alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious User-Agent Containing .exe"; flow:to_server,established; content:".exe"; http_user_agent; fast_pattern:only; nocase; pcre:"/\.exe$/Vi"; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_user_agent; content:!"vsee.exe"; nocase; http_user_agent; content:!"CTX_"; http_uri; content:!"gfi.com|0d 0a|"; http_header; content:!"pandasoftware.com"; http_header; content:!"lnssatt.exe"; http_header; metadata: former_category POLICY; classtype:trojan-activity; sid:2013224; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Audit, created_at 2011_07_07, updated_at 2017_10_12;)

Added 2017-10-13 16:25:25 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious User-Agent Containing .exe"; flow:to_server,established; content:".exe"; http_user_agent; fast_pattern:only; nocase; pcre:"/\.exe$/Vi"; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_user_agent; content:!"vsee.exe"; nocase; http_user_agent; content:!"CTX_"; http_uri; content:!"gfi.com|0d 0a|"; http_header; content:!"pandasoftware.com"; http_header; content:!"lnssatt.exe"; http_header; metadata: former_category POLICY; classtype:trojan-activity; sid:2013224; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Audit, created_at 2011_07_07, updated_at 2017_10_12;)

Added 2017-10-12 16:20:33 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious User-Agent Containing .exe"; flow:to_server,established; content:".exe"; http_user_agent; fast_pattern:only; nocase; pcre:"/\.exe$/Vi"; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_user_agent; content:!"vsee.exe"; nocase; http_user_agent; content:!"CTX_"; http_uri; content:!"gfi.com|0d 0a|"; http_header; content:!"pandasoftware.com"; http_header; content:!"lnssatt.exe"; http_header; classtype:trojan-activity; sid:2013224; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_07_07, updated_at 2016_12_29;)

Added 2017-08-07 21:06:30 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious User-Agent Containing .exe"; flow:to_server,established; content:".exe"; http_user_agent; fast_pattern:only; nocase; pcre:"/\.exe$/Vi"; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_user_agent; content:!"vsee.exe"; nocase; http_user_agent; content:!"CTX_"; http_uri; content:!"gfi.com|0d 0a|"; http_header; content:!"pandasoftware.com"; http_header; content:!"lnssatt.exe"; http_header; classtype:trojan-activity; sid:2013224; rev:13;)

Added 2016-12-29 17:29:13 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious User-Agent Containing .exe"; flow:to_server,established; content:".exe"; http_user_agent; fast_pattern:only; nocase; pcre:"/\.exe$/Vi"; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_user_agent; content:!"vsee.exe"; nocase; http_user_agent; content:!"CTX_"; http_uri; content:!"update.gfi.com|0d 0a|"; http_header; content:!"pandasoftware.com"; http_header; content:!"lnssatt.exe"; http_header; classtype:trojan-activity; sid:2013224; rev:12;)

Added 2015-03-16 19:34:53 UTC

False positive for updated version of GFI Languard:

GET /lnsupdate/index.txt HTTP/1.1
User-Agent: lanss.exe
Host: software.gfi.com
Connection: Keep-Alive
Cache-Control: no-cache

[Full request URI: http://software.gfi.com/lnsupdate/index.txt] [HTTP request 1/1]

-- TrevorPedersen - 2016-08-10

Please update the rule.

Now the GFI update server is software.gfi.com; please change "update.gfi.com|0d 0a|" to ".gfi.com|0d 0a|".

-- MaksymParpaley - 2016-12-26

changing, thank you!

-- TravisGreen - 2016-12-29


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious User-Agent Containing .exe"; flow:to_server,established; content:".exe"; http_user_agent; fast_pattern:only; nocase; pcre:"/\.exe$/Vi"; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_user_agent; content:!"vsee.exe"; nocase; http_user_agent; content:!"CTX_"; http_uri; content:!"update.gfi.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2013224; rev:11;)

Added 2014-11-26 17:15:49 UTC

Looks like there are false positives with Panda Antivirus:

GET /connectiontest.html HTTP/1.1
User-Agent: C:\Program Files\Panda Security\WAC\PsCtrlS.exe
Host: proinfo.pandasoftware.com
Connection: Keep-Alive
Cache-Control: no-cache

-- DavidSchweikert - 2014-12-17

Getting multiple FPs on GFI Languard "User-Agent: lnssatt.exe" from legit update locations, a few examples:

GET /pub/mozilla.org//firefox/releases/36.0.1/win32/en-US/Firefox%20Setup%2036.0.1.exe HTTP/1.1
User-Agent: lnssatt.exe
Host: ftp.mozilla.org
Connection: Keep-Alive

GET /otn-pub/java/jdk/6u45-b06/jre-6u45-windows-x64.exe HTTP/1.1
User-Agent: lnssatt.exe
Host: download.oracle.com
Connection: Keep-Alive

GET /c/msdownload/update/software/secu/2015/02/excel-x-none_7981cfa80fe47dc6c3f54369bda29330fd90cafb.cab HTTP/1.1
User-Agent: lnssatt.exe
Host: download.windowsupdate.com
Connection: Keep-Alive
-- RyanStillions - 2015-03-16
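To make the negated content matches concrete, here is a small Python model of the rev:12 and rev:13 exclusion logic of this signature, run over the false-positive requests quoted in this thread and the one above it. This is an added example, not Emerging Threats' rule code or Suricata's matcher: it approximates the `http_user_agent` buffer as the bare header value and the `http_header` buffer as every header line with its CRLF (which is why `gfi.com|0d 0a|` only matches at the end of a header value), and the `unknown_exe` and `citrix_lowercase` samples are constructed here rather than taken from the page.

```python
import re
from dataclasses import dataclass


@dataclass
class HttpRequest:
    """A parsed client request: method, request URI and headers in wire order."""
    method: str
    uri: str
    headers: list  # list of (name, value) tuples

    def header_buffer(self) -> str:
        # Approximation of the http_header buffer: each header line plus CRLF.
        return "".join(f"{name}: {value}\r\n" for name, value in self.headers)

    def user_agent(self) -> str:
        # Approximation of the http_user_agent buffer: the value only, no CRLF.
        for name, value in self.headers:
            if name.lower() == "user-agent":
                return value
        return ""


# Exclusion strings copied from the signature text on this page, grouped by buffer.
# Only the two http_user_agent strings carry "nocase"; the others are case-sensitive.
UA_EXCLUSIONS_NOCASE = ["\\Citrix\\ICA Client\\", "vsee.exe"]
URI_EXCLUSIONS = ["CTX_"]
HEADER_EXCLUSIONS = {
    12: ["update.gfi.com\r\n", "pandasoftware.com", "lnssatt.exe"],
    13: ["gfi.com\r\n", "pandasoftware.com", "lnssatt.exe"],
}
UA_ENDS_WITH_EXE = re.compile(r"\.exe$", re.IGNORECASE)  # pcre:"/\.exe$/Vi"


def rule_fires(req: HttpRequest, rev: int = 13) -> bool:
    """True when the modelled revision of SID 2013224 would alert on req."""
    ua = req.user_agent()
    # Positive side: ".exe" somewhere in the UA (content, nocase) and at its end (pcre).
    if ".exe" not in ua.lower() or not UA_ENDS_WITH_EXE.search(ua):
        return False
    # Negated content matches: any hit suppresses the alert.
    if any(s.lower() in ua.lower() for s in UA_EXCLUSIONS_NOCASE):
        return False
    if any(s in req.uri for s in URI_EXCLUSIONS):
        return False
    if any(s in req.header_buffer() for s in HEADER_EXCLUSIONS[rev]):
        return False
    return True


# The first four samples are the requests quoted in the thread (vsee URI shortened);
# the last two are constructed to exercise the positive case and the nocase Citrix exclusion.
SAMPLES = {
    "panda": HttpRequest("GET", "/connectiontest.html", [
        ("User-Agent", r"C:\Program Files\Panda Security\WAC\PsCtrlS.exe"),
        ("Host", "proinfo.pandasoftware.com"),
        ("Connection", "Keep-Alive"),
    ]),
    "lnssatt_mozilla": HttpRequest(
        "GET", "/pub/mozilla.org//firefox/releases/36.0.1/win32/en-US/Firefox%20Setup%2036.0.1.exe",
        [("User-Agent", "lnssatt.exe"), ("Host", "ftp.mozilla.org"), ("Connection", "Keep-Alive")]),
    "lanss_software_gfi": HttpRequest("GET", "/lnsupdate/index.txt", [
        ("User-Agent", "lanss.exe"),
        ("Host", "software.gfi.com"),
        ("Connection", "Keep-Alive"),
    ]),
    "vsee": HttpRequest("GET", "/get/txt/6/522502640/1/480/", [
        ("User-Agent", "vsee.exe"),
        ("Host", "208.83.212.13"),
    ]),
    "unknown_exe": HttpRequest("GET", "/check", [          # constructed
        ("User-Agent", "updater.exe"),
        ("Host", "example.invalid"),
    ]),
    "citrix_lowercase": HttpRequest("GET", "/", [           # constructed
        ("User-Agent", r"c:\citrix\ica client\launcher.exe"),
        ("Host", "example.invalid"),
    ]),
}


def evaluate(rev: int = 13) -> dict:
    """Run every sample through the given revision; returns {sample name: fires}."""
    return {name: rule_fires(req, rev) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for rev in (12, 13):
        print(f"rev {rev}:", evaluate(rev))
```

Running it shows the point of the rev:13 change: the `lanss.exe` request to `software.gfi.com` still fires under rev:12 because the header buffer never contains `update.gfi.com\r\n`, and is suppressed under rev:13 where the broader `gfi.com\r\n` string matches the end of the Host line; the constructed `updater.exe` request fires under both, as intended.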


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Suspicious User-Agent Containing .exe"; flow:to_server,established; content:".exe|0d 0a|"; fast_pattern:only; http_header; nocase; pcre:"/User-Agent\x3a[^\n]+\.exe/iH"; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_header; content:!"vsee.exe|0d 0a|"; nocase; http_header; content:!"CTX_"; http_uri; classtype:trojan-activity; sid:2013224; rev:12;)

Added 2013-10-28 18:58:24 UTC

There seems to be a false positive with this event because of GFI and a license submission:

PCAP Header INFO:

POST /license/gfilanss.key HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: lanss.exe
Host: update.gfi.com
Content-Length: 2026
Connection: Keep-Alive
Cache-Control: no-cache

license=absC-s4sas-sAs5sm......

-- JosephS - 2014-11-25

Thanks, we'll get that fixed up for tomorrow's release!

-- DarienH - 2014-11-25


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Suspicious User-Agent Containing .exe"; flow:to_server,established; content:".exe|0d 0a|"; fast_pattern:only; http_header; nocase; pcre:"/User-Agent\x3a[^\n]+\.exe/iH"; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_header; content:!"vsee.exe|0d 0a|"; nocase; http_header; content:!"CTX_"; http_header; classtype:trojan-activity; sid:2013224; rev:7;)

Added 2013-10-24 19:56:23 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Suspicious User-Agent Containing .exe"; flow:to_server,established; content:".exe|0d 0a|"; fast_pattern:only; http_header; nocase; pcre:"/User-Agent\x3a[^\n]+\.exe/iH"; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_header; content:!"vsee.exe|0d 0a|"; nocase; http_header; classtype:trojan-activity; sid:2013224; rev:6;)

Added 2013-06-13 17:08:19 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Suspicious User-Agent Containing .exe"; flow:to_server,established; content:"User-Agent|3a|"; http_header; content:".exe|0d 0a|"; fast_pattern; http_header; within:50; pcre:"/User-Agent\x3a[^\n]+\.exe/iH"; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_header; content:!"vsee.exe|0d 0a|"; nocase; http_header; classtype:trojan-activity; sid:2013224; rev:5;)

Added 2011-10-12 19:36:23 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Suspicious User-Agent Containing .exe"; flow:to_server,established; content:"User-Agent|3a|"; http_header; content:".exe|0d 0a|"; fast_pattern; http_header; within:50; pcre:"/User-Agent\x3a[^\n]+\.exe/iH"; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_header; content:!"vsee.exe|0d 0a|"; nocase; http_header; classtype:trojan-activity; sid:2013224; rev:5;)

Added 2011-09-20 19:24:28 UTC

FP from GFI LanGuard Network Security Scanner activity:

GET /lnsupdate/index.txt HTTP/1.1
User-Agent: lnssatt.exe
Host: software.gfi.com
Connection: Keep-Alive

POST /license/gfilanss.key HTTP/1.0
Content-Type: application/x-www-form-urlencoded
User-Agent: lanss.exe
Host: update.gfi.com
Content-Length: 1598
Connection: Keep-Alive
Pragma: no-cache

-- JohnSnider - 22 Sep 2011


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Suspicious User-Agent Containing .exe"; flow:to_server,established; content:"User-Agent|3a|"; http_header; content:".exe|0d 0a|"; fast_pattern; http_header; within:50; pcre:"/User-Agent\x3a[^\n]+\.exe/iH"; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_header; classtype:trojan-activity; sid:2013224; rev:4;)

Added 2011-07-12 12:24:46 UTC

vsee video conferencing agent is triggering this:

GET /get/txt/6/522502640/1/480//wH7+gYAAAAAYJZZBB4AdSFzTjgAAAAAAAAAAAAAQAEBp6edUOA87q459V7607llAsmj5i8P3Jd5TozDwaqNA5G2JRfnJREQzppz5ilB4P2AkTg1HggnWHmN86R3I+DCIX8IFtL8aKPydOdHL4srinTkXzv20mh6wTVPAwIYiaDIIPJaMOMxSWfS+ULxgOEyenPgNG9tiMXQc4rB1qzyg7Cw8LgozTDgGRo8oUf333gb+QNQkCuFfA1Bz9aHG5wQmjgxQM7PTyyJLVowQNRH46lHGwfnp3NEBhqSWfl6YpH03zkdPfbV+sYijrG6Xx0EzQHG3Dj4L54eKJhv9udVPWdWawBitS9H7U2fPZa/uwPcQyoDIncFxImXcHHocnRUwlz2yfVzV3ydxmmv849SSN6EamZGs0QUYdAuRSm7D9nPGK6axuBkoG8JtHxwA8xgRgi2P4rkgGpMzR8pyYUlOUABAH8EAA== HTTP/1.1
Accept: /
User-Agent: vsee.exe
Host: 208.83.212.13
Connection: Keep-Alive
Cache-Control: no-cache

Possibly add new content string :

content:!"vsee.exe|0d 0a|"; nocase; http_header;

-- JohnSnider - 16 Sep 2011

We can do that, thanks John! Will be in the next update.

-- MattJonkman - 17 Sep 2011

Also get an FP from GFI LanGuard Network Security Scanner activity:

GET /lnsupdate/index.txt HTTP/1.1
User-Agent: lnssatt.exe
Host: software.gfi.com
Connection: Keep-Alive

POST /license/gfilanss.key HTTP/1.0
Content-Type: application/x-www-form-urlencoded
User-Agent: lanss.exe
Host: update.gfi.com
Content-Length: 1598
Connection: Keep-Alive
Pragma: no-cache

-- JohnSnider - 20 Sep 2011


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Suspicious User-Agent Containing .exe"; flow:to_server,established; content:"User-Agent|3a|"; http_header; content:".exe|0d 0a|"; fast_pattern; http_header; within:50; pcre:"/User-Agent\x3a[^\n]+\.exe/iH"; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_header; classtype:trojan-activity; sid:2013224; rev:4;)

Added 2011-07-11 15:32:47 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Suspicious User-Agent Containing .exe"; flow:to_server,established; content:"User-Agent|3a|"; http_header; content:".exe|0d 0a|"; fast_pattern; http_header; within:50; pcre:"/User-Agent\x3a[^\n]+\.exe/iH"; classtype:trojan-activity; sid:2013224; rev:3;)

Added 2011-07-07 22:34:10 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Suspicious User-Agent Containing .exe"; flow:to_server,established; content:"User-Agent|3a|"; http_header; content:".exe|0d 0a|"; fast_pattern; http_header; within:50; pcre:"/User-Agent\x3a[^\n]+\.exe/iH"; classtype:trojan-activity; sid:2013224; rev:3;)

Added 2011-07-07 21:27:00 UTC


Topic revision: r12 - 2016-12-29 - TravisGreen