alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Peach C++ Library User Agent Outbound"; flow:established,to_server; content:"User-Agent|3a| Peach"; nocase; http_header; content:!"Tree"; http_header; within:4; reference:url,www.useragentstring.com/pages/useragentstring.php; reference:url,www.useragentstring.com/Peach1.01_id_12276.php; classtype:attempted-recon; sid:2013056; rev:4; metadata:created_at 2011_06_17, updated_at 2011_06_17;)

Added 2017-08-07 21:06:17 UTC
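The two content matches of rev 4 above, emulated over sample header buffers as an added example (not part of the rule set or of this page's original content). It is a simplified reading that checks only the first occurrence of the positive match; the sample headers are constructed, and the mobile app value is the one from the comment on this page with the dots between tokens read as spaces (an assumption).

```python
# Simplified emulation of the rev 4 content logic for sid 2013056.
# This is not Suricata/Snort itself: only the first occurrence of the
# positive match is considered (assumption).

POSITIVE = b"User-Agent: Peach"  # content:"User-Agent|3a| Peach"; nocase;
NEGATED = b"Tree"                # content:!"Tree"; within:4;  (no nocase)
WITHIN = 4


def rev4_matches(http_header: bytes) -> bool:
    """Return True when the rev 4 content checks would alert on this buffer."""
    # nocase follows the first content only, so only that match is case-insensitive
    start = http_header.lower().find(POSITIVE.lower())
    if start == -1:
        return False
    end = start + len(POSITIVE)
    # within:4 restricts the negated search to the 4 bytes after the match
    window = http_header[end:end + WITHIN]
    return NEGATED not in window


SAMPLES = {
    "peach_library": b"User-Agent: Peach 1.01\r\n",          # constructed
    "peachtree": b"User-Agent: PeachTree Update\r\n",         # constructed
    "peachtree_lower": b"User-Agent: peachtree update\r\n",   # constructed
    # Value from the comment on this page, dots read as spaces (assumption)
    "peach_mobile_app":
        b"User-Agent: Peach/1.0.12 CFNetwork/758.3.11 Darwin/15.4.0\r\n",
    "unrelated": b"User-Agent: curl/8.0\r\n",                 # constructed
}


def classify(samples=SAMPLES):
    """Map each sample name to True (alert) or False (no alert)."""
    return {name: rev4_matches(hdr) for name, hdr in samples.items()}


if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{name:18} {'ALERT' if hit else 'no alert'}")
```

Under this reading the `Tree` exclusion is case-sensitive, and a `Peach/...` User-Agent still satisfies both checks.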


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Peach C++ Library User Agent Outbound"; flow:established,to_server; content:"User-Agent|3a| Peach"; nocase; http_header; content:!"User-Agent|3a| PeachTree"; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; reference:url,www.useragentstring.com/Peach1.01_id_12276.php; classtype:attempted-recon; sid:2013056; rev:3;)

Added 2011-10-12 19:35:51 UTC

This rule is triggering on use of the new Peach mobile app via the following:

.User-Agent:.Peach/1.0.12.CFNetwork/758.3.11.Darwin/15.4.0

-- KeithMcDuffee - 2016-01-28


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Peach C++ Library User Agent Outbound"; flow:established,to_server; content:"User-Agent|3a| Peach"; nocase; http_header; content:!"User-Agent|3a| PeachTree"; http_header; classtype:attempted-recon; reference:url,www.useragentstring.com/pages/useragentstring.php; reference:url,www.useragentstring.com/Peach1.01_id_12276.php; sid:2013056; rev:3;)

Added 2011-07-25 22:46:43 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Peach C++ Library User Agent Outbound"; flow:established,to_server; content:"User-Agent|3a| Peach"; nocase; http_header; classtype:attempted-recon; reference:url,www.useragentstring.com/pages/useragentstring.php; reference:url,www.useragentstring.com/Peach1.01_id_12276.php; sid:2013056; rev:2;)

Added 2011-06-17 13:31:11 UTC


Topic revision: r2 - 2016-01-28 - KeithMcDuffee
 
Copyright © Emerging Threats