alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Presto)"; flow:established,to_server; content:"User-Agent|3a| Opera/10.60 Presto/2.2.30"; http_header; content:!"Accept"; http_header; classtype:trojan-activity; sid:2012491; rev:7;)

Added 2011-10-12 19:34:29 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Presto)"; flow:established,to_server; content:"User-Agent|3a| Opera/10.60 Presto/2.2.30"; http_header; content:!"Accept"; http_header; classtype:trojan-activity; sid:2012491; rev:7;)

Added 2011-09-13 15:34:36 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Presto)"; flow:established,to_server; content:"User-Agent|3a| Opera/10.60 Presto/2.2.30"; http_header; content:!"Accept"; http_header; classtype:trojan-activity; sid:2012491; rev:7;)

Added 2011-09-13 14:14:49 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Spyeye Presto UA Download Request"; flow:established,to_server; content:"User-Agent|3a| Opera/10.60 Presto/2.2.30"; http_header; content:!"Accept"; http_header; classtype:trojan-activity; sid:2012491; rev:6;)

Added 2011-07-02 23:01:35 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Spyeye Presto UA Download Request"; flow:established,to_server; content:"User-Agent|3a| Opera/10.60 Presto/2.2.30"; http_header; content:!"Accept"; http_header; classtype:trojan-activity; sid:2012491; rev:6;)

Added 2011-07-02 01:12:34 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Spyeye Presto UA Download Request"; flow:established,to_server; content:"Opera/"; http_header; content:"Presto/"; http_header; content:!"Accept|3a| "; http_header; classtype:trojan-activity; sid:2012491; rev:3;)

Added 2011-06-30 23:31:13 UTC

False positives on requests with large Cookie value that overflow 1500 bytes, if the http_header check fails to cross packet boundaries for some reason (I'm looking into that; it may be Snort version-dependent). Please consider whether you can use Accept-Encoding: or Accept-Charset: instead. Opera places these before Cookie:, and Accept: after.

-- RichGraves - 01 Jul 2011
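The note above describes a detection edge case: rev 3 negates the literal `Accept: ` header, which sits after `Cookie:` in Opera's header order, so a request whose Cookie pushes `Accept:` past the bytes the engine inspects looks like a match. The following Python is an added illustration (not Emerging Threats' code and not Snort) that re-implements the rule's two `http_header` content checks as substring tests over constructed Opera-style header blocks, with an assumed 1500-byte cut-off standing in for the packet-boundary failure being described. The sample requests, the `Accept-Encoding:` alternative and the `false_positive_demo` helper are constructed for this example.

```python
"""Added illustration (not Emerging Threats' rule code and not Snort):
re-implements the two http_header content checks of sid:2012491 as plain
substring tests and runs them over constructed Opera-style request headers,
including the case where the inspected header buffer stops at 1500 bytes.
The 1500-byte cut-off is an assumption modelling the packet-boundary
failure described in the note above; the sample requests are constructed."""

PRESTO_UA = "User-Agent: Opera/10.60 Presto/2.2.30"

# Negated content strings, as written in the rule revisions on this page
# (|3a| is the hex escape for ':').
REV3_ABSENT = "Accept: "            # rev 3: content:!"Accept|3a| "
REV7_ABSENT = "Accept"              # rev 6/7: content:!"Accept"
# The alternative suggested in the note (hypothetical rule change).
SUGGESTED_ABSENT = "Accept-Encoding: "


def header_block(lines):
    """Join header lines the way they sit on the wire (CRLF).  The request
    line is left out because Snort's http_header buffer does not contain it."""
    return "\r\n".join(lines) + "\r\n"


def opera_request(cookie_len):
    """Constructed legitimate Opera request.  Per the note above, Opera sends
    Accept-Encoding: and Accept-Charset: before Cookie:, and Accept: after it."""
    return header_block([
        "Host: www.example.com",
        PRESTO_UA,
        "Accept-Encoding: gzip, deflate",
        "Accept-Charset: utf-8",
        "Cookie: session=" + "a" * cookie_len,
        "Accept: text/html, application/xml",
    ])


def bare_request():
    """Constructed request carrying the Presto User-Agent with no Accept*
    headers at all: the pattern the rule is meant to flag."""
    return header_block([
        "Host: www.example.com",
        PRESTO_UA,
    ])


def rule_fires(headers, absent, buffer_limit=None):
    """Mirror of the rule: the User-Agent content must be present and the
    negated content must be absent, both evaluated only over the bytes the
    engine actually inspects (optionally truncated at buffer_limit)."""
    seen = headers if buffer_limit is None else headers[:buffer_limit]
    return PRESTO_UA in seen and absent not in seen


def false_positive_demo(cookie_len=1600, buffer_limit=1500):
    """Return, per negated string, whether the rule fires on a legitimate
    Opera request whose Cookie pushes Accept: past the inspected buffer."""
    req = opera_request(cookie_len)
    return {
        name: rule_fires(req, absent, buffer_limit)
        for name, absent in (
            ("rev3_accept_colon", REV3_ABSENT),
            ("rev7_accept", REV7_ABSENT),
            ("suggested_accept_encoding", SUGGESTED_ABSENT),
        )
    }


if __name__ == "__main__":
    print("bare request fires (rev3):", rule_fires(bare_request(), REV3_ABSENT))
    print("legit request fires (rev3):", rule_fires(opera_request(20), REV3_ABSENT))
    print("truncated buffer:", false_positive_demo())
```

With the buffer cut at 1500 bytes, only the rev 3 string (`Accept: `) fires on the legitimate request; `Accept-Encoding:` sits before the Cookie and is still seen. The unanchored `Accept` of rev 6/7 is also satisfied by `Accept-Encoding:`, which is why the later revisions do not show the false positive in this model, at the cost of treating any header containing that substring as the absent-header evidence.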


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Spyeye Presto UA Download Request"; flow:established,to_server; content: "User-Agent|3a| Opera/10.60 Presto/2.2.30"; http_header; classtype:trojan-activity; sid:2012491; rev:2;)

Added 2011-03-12 13:00:47 UTC


Topic revision: r2 - 2011-07-01 - RichGraves
 