alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Majestic12 User-Agent Request Outbound"; flow:established,to_server; content:"MJ12bot/"; http_header; classtype:trojan-activity; sid:2013256; rev:3; metadata:created_at 2011_07_12, updated_at 2011_07_12;)

Added 2017-08-07 21:06:32 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Majestic12 User-Agent Request Outbound"; flow:established,to_server; content:"MJ12bot/"; http_header; classtype:trojan-activity; sid:2013256; rev:3;)

Added 2015-06-19 16:26:43 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Majestic12 User-Agent Request Outbound"; flow:established,to_server; content:"MJ12bot/"; http_header; classtype:trojan-activity; sid:2013256; rev:2;)

Added 2011-10-12 19:36:27 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Majestic12 User-Agent Request Outbound"; flow:established,to_server; content:"MJ12bot/"; http_header; classtype:trojan-activity; sid:2013256; rev:2;)

Added 2011-07-19 09:37:54 UTC

How does one tell if this is a host in the Majestic12 network or a trojan? I'm getting a ton of hits from this.

-- ChrisLibby - 29 Jul 2011

Hi Chris. This one is outbound only, so unless you have known mj12 nodes internal in your home_net, you shouldn't see these go outbound.

If you're looking at the iso level or up then it is certainly possible these are real mj12 nodes and not bots masquerading...

-- MattJonkman - 29 Jul 2011
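Following the reply above (only known MJ12 nodes inside HOME_NET should produce this outbound alert), here is an added example, not part of the original thread or of Emerging Threats' own tooling, that groups alerts for this sid by internal source and separates allowlisted hosts from the rest. It assumes Suricata EVE JSON alert logging; the sample events, addresses, hostnames and the `known_nodes` allowlist are constructed for illustration.

```python
import json

SID = 2013256        # the rule documented on this page
MARKER = "MJ12bot/"  # the rule's content match

# Constructed sample events in Suricata EVE JSON form (assumed log format).
SAMPLE_EVE = [
    '{"event_type":"alert","src_ip":"10.0.5.20","alert":{"signature_id":2013256},'
    '"http":{"hostname":"a.example","http_user_agent":"Mozilla/5.0 (compatible; MJ12bot/v0.0)"}}',
    '{"event_type":"alert","src_ip":"10.0.5.20","alert":{"signature_id":2013256},'
    '"http":{"hostname":"b.example","http_user_agent":"Mozilla/5.0 (compatible; MJ12bot/v0.0)"}}',
    '{"event_type":"alert","src_ip":"10.0.9.77","alert":{"signature_id":2013256},'
    '"http":{"hostname":"c.example","http_user_agent":"Mozilla/5.0 (compatible; MJ12bot/v0.0)"}}',
    '{"event_type":"alert","src_ip":"10.0.9.78","alert":{"signature_id":2013256},'
    '"http":{"hostname":"d.example","http_user_agent":"curl/8.0"}}',
    '{"event_type":"alert","src_ip":"10.0.9.77","alert":{"signature_id":2100498}}',
    '{"event_type":"flow","src_ip":"10.0.9.77"}',
    'truncated {',
]

def triage(lines, known_nodes):
    """Summarise alerts for SID per internal source address."""
    hosts = {}
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(ev, dict) or ev.get("event_type") != "alert":
            continue
        if ev.get("alert", {}).get("signature_id") != SID:
            continue
        http = ev.get("http", {})
        src = ev.get("src_ip", "?")
        h = hosts.setdefault(src, {"known": src in known_nodes, "alerts": 0,
                                   "sites": set(), "marker_in_ua": True})
        h["alerts"] += 1
        h["sites"].add(http.get("hostname", "?"))
        # The rule matches anywhere in the headers; note if it was not the User-Agent.
        h["marker_in_ua"] &= MARKER in http.get("http_user_agent", "")
    return hosts

def unexpected(hosts):
    """Sources that alerted but are not on the known-node allowlist."""
    return sorted(ip for ip, h in hosts.items() if not h["known"])
```

Hosts returned by `unexpected()` are the ones to investigate; a false `marker_in_ua` means the string matched in some header other than the User-Agent.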


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Majestic12 User-Agent Request Outbound"; flow:established,to_server; content:"MJ12bot/"; http_header; classtype:trojan-activity; sid:2013256; rev:2;)

Added 2011-07-19 00:15:48 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Majestic12 UA Request Outbound"; flow:established,to_server; content:"MJ12bot/"; http_header; classtype:trojan-activity; sid:2013256; rev:1;)

Added 2011-07-12 14:29:59 UTC


Topic revision: r3 - 2011-07-29 - MattJonkman
 