alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Norton Update User-Agent (Install Stub)"; flow:to_server,established; content:"Install Stub"; http_user_agent; depth:12; content:"stats.norton.com|0d 0a|"; http_header; reference:url,threatexpert.com/reports.aspx?find=stats.norton.com; classtype:trojan-activity; sid:2013882; rev:5; metadata:created_at 2011_11_08, updated_at 2011_11_08;)

Added 2017-08-07 21:07:10 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Norton Update User-Agent (Install Stub)"; flow:to_server,established; content:"User-Agent|3a| Install Stub"; http_header; content:"stats.norton.com|0d 0a|"; http_header; reference:url,threatexpert.com/reports.aspx?find=stats.norton.com; classtype:trojan-activity; sid:2013882; rev:3;)

Added 2011-11-16 19:57:13 UTC

Documentation: This rule alerts about an unusual browser user-agent. It is possible that a trojan is masquerading as this agent to escape detection.

False Positives: A genuine request from a Norton product to an IP address that provides Norton products.

Analyst Response: Investigate the destination and source IP address to ensure the communication is legitimate. Ensure that the client host uses Norton products and that the queried host provides information or updates regarding Norton products.

-- MainNetavarkaSuraksa? - 2014-03-06


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Install Stub)"; flow:to_server,established; content:"User-Agent|3a| Install Stub"; http_header; reference:url,threatexpert.com/reports.aspx?find=stats.norton.com; classtype:trojan-activity; sid:2013882; rev:2;)

Added 2011-11-08 13:57:26 UTC
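The three revisions above differ in what they require of the request. As an added example (not part of the Emerging Threats rule set or of this page), the Python below approximates each revision's content matches over constructed requests and applies the Analyst Response check. The `NORTON_HOSTS` inventory, the sample requests and all function names are assumptions, and Suricata's buffer normalization is simplified to raw header bytes.

```python
# Added example: approximates the content matches of sid 2013882 rev 2, 3 and 5.
# Sample requests and the Norton host inventory are constructed for illustration.

def parse_request(raw: bytes):
    """Split a raw HTTP request into (header block, header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]            # drop the request line
    block = b"\r\n".join(lines) + b"\r\n"
    fields = {}
    for line in lines:
        name, _, value = line.partition(b":")
        fields[name.strip().lower()] = value.strip()
    return block, fields

def rev2(block, fields):
    # content:"User-Agent|3a| Install Stub"; http_header;
    return b"User-Agent: Install Stub" in block

def rev3(block, fields):
    # rev 2 plus content:"stats.norton.com|0d 0a|"; http_header;
    return rev2(block, fields) and b"stats.norton.com\r\n" in block

def rev5(block, fields):
    # content:"Install Stub"; http_user_agent; depth:12; -> UA must begin with it
    ua = fields.get(b"user-agent", b"")
    return b"Install Stub" in ua[:12] and b"stats.norton.com\r\n" in block

def matching_revs(raw):
    block, fields = parse_request(raw)
    return [n for n, f in ((2, rev2), (3, rev3), (5, rev5)) if f(block, fields)]

def triage(raw, src_ip, norton_hosts):
    """Analyst Response step: is the alerting client a known Norton host?"""
    if 5 not in matching_revs(raw):
        return "no-alert"
    return "expected" if src_ip in norton_hosts else "investigate"

def req(ua, host):
    return f"GET /n HTTP/1.1\r\nUser-Agent: {ua}\r\nHost: {host}\r\n\r\n".encode()

NORTON_HOSTS = {"10.0.0.5"}                    # constructed inventory
SAMPLES = {                                    # constructed requests
    "norton": req("Install Stub", "stats.norton.com"),
    "other_host": req("Install Stub", "example.test"),
    "browser": req("Mozilla/5.0", "stats.norton.com"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, matching_revs(raw), triage(raw, "10.0.0.9", NORTON_HOSTS))
```

The destination check from the Analyst Response (whether the queried host actually serves Norton content) is not modelled here and still needs to be done against the alert's destination IP.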


Topic revision: r3 - 2014-03-06 - PhilSchroeder
 
Copyright © Emerging Threats