alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0|0d 0a|"; nocase; http_header; content:!"autodesk.com"; http_header; reference:url,doc.emergingthreats.net/2010908; classtype:trojan-activity; sid:2010908; rev:7;)

Added 2017-04-03 18:13:41 UTC


alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0|0d 0a|"; nocase; http_header; content:!"autodesk.com"; http_header; reference:url,doc.emergingthreats.net/2010908; classtype:trojan-activity; sid:2010908; rev:6;)

Added 2015-02-11 19:03:11 UTC

Need to be Excluded: motd.api.glympse.com gom.com

-- JanHartmann - 2015-04-01

This is an inbound rule; are you sure there isn't something suspicious going on? If you are seeing hits on this rule originating from clients inside your network, could you check to make sure your EXTERNAL_NET var is configured to exclude address space inside your HOME_NET? If it's not too much trouble, would you be able to provide me a pcap with example traffic? dhuss <at> emergingthreats.net

-- DarienH - 2015-04-01


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0|0d 0a|"; fast_pattern:5,20; nocase; http_header; reference:url,doc.emergingthreats.net/2010908; classtype:trojan-activity; sid:2010908; rev:6;)

Added 2011-12-15 18:09:45 UTC

This declares an alert when a malicious GET is sent, regardless of what happens after that. So this is a false positive if you use it on anything intentionally exposed to the public internet (because just because the bad guys sent me a horked User-Agent doesn't mean further bad things happened.)

-- RodneyThayer - 2014-06-18

This rule will actually work on POST/HEAD/etc. requests as well, and you are correct that seeing this does not necessarily mean all traffic from the external client is malicious. We do see a lot of malicious content utilizing this UA though, which is why this rule exists. If you are seeing a lot of false positives with the same or similar type of traffic, feel free to post a pcap here or send to dhuss -at- emergingthreats -dot- net and we can take a look to see if this needs to be modified!

-- DarienH - 2014-06-18
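Added example (not Emerging Threats' code and not part of this topic): a minimal Python re-implementation of what the rev 7 form of SID 2010908 evaluates, so the two points raised in the comments can be checked against sample requests. It reproduces the direction test (source in EXTERNAL_NET, destination in HOME_NET), the case-insensitive match on a User-Agent header that is exactly "Mozilla/5.0" followed by CRLF, and the negated "autodesk.com" header match. The HOME_NET range, the sample requests and the function names are constructed for the example; it ignores fast_pattern, stream reassembly and HTTP normalisation, so it is an illustration of the logic, not a replacement for the IDS.

```python
"""Toy evaluator for ET SID 2010908 rev 7 (added example, not ET code)."""
import ipaddress
from dataclasses import dataclass

# Constructed lab addressing: assumption for the example, not from the page.
HOME_NET = [ipaddress.ip_network("192.0.2.0/24")]

# content:"User-Agent|3a| Mozilla/5.0|0d 0a|"; nocase; http_header
UA_MATCH = b"user-agent: mozilla/5.0\r\n"
# content:!"autodesk.com"; http_header   (no nocase, so it is case-sensitive)
UA_EXCLUDE = b"autodesk.com"


def in_home_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def in_external_net(ip: str, external_net_is_any: bool) -> bool:
    """EXTERNAL_NET: any      -> every address, HOME_NET included.
    EXTERNAL_NET: !$HOME_NET  -> only addresses outside HOME_NET.
    The second form is the misconfiguration check DarienH asks about."""
    return True if external_net_is_any else not in_home_net(ip)


def http_header_buffer(raw_request: bytes) -> bytes:
    """Return the header block after the request line, including its final CRLF,
    which is roughly the buffer the http_header modifier inspects."""
    head, sep, _body = raw_request.partition(b"\r\n\r\n")
    if not sep:
        return b""  # incomplete header block: nothing to inspect yet
    _request_line, _, headers = head.partition(b"\r\n")
    return headers + b"\r\n"


@dataclass
class Verdict:
    alert: bool
    reason: str


def rule_2010908(src_ip: str, dst_ip: str, raw_request: bytes,
                 external_net_is_any: bool = False) -> Verdict:
    """Evaluate the rule's direction and content tests against one request."""
    if not in_home_net(dst_ip):
        return Verdict(False, "destination not in HOME_NET")
    if not in_external_net(src_ip, external_net_is_any):
        return Verdict(False, "source not in EXTERNAL_NET")
    hdr = http_header_buffer(raw_request)
    # nocase applies only to the positive content match
    if UA_MATCH not in hdr.lower():
        return Verdict(False, "User-Agent is not exactly 'Mozilla/5.0'")
    if UA_EXCLUDE in hdr:
        return Verdict(False, "autodesk.com present in headers (negated content)")
    # Method does not matter: GET, POST and HEAD all reach this point.
    return Verdict(True, "bare Mozilla/5.0 User-Agent inbound from EXTERNAL_NET")


# Constructed sample requests for the example.
BARE_UA = (b"GET /index.php HTTP/1.1\r\nHost: www.example.com\r\n"
           b"User-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n")
BROWSER_UA = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
              b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) "
              b"Gecko/20100101 Firefox/52.0\r\n\r\n")
AUTODESK_POST = (b"POST /api HTTP/1.1\r\nHost: something.autodesk.com\r\n"
                 b"User-Agent: Mozilla/5.0\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    cases = [
        ("external -> server, bare UA", "198.51.100.7", "192.0.2.10", BARE_UA, False),
        ("external -> server, real browser UA", "198.51.100.7", "192.0.2.10", BROWSER_UA, False),
        ("external -> server, autodesk host", "198.51.100.7", "192.0.2.10", AUTODESK_POST, False),
        ("internal -> server, EXTERNAL_NET=!$HOME_NET", "192.0.2.5", "192.0.2.10", BARE_UA, False),
        ("internal -> server, EXTERNAL_NET=any", "192.0.2.5", "192.0.2.10", BARE_UA, True),
    ]
    for label, src, dst, req, ext_any in cases:
        v = rule_2010908(src, dst, req, external_net_is_any=ext_any)
        print(f"{label}: alert={v.alert} ({v.reason})")
```

The last two cases show why DarienH asks about the EXTERNAL_NET variable: with EXTERNAL_NET left as "any", a request from one HOME_NET host to another satisfies the direction test and the rule fires on internal clients; with EXTERNAL_NET set to !$HOME_NET the same request is never evaluated. The browser case shows that an ordinary Firefox User-Agent, which continues after "Mozilla/5.0" with a space and platform details, does not match because the rule requires CRLF immediately after "5.0".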


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent Inbound Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0|0d 0a|"; fast_pattern:5,20; nocase; http_header; reference:url,doc.emergingthreats.net/2010908; classtype:trojan-activity; sid:2010908; rev:6;)

Added 2011-10-12 19:30:52 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent Inbound Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0|0d 0a|"; fast_pattern:5,20; nocase; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010908; sid:2010908; rev:6;)

Added 2011-04-26 18:47:17 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent Inbound - Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0|0d 0a|"; fast_pattern:5,20; nocase; http_header; classtype:trojan-activity; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_Agents_Suspicious; reference:url,doc.emergingthreats.net/2010908; sid:2010908; rev:5;)

Added 2011-02-04 17:30:35 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent Inbound - Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Mozilla/5.0|0d 0a|"; nocase; classtype:trojan-activity; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_Agents_Suspicious; reference:url,doc.emergingthreats.net/2010908; sid:2010908; rev:2;)

Added 2010-03-08 23:15:50 UTC


Topic revision: r5 - 2015-04-01 - DarienH