|User-Agent\: InetURL?|0d 0a|"; classtype:trojan-activity; sid:2008374; rev:2;)

Added 2008-07-14 18:00:21 UTC


# sid:2008374 rev:2, 2008-07-14 -- duplicate listing of the entry above (exact-line match "\r\nUser-Agent: InetURL?\r\n";
# UA values with a version suffix do not match).
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (InetURL?)"; flow: established; content:"|0d 0a|User-Agent\: InetURL?|0d 0a|"; classtype:trojan-activity; sid:2008374; rev:2;)

Added 2008-07-14 18:00:21 UTC


# sid:2008374 rev:1, 2008-07-07 -- original rule. Raw-payload, case-sensitive match on "User-Agent: InetURL?\r\n" anywhere
# in the client payload: no leading CRLF, so it would also match inside a request body or as the suffix of another header
# name; the trailing CRLF requires the value to be exactly "InetURL?" with no version suffix. Destination "any", no
# exclusions, no threshold. The '?' in "InetURL?" is most likely a TWiki WikiWord-link artifact rather than a matched
# byte (see the capture on this page, which carries "InetURL/1.0").
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (InetURL?)"; flow: established; content:"User-Agent\: InetURL?|0d 0a|"; classtype:trojan-activity; sid:2008374; rev:1;)

Added 2008-07-07 15:12:24 UTC



Topic revision: r2 - 2009-10-20 - ParkerC
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats