# sid:2013315 rev:10 - alerts on established, client-to-server HTTP traffic from
# $HOME_NET to $EXTERNAL_NET whose User-Agent header line is "Agent" followed by
# 5 or 6 digits and nothing else.
# content:"User-Agent|3a| Agent" (|3a| is ":") with http_header is the literal
# match; the pcre then confirms the whole header line.
# pcre flags: H = match in the HTTP header buffer, m = ^ and $ match at every
# line boundary, i = case-insensitive.
# "\r?$" accepts the line with or without a trailing CR; rev:9 on this page
# required the CR.
# NOTE(review): this is a generic User-Agent heuristic, not a family-specific
# indicator. The page carries a false-positive report dated 03 Oct 2011 against
# an earlier revision. Corroborate alerts with destination host and request
# context before treating the source host as infected.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Agent and 5 or 6 digits)"; flow:established,to_server; content:"User-Agent|3a| Agent"; http_header; pcre:"/^User-Agent\x3a Agent\d{5,6}\r?$/Hmi"; classtype:trojan-activity; sid:2013315; rev:10;)

Added 2012-05-23 22:04:27 UTC


# sid:2013315 rev:9 - same flow, content match and message as rev:10 on this
# page. The pcre is anchored to a full header line: ^ at line start, and "\r$"
# at line end under the m (multi-line) flag.
# The CR before end-of-line is mandatory here, so a User-Agent line that reaches
# the pcre without a CR does not match.
# NOTE(review): whether the inspected header buffer always keeps the CR depends
# on the engine - confirm. rev:10 makes the CR optional ("\r?$").
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Agent and 5 or 6 digits)"; flow:established,to_server; content:"User-Agent|3a| Agent"; http_header; pcre:"/^User-Agent\x3a Agent\d{5,6}\r$/Hmi"; classtype:trojan-activity; sid:2013315; rev:9;)

Added 2012-05-22 18:40:09 UTC


# sid:2013315 rev:6 - the msg changes from the malware-family name used in rev:4
# to the generic "Suspicious User-Agent" wording. The digit match narrows from
# \d\d\d+ (three or more digits) to \d{5,6}, followed by "$".
# There is no m flag, so "$" anchors to the end of the inspected buffer (or just
# before a final newline), not to the end of each header line.
# NOTE(review): that presumably limits matches to requests where User-Agent is
# the last header and no CR sits between the digits and the end - confirm
# against the engine. The later revisions on this page add ^, \r and the m flag.
# There is no ^ anchor either, so the pattern can also match inside a longer
# header name that ends in "User-Agent".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Agent and 5 or 6 digits)"; flow:established,to_server; content:"User-Agent|3a| Agent"; http_header; pcre:"/User-Agent\x3a Agent\d{5,6}$/Hi"; classtype:trojan-activity; sid:2013315; rev:6;)

Added 2011-11-16 19:57:12 UTC


# sid:2013315 rev:4 - the msg attributes the User-Agent to Win32.ADload.CF /
# Gamup.nb check-in traffic.
# The pcre \d\d\d+ requires "Agent" followed by three or more digits. It is
# unanchored at both ends, so any text may follow the digits and any User-Agent
# value that merely begins with "Agent" plus three digits matches.
# H = match in the HTTP header buffer, i = case-insensitive.
# NOTE(review): the false-positive report on this page (live.msn.com) is dated
# 03 Oct 2011. Of the revisions shown here, rev:4 is the latest one dated before
# that report.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.ADload.CF/Gamup.nb User-Agent at Checkin"; flow:established,to_server; content:"User-Agent|3a| Agent"; http_header; pcre:"/User-Agent\x3a Agent\d\d\d+/Hi"; classtype:trojan-activity; sid:2013315; rev:4;)

Added 2011-10-12 19:36:35 UTC


# sid:2013315 rev:4 - earliest entry on this page. The rule text is the same as
# the rev:4 entry dated 2011-10-12.
# It alerts on established, client-to-server HTTP traffic whose headers contain
# "User-Agent: Agent" followed by three or more digits (\d\d\d+).
# The pcre has no ^ or $ anchor, so trailing characters after the digits do not
# prevent a match. That makes this the broadest pattern of the revisions listed.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.ADload.CF/Gamup.nb User-Agent at Checkin"; flow:established,to_server; content:"User-Agent|3a| Agent"; http_header; pcre:"/User-Agent\x3a Agent\d\d\d+/Hi"; classtype:trojan-activity; sid:2013315; rev:4;)

Added 2011-07-27 00:56:51 UTC

This rule is subject to a range of false positives (FPs), including live.msn.com.

-- RussellFulton - 03 Oct 2011


Topic revision: r2 - 2011-10-03 - RussellFulton
 