# rev 9 - commented out (leading '#'), so it is not loaded unless an operator enables it.
# Protocol is now "http" on any port. The backslash content (|5C|) is looked for in the first
# 200 bytes of the http_user_agent buffer, and the Citrix ICA Client exclusion is scoped to
# that same buffer.
# NOTE(review): the pcre still starts at the literal "User-Agent\:" and carries the H flag
# (header buffer), so it is not evaluated against http_user_agent like the two contents.
# The pcre core matches rev 4, for which a Sophos false positive is reported on this page;
# host\user style agents will presumably still match once the rule is enabled.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Inbound"; flow:established,to_server; content:"|5C|"; http_user_agent; depth:200; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_user_agent; pcre:"/User-Agent\:.*[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]/Hi"; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; reference:url,doc.emergingthreats.net/2010722; classtype:bad-unknown; sid:2010722; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:03:51 UTC


# rev 7 - commented out (leading '#'). Same http_header logic as the rev 6 entries on this
# page; the only detection change is that the pcre's final character class lost its
# trailing '+'. On a pattern with nothing after that class, this does not change which
# headers match; it only removes unneeded repetition.
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Inbound"; flow:established,to_server; content:"User-Agent|3a|"; nocase; http_header; content:"|5C|"; http_header; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_header; pcre:"/User-Agent\:.*[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]/iH"; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; reference:url,doc.emergingthreats.net/2010722; classtype:bad-unknown; sid:2010722; rev:7;)

Added 2012-06-22 00:48:42 UTC


# rev 6 (as listed 2011-10-12) - commented out (leading '#'). Compared with the 2011-09-14
# rev 6 entry, only the option order changed (references now precede classtype).
# The "User-Agent:" content and the backslash content are both matched in the http_header
# buffer but are not tied to each other by distance/within, so a backslash in any header
# satisfies them. The pcre ('.' does not cross a newline) is what confirms the backslash
# sits on the User-Agent line.
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Inbound"; flow:established,to_server; content:"User-Agent|3a|"; nocase; http_header; content:"|5C|"; http_header; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_header; pcre:"/User-Agent\:.*[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]+/iH"; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; reference:url,doc.emergingthreats.net/2010722; classtype:bad-unknown; sid:2010722; rev:6;)

Added 2011-10-12 19:30:25 UTC


# rev 6 (as listed 2011-09-14) - commented out (leading '#'). Differs from the 2011-02-04
# rev 6 entry only by dropping the cvsweb reference URL. rev was not incremented, so
# sid:2010722 rev:6 identifies more than one rule text on this page; compare the full rule
# text, not just sid/rev, when auditing a deployed ruleset.
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Inbound"; flow:established,to_server; content:"User-Agent|3a|"; nocase; http_header; content:"|5C|"; http_header; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_header; pcre:"/User-Agent\:.*[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]+/iH"; classtype:bad-unknown; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; reference:url,doc.emergingthreats.net/2010722; sid:2010722; rev:6;)

Added 2011-09-14 22:43:36 UTC


# rev 6 (as listed 2011-02-04) - commented out (leading '#'), unlike the rev 4 entries.
# Change from rev 4: the three contents are now matched in the http_header buffer instead
# of the raw payload, the CRLF prefix and within:200 are gone, and the pcre gains the H flag.
# The Citrix exclusion therefore applies to the header buffer rather than the whole payload.
# rev 5 is not listed on this page.
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Inbound"; flow:established,to_server; content:"User-Agent|3a|"; nocase; http_header; content:"|5C|"; http_header; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_header; pcre:"/User-Agent\:.*[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]+/iH"; classtype:bad-unknown; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; reference:url,doc.emergingthreats.net/2010722; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Backslash; sid:2010722; rev:6;)

Added 2011-02-04 17:30:21 UTC


# rev 4 - enabled (no leading '#'). Raw-payload match with no HTTP buffer modifiers: needs
# CRLF + "User-Agent:" and then a backslash within the next 200 bytes. That window can run
# past the User-Agent line into later headers; the pcre ('.' does not cross a newline) is
# what ties the backslash to the User-Agent value.
# The Citrix negation has no relative modifier, so it is checked against the whole payload.
# Change from rev 3: the first content no longer requires a space after the colon.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Inbound"; flow:established,to_server; content:"|0d 0a|User-Agent|3a|"; nocase; content:"|5C|"; within:200; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; pcre:"/User-Agent\:.*[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]+/i"; classtype:bad-unknown; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; reference:url,doc.emergingthreats.net/2010722; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Backslash; sid:2010722; rev:4;)

Added 2010-07-29 22:05:00 UTC


-- RussellFulton - 22 Aug 2010

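Sophos updates tickle this sig. In the request below, the backslash in u="sopappp01\SophosOSXUser" is followed by a letter, so the rule's pcre matches it, and the rule's only exclusion is the Citrix ICA Client string.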

GET /cidsync.upd HTTP/1.0
User-Agent: UA a="Mac" c="UOA194887" u="sopappp01\SophosOSXUser" v="1.0.20" 
Connection: close
Host: sophos.auckland.ac.nz

-- RussellFulton - 22 Aug 2010


# rev 4, second listing (same text and timestamp as the other rev 4 entry on this page).
# The pcre wants: "User-Agent:", any run of characters on that line, one character that is
# not a backslash, a backslash, then at least one character other than \ = / ; ( ).
# The Sophos request quoted above this entry satisfies that (...01\S...), which is the
# false positive reported there.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Inbound"; flow:established,to_server; content:"|0d 0a|User-Agent|3a|"; nocase; content:"|5C|"; within:200; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; pcre:"/User-Agent\:.*[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]+/i"; classtype:bad-unknown; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; reference:url,doc.emergingthreats.net/2010722; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Backslash; sid:2010722; rev:4;)

Added 2010-07-29 22:05:00 UTC


# rev 3 - enabled (no leading '#'). Raw-payload match. The first content needs
# CRLF + "User-Agent: " including the space after the colon, so a header written without
# that space does not satisfy it (rev 4 on this page drops the space).
# Change from rev 2: the colon in the pcre is written as '\:'. In PCRE that is still a
# literal colon, so the set of matching requests is unchanged.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Inbound"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; nocase; content:"|5C|"; within:200; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; pcre:"/User-Agent\:.*[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]+/i"; classtype:bad-unknown; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; reference:url,doc.emergingthreats.net/2010722; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Backslash; sid:2010722; rev:3;)

Added 2010-01-27 17:06:54 UTC


# rev 3, second listing (same text and timestamp as the other rev 3 entry on this page).
# Scope: classtype bad-unknown; traffic from $EXTERNAL_NET to $HOME_NET on $HTTP_PORTS with
# flow:established,to_server, i.e. requests arriving at servers inside $HOME_NET.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Inbound"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; nocase; content:"|5C|"; within:200; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; pcre:"/User-Agent\:.*[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]+/i"; classtype:bad-unknown; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; reference:url,doc.emergingthreats.net/2010722; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Backslash; sid:2010722; rev:3;)

Added 2010-01-27 17:06:54 UTC


# rev 2 - enabled (no leading '#'). Detection options are the same as rev 1; this revision
# only adds the doc.emergingthreats.net/2010722 and cvsweb reference URLs.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Inbound"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; nocase; content:"|5C|"; within:200; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; pcre:"/User-Agent:.*[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]+/i"; classtype:bad-unknown; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; reference:url,doc.emergingthreats.net/2010722; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Backslash; sid:2010722; rev:2;)

Added 2010-01-27 12:57:41 UTC


# rev 2, second listing (same text and timestamp as the other rev 2 entry on this page).
# nocase follows both the "User-Agent" content and the Citrix negation, and the pcre has
# the i flag, so the header name and the exclusion string are matched case-insensitively.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Inbound"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; nocase; content:"|5C|"; within:200; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; pcre:"/User-Agent:.*[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]+/i"; classtype:bad-unknown; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; reference:url,doc.emergingthreats.net/2010722; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Backslash; sid:2010722; rev:2;)

Added 2010-01-27 12:57:41 UTC


# rev 1 - earliest revision listed on this page; enabled (no leading '#').
# Flags requests to $HOME_NET on $HTTP_PORTS whose User-Agent line contains a backslash that
# is preceded by a non-backslash character and followed by something other than \ = / ; ( ).
# Payloads containing the string "\Citrix\ICA Client\" are excluded.
# References are the RFC 2616 section 14 page and an Amazon MWS User-Agent guide only.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Inbound"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; nocase; content:"|5C|"; within:200; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; pcre:"/User-Agent:.*[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]+/i"; classtype:bad-unknown; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; sid:2010722; rev:1;)

Added 2010-01-27 12:01:14 UTC


Topic revision: r3 - 2010-08-23 - RussellFulton