alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:50; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002153; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid: 2002153; rev:9;)
Added 2009-02-09 21:30:23 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:50; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002153; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid: 2002153; rev:9;)
Added 2009-02-09 21:30:23 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:50; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002153; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid: 2002153; rev:9;)
Added 2009-02-09 21:29:24 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:50; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002153; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid: 2002153; rev:9;)
Added 2009-02-09 21:29:24 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:50; nocase; classtype: trojan-activity; sid: 2002153; rev:8;)
Added 2008-05-09 17:01:40 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:50; nocase; classtype: trojan-activity; sid: 2002153; rev:8;)
Added 2008-05-09 17:01:40 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:30; nocase; classtype: trojan-activity; sid: 2002153; rev:7;)
Added 2008-02-01 14:32:22 UTC
False positives on legitimate software updates to:
http://home.exetel.com.au/oliverburn/ AKA
http://www.puppycrawl.com/
with:
User-Agent: Java/1.6.0_03
Host: home.exetel.com.au
(That User-Agent value contains no ".exe"; the match is apparently on the ".exe" inside the Host value "home.exetel.com.au", which still falls within the "within" byte window that follows "User-Agent:" and so spans into the next header line.)
and Quest Software's SQL database products:
http://www.quest.com/
with:
User-Agent: QINS.EXE
Host: www.quest.com
and:
User-Agent: QINS.EXE
Host: check-for-update.inside.quest.com
Added exclusions (suppressions tracked by destination IP):
suppress gen_id 1, sig_id 2002153, track by_dst, ip 220.233.0.13
suppress gen_id 1, sig_id 2002153, track by_dst, ip 12.106.87.32
suppress gen_id 1, sig_id 2002153, track by_dst, ip 12.106.87.43
--
MikeSchroll - 29 Feb 2008
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:30; nocase; classtype: trojan-activity; sid: 2002153; rev:7;)
Added 2008-02-01 14:32:22 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:30; nocase; classtype: trojan-activity; sid: 2002153; rev:6;)
Added 2008-01-28 17:24:19 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:30; nocase; classtype: trojan-activity; sid: 2002153; rev:6;)
Added 2008-01-28 17:24:19 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE EXE as User Agent - Potential Spyware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:20; nocase; classtype: trojan-activity; sid: 2002153; rev:5;)