alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 8 User-Agent"; flow: established,to_server; content:"Windows NT 8"; nocase; http_user_agent; fast_pattern:only; content:!"NOKIA"; nocase; http_user_agent; classtype:trojan-activity; sid:2015821; rev:4; metadata:created_at 2012_10_19, updated_at 2012_10_19;)

Added 2017-08-07 21:09:26 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Windows NT version 8 User-Agent"; flow: established,to_server; content:"Windows NT 8"; nocase; http_header; fast_pattern:only; content:!"NOKIA"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]+Windows NT 8/Hmi"; classtype:trojan-activity; sid:2015821; rev:2;)

Added 2014-04-03 17:50:46 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Windows NT version 8 User-Agent"; flow: established,to_server; content:"Windows NT 8"; nocase; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+Windows NT 8/Hmi"; classtype:trojan-activity; sid:2015821; rev:1;)

Added 2012-10-19 17:25:52 UTC
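The three revisions above differ in where the "Windows NT 8" match and the "NOKIA" negation are applied: rev 1 has no negation, rev 2 applies both to the whole http_header buffer, and rev 4 confines both to the http_user_agent buffer. The added script below (not part of the Emerging Threats rule or this page) emulates each revision's matching logic in Python and runs it over a handful of constructed HTTP requests; the NOKIA User-Agent is the false-positive string reported in the comments further down, the other requests are made up, and the header-buffer approximation (request headers minus the request line) is an assumption rather than Suricata's exact normalization. Windows 8 and 8.1 report themselves as "Windows NT 6.2" and "Windows NT 6.3", which is why a literal "Windows NT 8" is treated as suspicious.

```python
import re

# Constructed HTTP requests for illustration; they are not captured traffic.
# The NOKIA User-Agent is the one reported as a false positive in the comments
# on this page; the other three requests are made up.
SAMPLE_REQUESTS = {
    "nokia_lumia": (
        "GET / HTTP/1.1\r\nHost: example.com\r\n"
        "User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Microsoft Windows NT 8.0.10517.0; "
        "Trident/6.0; ARM; Touch; IEMobile/10.0; NOKIA; RM-915_nam_usa_228 IOAM/1.0)\r\n\r\n"
    ),
    # Hypothetical malware UA that claims a non-existent OS version.
    "bogus_nt8": (
        "GET /c2 HTTP/1.1\r\nHost: example.com\r\n"
        "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 8.0)\r\n\r\n"
    ),
    # Genuine Windows 8 identifies itself as NT 6.2, so no revision should fire.
    "real_win8": (
        "GET / HTTP/1.1\r\nHost: example.com\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n\r\n"
    ),
    # "NOKIA" appears in a different header, not in the User-Agent (hypothetical header).
    "nt8_nokia_elsewhere": (
        "GET / HTTP/1.1\r\nHost: example.com\r\n"
        "X-Requested-With: NOKIA-App\r\n"
        "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 8.0)\r\n\r\n"
    ),
}

# The pcre from rev 1 and rev 2: /^User-Agent\x3a[^\r\n]+Windows NT 8/Hmi
UA_PCRE = re.compile(r"^User-Agent\x3a[^\r\n]+Windows NT 8", re.IGNORECASE | re.MULTILINE)


def header_block(raw_request):
    """Approximate the http_header buffer: request headers with the request line removed."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    return head.split("\r\n", 1)[1] if "\r\n" in head else ""


def user_agent(raw_request):
    """Approximate the http_user_agent buffer: the User-Agent header value only."""
    m = re.search(r"^User-Agent:[ \t]*([^\r\n]*)", header_block(raw_request),
                  re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else ""


def rev1_matches(raw_request):
    """rev:1 - content:"Windows NT 8"; nocase; http_header; plus the pcre. No negation."""
    h = header_block(raw_request)
    return "windows nt 8" in h.lower() and UA_PCRE.search(h) is not None


def rev2_matches(raw_request):
    """rev:2 - rev 1 plus content:!"NOKIA"; nocase; http_header;
    The negation covers every header, not just User-Agent."""
    h = header_block(raw_request)
    return rev1_matches(raw_request) and "nokia" not in h.lower()


def rev4_matches(raw_request):
    """rev:4 - both content checks moved to the http_user_agent sticky buffer."""
    ua = user_agent(raw_request).lower()
    return "windows nt 8" in ua and "nokia" not in ua


def evaluate(requests=SAMPLE_REQUESTS):
    """Return {request name: {rev: fired?}} for every sample request."""
    return {
        name: {"rev1": rev1_matches(r), "rev2": rev2_matches(r), "rev4": rev4_matches(r)}
        for name, r in requests.items()
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:22s} {result}")
```

Running it shows the Nokia Lumia request firing only under rev 1, the made-up "Windows NT 8.0" request firing under all three, and the request with "NOKIA" in a non-UA header being suppressed by rev 2 but caught again by rev 4, which is the practical difference between negating on http_header and negating on http_user_agent.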

We have seen a number of FPs on this related to Nokia Phones. An example string is below:

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Microsoft Windows NT 8.0.10517.0; Trident/6.0; ARM; Touch; IEMobile/10.0; NOKIA; RM-915_nam_usa_228 IOAM/1.0)

-- JohnIves - 2014-03-06

Thank you John, we will investigate this. This rule is structured under the assumption that there is no authentic Windows NT 8, but if Nokia has begun using these UAs on their Windows Mobile 8 (NT) phones then a negation may be required on this rule.

-- DarienH - 2014-03-30


Topic revision: r3 - 2014-03-30 - DarienH
 