# SID 2008500 rev 8, state as of 2017-04-04: the leading '#' comments the rule out, so
# this revision is DISABLED and produces no alerts. The rule text is otherwise identical
# to the enabled rev 8 added 2017-02-03 (same sid/rev, only the enable state changed).
# NOTE(review): the 2016-06-13 false-positive report further down this page (legitimate
# "Sogou Input" application) predates the disable and may be the reason, but the page
# does not state why the rule was switched off.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sogou.com Spyware User-Agent (SogouIMEMiniSetup?)"; flow:established,to_server; content:"User-Agent|3a| SogouIME?"; http_header; reference:url,doc.emergingthreats.net/2008500; classtype:trojan-activity; sid:2008500; rev:8;)

Added 2017-04-04 18:14:33 UTC


# SID 2008500 rev 8 (added 2017-02-03), enabled.
# Scope: 'alert http' from $HOME_NET (any port) to $EXTERNAL_NET (any port); the http
# protocol keyword relies on app-layer protocol detection instead of the $HTTP_PORTS
# variable used by the rev 6 text on this page.
# flow:established,to_server - established sessions only, request direction only.
# content + http_header - the literal byte string "User-Agent: SogouIME?" (|3a| is hex
# for ':') anywhere in the HTTP header buffer. No 'nocase', so the comparison is
# case-sensitive.
# NOTE(review): content has no wildcard syntax, so the trailing '?' is a literal byte.
# A User-Agent such as "SogouIMEMiniSetup" (as the msg hints) would not match, since
# the byte after "SogouIME" is 'M', not '?'. Confirm the '?' is intended.
# Versus the rev 6 text on this page: msg typo "Sogoul.com" corrected to "Sogou.com".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sogou.com Spyware User-Agent (SogouIMEMiniSetup?)"; flow:established,to_server; content:"User-Agent|3a| SogouIME?"; http_header; reference:url,doc.emergingthreats.net/2008500; classtype:trojan-activity; sid:2008500; rev:8;)

Added 2017-02-03 17:09:18 UTC


# SID 2008500 rev 6 (added 2011-12-15). TCP from $HOME_NET any to $EXTERNAL_NET
# $HTTP_PORTS, established, to_server.
# Match: literal "User-Agent: SogouIME?" (|3a| = ':') in the HTTP header buffer via
# http_header; case-sensitive (no nocase); the trailing '?' is a literal byte.
# Versus the rev 6 text added 2011-10-12, only the msg category changed
# (ET USER_AGENTS -> ET MALWARE) and rev was NOT bumped, so consumers that track
# changes by sid/rev would not see this edit.
# The 2016-06-13 false-positive discussion below sits under this revision.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sogoul.com Spyware User-Agent (SogouIMEMiniSetup?)"; flow:established,to_server; content:"User-Agent|3a| SogouIME?"; http_header; reference:url,doc.emergingthreats.net/2008500; classtype:trojan-activity; sid:2008500; rev:6;)

Added 2011-12-15 18:09:37 UTC

This rule seems to generate false positives for the application "Sogou Input". Can someone check whether this rule really catches malware?

-- SomeDude - 2016-06-13

Websense has listed sogoul.com as a threat because they have distributed spyware. Can you confirm that the traffic is indeed coming from the "Sogou Input" app and not from another app on the system? If a pcap is available, please send it to support@emergingthreats.net and reference this SID.

-- TravisGreen - 2016-06-13


# SID 2008500 rev 6 (added 2011-10-12), category ET USER_AGENTS.
# Same scope and match as the other rev 6 entries: TCP to $HTTP_PORTS, established,
# to_server, literal "User-Agent: SogouIME?" in the HTTP header buffer (http_header),
# case-sensitive.
# Differs from the 2011-09-14 rev 6 text only in option order (reference now precedes
# classtype); the position of these non-content options has no effect on matching.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Sogoul.com Spyware User-Agent (SogouIMEMiniSetup?)"; flow:established,to_server; content:"User-Agent|3a| SogouIME?"; http_header; reference:url,doc.emergingthreats.net/2008500; classtype:trojan-activity; sid:2008500; rev:6;)

Added 2011-10-12 19:25:15 UTC


# SID 2008500 rev 6 (added 2011-09-14), category ET USER_AGENTS.
# TCP to $HTTP_PORTS, established, to_server; literal "User-Agent: SogouIME?" in the
# HTTP header buffer (http_header), case-sensitive.
# Versus the 2011-02-04 rev 6 text: the second reference (cvsweb sigs/USER_AGENTS URL)
# was dropped; rule text otherwise unchanged and rev not bumped.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Sogoul.com Spyware User-Agent (SogouIMEMiniSetup?)"; flow:established,to_server; content:"User-Agent|3a| SogouIME?"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008500; sid:2008500; rev:6;)

Added 2011-09-14 22:38:42 UTC


# SID 2008500 rev 6 (added 2011-02-04), category ET USER_AGENTS.
# Versus rev 4 (2009-11-25), the match moved from the raw TCP payload
# ("|0d 0a|User-Agent\: SogouIME?") into the HTTP header buffer: content is now
# "User-Agent|3a| SogouIME?" with the http_header modifier. This depends on the HTTP
# parser having decoded the request but no longer requires the header to be preceded
# by a CRLF in the raw stream. Still case-sensitive; '?' is still a literal byte.
# Rev 5 is not shown on this page.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Sogoul.com Spyware User-Agent (SogouIMEMiniSetup?)"; flow:established,to_server; content:"User-Agent|3a| SogouIME?"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008500; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Sogou; sid:2008500; rev:6;)

Added 2011-02-04 17:27:41 UTC


# SID 2008500 rev 4 (added 2009-11-25), category ET USER_AGENTS.
# Raw-payload match (no http_header modifier): "|0d 0a|User-Agent\: SogouIME?" where
# |0d 0a| is CRLF, anchoring the header to the start of a line, and "\:" is an escaped
# colon. Case-sensitive; the trailing '?' is a literal byte.
# Versus rev 2: msg category changed from ET MALWARE to ET USER_AGENTS and the two
# reference URLs were updated.
# The entry below it on this page is a byte-identical duplicate with the same timestamp.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Sogoul.com Spyware User-Agent (SogouIMEMiniSetup?)"; flow:established,to_server; content:"|0d 0a|User-Agent\: SogouIME?"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008500; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Sogou; sid:2008500; rev:4;)

Added 2009-11-25 11:39:03 UTC


# SID 2008500 rev 4 (added 2009-11-25) - duplicate listing of the rev 4 entry above
# (identical text and timestamp).
# Raw-payload match: "|0d 0a|User-Agent\: SogouIME?" (CRLF-anchored header line,
# escaped colon), no http_header modifier, case-sensitive, literal '?'.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Sogoul.com Spyware User-Agent (SogouIMEMiniSetup?)"; flow:established,to_server; content:"|0d 0a|User-Agent\: SogouIME?"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008500; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Sogou; sid:2008500; rev:4;)

Added 2009-11-25 11:39:03 UTC


# SID 2008500 rev 2 (added 2009-02-09), category ET MALWARE.
# Versus rev 1: adds two reference URLs (ET doc wiki page and cvsweb
# sigs/MALWARE/MALWARE_USER_Agents); detection logic unchanged.
# Raw-payload match "|0d 0a|User-Agent\: SogouIME?" - CRLF-anchored header line with an
# escaped colon, no http_header modifier, case-sensitive, trailing '?' literal.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sogoul.com Spyware User-Agent (SogouIMEMiniSetup?)"; flow:established,to_server; content:"|0d 0a|User-Agent\: SogouIME?"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008500; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2008500; rev:2;)

Added 2009-02-09 22:22:08 UTC


# SID 2008500 rev 1 (added 2008-08-12) - the original rule, no references yet.
# TCP from $HOME_NET any to $EXTERNAL_NET $HTTP_PORTS, established, to_server.
# Raw-payload match "|0d 0a|User-Agent\: SogouIME?": |0d 0a| is CRLF so the header must
# start a line, "\:" is an escaped colon; no http_header modifier, no nocase
# (case-sensitive), and the trailing '?' is matched as a literal byte.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sogoul.com Spyware User-Agent (SogouIMEMiniSetup?)"; flow:established,to_server; content:"|0d 0a|User-Agent\: SogouIME?"; classtype:trojan-activity; sid:2008500; rev:1;)

Added 2008-08-12 10:39:57 UTC

