# sid 2002400 rev 36, metadata updated_at 2020_08_31. Detection logic is the same
# as the rev 36 entries below; only the metadata keyword was consolidated.
# Match: "Microsoft Internet Explorer" must end within the first 28 bytes of the
# normalized User-Agent buffer (the string itself is 27 bytes).
# Exclusions: negated substring matches on the lowercase-normalized http_host
# buffer, unanchored, so any Host value that merely contains one of these strings
# (not only the listed domains) suppresses the alert -- the allow-list is wider
# than it reads. threshold caps output at 2 alerts per source per 360 s.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow:established,to_server; content:"Microsoft Internet Explorer"; depth:28; http_user_agent; content:!"bbc.co.uk"; http_host; content:!"vmware.com"; http_host; content:!"rc.itsupport247.net"; http_host; content:!"msn.com"; http_host; content:!"msn.es"; http_host; content:!"live.com"; http_host; content:!"gocyberlink.com"; http_host; content:!"ultraedit.com"; http_host; content:!"windowsupdate.com"; http_host; content:!"cyberlink.com"; http_host; content:!"lenovo.com"; http_host; content:!"itsupport247.net"; http_host; content:!"msn.co.uk"; http_host; content:!"support.weixin.qq.com"; http_host; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:36; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_08_31;)
Added 2020-08-31 18:09:15 UTC
# sid 2002400 rev 36, metadata updated_at 2019_08_13. Identical detection logic to
# the 2020_08_31 entry above; differs only in the metadata values.
# Note: "rc.itsupport247.net" is redundant once "itsupport247.net" is present,
# since the negated http_host match is a plain substring test.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow:established,to_server; content:"Microsoft Internet Explorer"; depth:28; http_user_agent; content:!"bbc.co.uk"; http_host; content:!"vmware.com"; http_host; content:!"rc.itsupport247.net"; http_host; content:!"msn.com"; http_host; content:!"msn.es"; http_host; content:!"live.com"; http_host; content:!"gocyberlink.com"; http_host; content:!"ultraedit.com"; http_host; content:!"windowsupdate.com"; http_host; content:!"cyberlink.com"; http_host; content:!"lenovo.com"; http_host; content:!"itsupport247.net"; http_host; content:!"msn.co.uk"; http_host; content:!"support.weixin.qq.com"; http_host; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:36; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2019_08_13;)
Added 2020-08-05 19:01:39 UTC
# sid 2002400 rev 36 with former_category HUNTING. Same detection logic as the
# entries above; this revision carries two separate metadata keywords
# (former_category, then created_at/updated_at), later merged into one.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow:established,to_server; content:"Microsoft Internet Explorer"; depth:28; http_user_agent; content:!"bbc.co.uk"; http_host; content:!"vmware.com"; http_host; content:!"rc.itsupport247.net"; http_host; content:!"msn.com"; http_host; content:!"msn.es"; http_host; content:!"live.com"; http_host; content:!"gocyberlink.com"; http_host; content:!"ultraedit.com"; http_host; content:!"windowsupdate.com"; http_host; content:!"cyberlink.com"; http_host; content:!"lenovo.com"; http_host; content:!"itsupport247.net"; http_host; content:!"msn.co.uk"; http_host; content:!"support.weixin.qq.com"; http_host; threshold:type limit, track by_src, count 2, seconds 360; metadata: former_category HUNTING; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:36; metadata:created_at 2010_07_30, updated_at 2019_08_13;)
Added 2019-10-09 19:08:39 UTC
# sid 2002400 rev 36, first rev 36 text: adds the "support.weixin.qq.com" http_host
# exclusion relative to rev 35 below. former_category still reads USER_AGENTS here;
# the following entry changes it to HUNTING without a rev bump.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow:established,to_server; content:"Microsoft Internet Explorer"; depth:28; http_user_agent; content:!"bbc.co.uk"; http_host; content:!"vmware.com"; http_host; content:!"rc.itsupport247.net"; http_host; content:!"msn.com"; http_host; content:!"msn.es"; http_host; content:!"live.com"; http_host; content:!"gocyberlink.com"; http_host; content:!"ultraedit.com"; http_host; content:!"windowsupdate.com"; http_host; content:!"cyberlink.com"; http_host; content:!"lenovo.com"; http_host; content:!"itsupport247.net"; http_host; content:!"msn.co.uk"; http_host; content:!"support.weixin.qq.com"; http_host; threshold:type limit, track by_src, count 2, seconds 360; metadata: former_category USER_AGENTS; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:36; metadata:created_at 2010_07_30, updated_at 2019_08_13;)
Added 2019-08-13 19:54:22 UTC
# sid 2002400 rev 35 (metadata updated_at 2017_11_29). Relative to rev 34 below,
# the exclusions move from raw http_header substrings with "|0d 0a|" anchors to the
# normalized http_host buffer, which removes the case-sensitivity inconsistencies
# of rev 34 (http_host is lowercase-normalized, so nocase is not needed).
# Exclusion matching is still unanchored substring, see the rev 36 notes above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow:established,to_server; content:"Microsoft Internet Explorer"; depth:28; http_user_agent; content:!"bbc.co.uk"; http_host; content:!"vmware.com"; http_host; content:!"rc.itsupport247.net"; http_host; content:!"msn.com"; http_host; content:!"msn.es"; http_host; content:!"live.com"; http_host; content:!"gocyberlink.com"; http_host; content:!"ultraedit.com"; http_host; content:!"windowsupdate.com"; http_host; content:!"cyberlink.com"; http_host; content:!"lenovo.com"; http_host; content:!"itsupport247.net"; http_host; content:!"msn.co.uk"; http_host; threshold:type limit, track by_src, count 2, seconds 360; metadata: former_category USER_AGENTS; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:35; metadata:created_at 2010_07_30, updated_at 2017_11_29;)
Added 2018-09-13 19:37:54 UTC
Added 2018-09-13 17:52:46 UTC
# sid 2002400 rev 35, first publication of this text (2017-11-29). Byte-identical
# to the rev 35 entry above; the comment thread that follows reports a false
# positive on a sony.net host that this exclusion list does not cover.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow:established,to_server; content:"Microsoft Internet Explorer"; depth:28; http_user_agent; content:!"bbc.co.uk"; http_host; content:!"vmware.com"; http_host; content:!"rc.itsupport247.net"; http_host; content:!"msn.com"; http_host; content:!"msn.es"; http_host; content:!"live.com"; http_host; content:!"gocyberlink.com"; http_host; content:!"ultraedit.com"; http_host; content:!"windowsupdate.com"; http_host; content:!"cyberlink.com"; http_host; content:!"lenovo.com"; http_host; content:!"itsupport247.net"; http_host; content:!"msn.co.uk"; http_host; threshold:type limit, track by_src, count 2, seconds 360; metadata: former_category USER_AGENTS; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:35; metadata:created_at 2010_07_30, updated_at 2017_11_29;)
Added 2017-11-29 16:44:46 UTC
Seeing possible false positive on sony.net:
Host: sonicstage.update.sony.net
Url: /podcasting/so/en/recommended_opml.xml
Content-Type: text/html
User-Agent: Microsoft Internet Explorer
https://www.virustotal.com/#/url/9c4946a5fd5dd8f5b27a0c2354ed0162832f721ab7354e1cbfc0bd6261467c05/detection
--
JonBelanger - 2017-12-21
# sid 2002400 rev 34 with metadata added (updated_at 2017_01_04); detection text is
# identical to the two rev 34 entries below.
# Exclusions are negated http_header substrings and are applied inconsistently:
# most carry a "|0d 0a|" end-of-line anchor and nocase, "msn.co.uk|0d 0a|" has the
# anchor but no nocase, and "windowsupdate.com", "cyberlink.com", "lenovo.com" have
# neither. Host values are case-insensitive in practice, so a differently cased
# Host header would not be excluded by the case-sensitive entries (false positive),
# and the unanchored entries match anywhere in any request header, not just Host.
# The http_host rewrite in rev 35 above resolves both inconsistencies.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"Microsoft Internet Explorer"; depth:28; http_user_agent; content:!"bbc.co.uk|0d 0a|"; nocase; http_header; content:!"vmware.com|0d 0a|"; nocase; http_header; content:!"rc.itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.com|0d 0a|"; nocase; http_header; content:!"msn.es|0d 0a|"; nocase; http_header; content:!"live.com|0d 0a|"; nocase; http_header; content:!"gocyberlink.com|0d 0a|"; nocase; http_header; content:!"ultraedit.com|0d 0a|"; nocase; http_header; content:!"windowsupdate.com"; http_header; content:!"cyberlink.com"; http_header; content:!"lenovo.com"; http_header; content:!"itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.co.uk|0d 0a|"; http_header; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:34; metadata:created_at 2010_07_30, updated_at 2017_01_04;)
Added 2017-08-07 20:55:56 UTC
# sid 2002400 rev 34, duplicate of the entry below (same text, re-added 2017-03-20).
# No metadata keyword yet; see the rev 34 note above for the nocase/anchor
# inconsistencies in this exclusion list.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"Microsoft Internet Explorer"; depth:28; http_user_agent; content:!"bbc.co.uk|0d 0a|"; nocase; http_header; content:!"vmware.com|0d 0a|"; nocase; http_header; content:!"rc.itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.com|0d 0a|"; nocase; http_header; content:!"msn.es|0d 0a|"; nocase; http_header; content:!"live.com|0d 0a|"; nocase; http_header; content:!"gocyberlink.com|0d 0a|"; nocase; http_header; content:!"ultraedit.com|0d 0a|"; nocase; http_header; content:!"windowsupdate.com"; http_header; content:!"cyberlink.com"; http_header; content:!"lenovo.com"; http_header; content:!"itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.co.uk|0d 0a|"; http_header; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:34;)
Added 2017-03-20 19:16:54 UTC
# sid 2002400 rev 34, first publication (2017-03-16): adds the "msn.co.uk|0d 0a|"
# exclusion requested in the comment thread below. Unlike the other anchored
# entries it was added without nocase, so only an exact lowercase Host matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"Microsoft Internet Explorer"; depth:28; http_user_agent; content:!"bbc.co.uk|0d 0a|"; nocase; http_header; content:!"vmware.com|0d 0a|"; nocase; http_header; content:!"rc.itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.com|0d 0a|"; nocase; http_header; content:!"msn.es|0d 0a|"; nocase; http_header; content:!"live.com|0d 0a|"; nocase; http_header; content:!"gocyberlink.com|0d 0a|"; nocase; http_header; content:!"ultraedit.com|0d 0a|"; nocase; http_header; content:!"windowsupdate.com"; http_header; content:!"cyberlink.com"; http_header; content:!"lenovo.com"; http_header; content:!"itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.co.uk|0d 0a|"; http_header; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:34;)
Added 2017-03-16 22:26:32 UTC
# sid 2002400 rev 33 (2017-01-04): adds "itsupport247.net|0d 0a|" to cover all
# subdomains reported in the thread below; the narrower "rc.itsupport247.net"
# entry is kept and is now redundant. The msn.co.uk false positive raised next in
# the thread is not yet covered here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"Microsoft Internet Explorer"; depth:28; http_user_agent; content:!"bbc.co.uk|0d 0a|"; nocase; http_header; content:!"vmware.com|0d 0a|"; nocase; http_header; content:!"rc.itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.com|0d 0a|"; nocase; http_header; content:!"msn.es|0d 0a|"; nocase; http_header; content:!"live.com|0d 0a|"; nocase; http_header; content:!"gocyberlink.com|0d 0a|"; nocase; http_header; content:!"ultraedit.com|0d 0a|"; nocase; http_header; content:!"windowsupdate.com"; http_header; content:!"cyberlink.com"; http_header; content:!"lenovo.com"; http_header; content:!"itsupport247.net|0d 0a|"; nocase; http_header; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:33;)
Added 2017-01-04 17:01:20 UTC
We are getting false positives on msn.co.uk. It should also be added to the exclusion list, as mentioned before.
--
BenoitSevens - 2017-03-16
This will be fixed today, thanks!
--
DarienH - 2017-03-16
# sid 2002400 rev 32 (2015-12-04): adds "windowsupdate.com", "cyberlink.com" and
# "lenovo.com" relative to rev 31 below. These three were added without the
# "|0d 0a|" anchor and without nocase, unlike every earlier exclusion, so they
# match case-sensitively anywhere in the request headers.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"Microsoft Internet Explorer"; depth:28; http_user_agent; content:!"bbc.co.uk|0d 0a|"; nocase; http_header; content:!"vmware.com|0d 0a|"; nocase; http_header; content:!"rc.itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.com|0d 0a|"; nocase; http_header; content:!"msn.es|0d 0a|"; nocase; http_header; content:!"live.com|0d 0a|"; nocase; http_header; content:!"gocyberlink.com|0d 0a|"; nocase; http_header; content:!"ultraedit.com|0d 0a|"; nocase; http_header; content:!"windowsupdate.com"; http_header; content:!"cyberlink.com"; http_header; content:!"lenovo.com"; http_header; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:32;)
Added 2015-12-04 17:45:19 UTC
This alert triggers often for various itsupport247.net subdomains.
e.g.
(1) dumps.itsupport247.net
(2) xpwp.itsupport247.net
(3) update.itsupport247.net
(4) update1.itsupport247.net
(5) wpmsupth.itsupport247.net
Suggest removing: content:!"rc.itsupport247.net|0d 0a|"
and replacing with: content:!"itsupport247.net|0d 0a|"
I figure other folks may have the same issue, and there could also be other itsupport247.net subdomains that I'm not seeing yet.
--
AmandaDeason - 2016-12-06
Hello.
We are also observing a huge number of false positives for that rule.
A lot of our clients are using software developed by Continuum Managed Services. Short information about the company: Continuum is the IT management platform company that allows Managed IT Services Providers (MSPs) to maintain and back up on-premise and cloud-based servers, desktops, mobile devices and other endpoints for their small- and medium-sized business clients. We are a channel-exclusive provider of managed IT services, which means we succeed when our partners do. Our growth is YOUR growth.
They have several products (for support and management). This software often connects to different *.itsupport247.net remote resources.
Dear ET, please consider modifying the rule. Please see Amanda Deason's suggestion above: content:!"itsupport247.net|0d 0a|";nocase; http_header;
--
MaksymParpaley - 2017-01-04
Thanks for the feedback, we'll get this fixed today!
--
DarienH - 2017-01-04
# sid 2002400 rev 31, duplicate of the entry below (same text, re-added the same
# day). The 2016-12 comment thread above documents the *.itsupport247.net false
# positives that this revision's "rc.itsupport247.net" exclusion does not cover.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"Microsoft Internet Explorer"; depth:28; http_user_agent; content:!"bbc.co.uk|0d 0a|"; nocase; http_header; content:!"vmware.com|0d 0a|"; nocase; http_header; content:!"rc.itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.com|0d 0a|"; nocase; http_header; content:!"msn.es|0d 0a|"; nocase; http_header; content:!"live.com|0d 0a|"; nocase; http_header; content:!"gocyberlink.com|0d 0a|"; nocase; http_header; content:!"ultraedit.com|0d 0a|"; nocase; http_header; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:31;)
Added 2015-04-01 17:33:52 UTC
# sid 2002400 rev 31 (2015-04-01): adds the "ultraedit.com|0d 0a|" exclusion
# relative to rev 30 below, matching the "Excluded: ultraedit.com" comment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"Microsoft Internet Explorer"; depth:28; http_user_agent; content:!"bbc.co.uk|0d 0a|"; nocase; http_header; content:!"vmware.com|0d 0a|"; nocase; http_header; content:!"rc.itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.com|0d 0a|"; nocase; http_header; content:!"msn.es|0d 0a|"; nocase; http_header; content:!"live.com|0d 0a|"; nocase; http_header; content:!"gocyberlink.com|0d 0a|"; nocase; http_header; content:!"ultraedit.com|0d 0a|"; nocase; http_header; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:31;)
Added 2015-04-01 13:00:00 UTC
Excluded: "ultraedit.com"
--
JanHartmann - 2015-04-01
# sid 2002400 rev 30 (2014-07-28). Two changes relative to rev 29 below:
#  - the rule becomes "alert http ... any" and matches the UA string in the
#    http_user_agent buffer (depth:28) instead of a raw "User-Agent|3a| ..." header
#    match on $HTTP_PORTS, so it no longer depends on the port list;
#  - adds "gocyberlink.com|0d 0a|" as requested in the thread below (the request
#    named liveupdate.gocyberlink.com; the broader parent domain was used).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"Microsoft Internet Explorer"; depth:28; http_user_agent; content:!"bbc.co.uk|0d 0a|"; nocase; http_header; content:!"vmware.com|0d 0a|"; nocase; http_header; content:!"rc.itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.com|0d 0a|"; nocase; http_header; content:!"msn.es|0d 0a|"; nocase; http_header; content:!"live.com|0d 0a|"; nocase; http_header; content:!"gocyberlink.com|0d 0a|"; nocase; http_header; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:30;)
Added 2014-07-28 18:08:35 UTC
# sid 2002400 rev 29 (2012-01-18). Relative to rev 26 below: re-adds msn.com and
# live.com, adds msn.es and rc.itsupport247.net, and anchors every exclusion with
# "|0d 0a|" so it must end at the end of a header line (i.e. match a full Host
# value suffix, not a substring inside another header).
# fast_pattern:11,25 restricts the multi-pattern prefilter to a 25-byte slice of
# the UA content starting at offset 11, skipping the common "User-Agent|3a|" prefix.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; fast_pattern:11,25; http_header; content:!"bbc.co.uk|0d 0a|"; nocase; http_header; content:!"vmware.com|0d 0a|"; nocase; http_header; content:!"rc.itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.com|0d 0a|"; nocase; http_header; content:!"msn.es|0d 0a|"; nocase; http_header; content:!"live.com|0d 0a|"; nocase; http_header; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:29;)
Added 2012-01-18 17:58:28 UTC
msn.co.uk also needs adding to the defeats (exclusion list).
--
MattNewham - 31 Dec 2012
Also needs content:!"liveupdate.gocyberlink.com|0d 0a|"; nocase; http_header; for
PowerDVD updates
--
ChriV - 2014-07-28
Thanks, an update for this will go out today!
--
DarienH - 2014-07-28
# sid 2002400 rev 26, third entry (2011-10-12): drops the cvsweb reference and moves
# classtype after the reference. Detection text is unchanged from the two rev 26
# entries below; note that the rule text changed three times without a rev bump,
# which defeats rev-based change tracking on the sensor side.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; content:!"bbc.co.uk"; nocase; http_header; content:!"vmware.com"; nocase; http_header; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:26;)
Added 2011-10-12 19:11:36 UTC
# sid 2002400 rev 26, second entry (2011-09-14): identical to the entry below minus
# the www.emergingthreats.net cvsweb reference. rev not bumped.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; content:!"bbc.co.uk"; nocase; http_header; content:!"vmware.com"; nocase; http_header; threshold:type limit, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; sid:2002400; rev:26;)
Added 2011-09-14 21:39:16 UTC
# sid 2002400 rev 26 (2011-08-24): the exclusion list shrinks from seven entries in
# rev 25 below to just bbc.co.uk and vmware.com, so the microsoft.com, msn.com,
# msnbc.com, .live.com and .msn.es hosts alert again until rev 29 re-adds some.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; content:!"bbc.co.uk"; nocase; http_header; content:!"vmware.com"; nocase; http_header; threshold:type limit, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:26;)
Added 2011-08-24 16:56:00 UTC
# sid 2002400 rev 25, fifth identical entry (2011-05-02 14:42). See the first rev 25
# entry below for the change description.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; content:!"bbc.co.uk"; nocase; http_header; content:!"microsoft.com"; nocase; http_header; content:!"vmware.com"; nocase; http_header; content:!"msn.com"; nocase; http_header; content:!"msnbc.com"; nocase; http_header; content:!".live.com"; nocase; http_header; content:!".msn.es"; nocase; http_header;threshold:type limit, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:25;)
Added 2011-05-02 14:42:51 UTC
# sid 2002400 rev 25, fourth identical entry (2011-05-02 14:23).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; content:!"bbc.co.uk"; nocase; http_header; content:!"microsoft.com"; nocase; http_header; content:!"vmware.com"; nocase; http_header; content:!"msn.com"; nocase; http_header; content:!"msnbc.com"; nocase; http_header; content:!".live.com"; nocase; http_header; content:!".msn.es"; nocase; http_header;threshold:type limit, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:25;)
Added 2011-05-02 14:23:35 UTC
# sid 2002400 rev 25, third identical entry (2011-05-02 14:04).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; content:!"bbc.co.uk"; nocase; http_header; content:!"microsoft.com"; nocase; http_header; content:!"vmware.com"; nocase; http_header; content:!"msn.com"; nocase; http_header; content:!"msnbc.com"; nocase; http_header; content:!".live.com"; nocase; http_header; content:!".msn.es"; nocase; http_header;threshold:type limit, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:25;)
Added 2011-05-02 14:04:13 UTC
# sid 2002400 rev 25, second identical entry (2011-05-01).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; content:!"bbc.co.uk"; nocase; http_header; content:!"microsoft.com"; nocase; http_header; content:!"vmware.com"; nocase; http_header; content:!"msn.com"; nocase; http_header; content:!"msnbc.com"; nocase; http_header; content:!".live.com"; nocase; http_header; content:!".msn.es"; nocase; http_header;threshold:type limit, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:25;)
Added 2011-05-01 20:54:00 UTC
# sid 2002400 rev 25 (2011-04-29): adds the ".msn.es" exclusion relative to rev 24
# below. Only ".live.com" and ".msn.es" carry a leading dot; the other entries match
# the bare domain string anywhere in the header buffer. The missing space in
# "http_header;threshold" is cosmetic. Published five times with identical text.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; content:!"bbc.co.uk"; nocase; http_header; content:!"microsoft.com"; nocase; http_header; content:!"vmware.com"; nocase; http_header; content:!"msn.com"; nocase; http_header; content:!"msnbc.com"; nocase; http_header; content:!".live.com"; nocase; http_header; content:!".msn.es"; nocase; http_header;threshold:type limit, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:25;)
Added 2011-04-29 17:39:43 UTC
# sid 2002400 rev 24 (2011-02-04). Relative to rev 21 below, every content match
# gains the http_header modifier, so both the UA match and the negated exclusions
# are evaluated against the normalized HTTP request headers rather than the raw
# TCP payload; the "\:" escape becomes "|3a|" hex notation.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; content:!"bbc.co.uk"; nocase; http_header; content:!"microsoft.com"; nocase; http_header; content:!"vmware.com"; nocase; http_header; content:!"msn.com"; nocase; http_header; content:!"msnbc.com"; nocase; http_header; content:!".live.com"; nocase; http_header; threshold:type limit, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:24;)
Added 2011-02-04 17:21:49 UTC
# sid 2002400 rev 21, duplicate entry (same timestamp as the one below).
# No http_* modifiers: the UA string and the negated exclusions are matched against
# the whole payload, so an excluded string appearing anywhere in the request (URI,
# Referer, body) suppresses the alert, not just one appearing in the Host header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!"vmware.com"; nocase; content:!"msn.com"; nocase; content:!"msnbc.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:21;)
Added 2010-03-01 14:15:48 UTC
# sid 2002400 rev 21 (2010-03-01): drops the "reference:url,www.topinstalls.com"
# entry present in rev 20 below; detection content is otherwise unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!"vmware.com"; nocase; content:!"msn.com"; nocase; content:!"msnbc.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:21;)
Added 2010-03-01 14:15:48 UTC
# sid 2002400 rev 20, duplicate entry (same timestamp as the one below).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!"vmware.com"; nocase; content:!"msn.com"; nocase; content:!"msnbc.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:20;)
Added 2009-12-22 14:30:46 UTC
# sid 2002400 rev 20 (2009-12-22): the vmware exclusion is widened from ".vmware.com"
# in rev 19 below to "vmware.com", so the bare apex host is also excluded.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!"vmware.com"; nocase; content:!"msn.com"; nocase; content:!"msnbc.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:20;)
Added 2009-12-22 14:30:46 UTC
# sid 2002400 rev 19, duplicate entry (same timestamp as the one below).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!".vmware.com"; nocase; content:!"msn.com"; nocase; content:!"msnbc.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:19;)
Added 2009-10-19 09:15:43 UTC
# sid 2002400 rev 19 (2009-10-19): category rename only. msg prefix changes from
# "ET MALWARE" (rev 17 below) to "ET USER_AGENTS" and the cvsweb reference path
# follows; detection content is unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!".vmware.com"; nocase; content:!"msn.com"; nocase; content:!"msnbc.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:19;)
Added 2009-10-19 09:15:43 UTC
# sid 2002400 rev 17, duplicate entry (same timestamp as the one below).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!".vmware.com"; nocase; content:!"msn.com"; nocase; content:!"msnbc.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2002400; rev:17;)
Added 2009-09-29 15:45:36 UTC
# sid 2002400 rev 17 (2009-09-29): adds the "msnbc.com" exclusion relative to
# rev 16 below. Still a raw-payload rule (no http_* modifiers).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!".vmware.com"; nocase; content:!"msn.com"; nocase; content:!"msnbc.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2002400; rev:17;)
Added 2009-09-29 15:45:36 UTC
# sid 2002400 rev 16, fourth identical entry (2009-02-09 21:30).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!".vmware.com"; nocase; content:!"msn.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2002400; rev:16;)
Added 2009-02-09 21:30:23 UTC
# sid 2002400 rev 16, third identical entry (2009-02-09 21:30).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!".vmware.com"; nocase; content:!"msn.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2002400; rev:16;)
Added 2009-02-09 21:30:23 UTC
# sid 2002400 rev 16, second identical entry (2009-02-09 21:29).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!".vmware.com"; nocase; content:!"msn.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2002400; rev:16;)
Added 2009-02-09 21:29:24 UTC
# sid 2002400 rev 16 (2009-02-09): adds the doc.emergingthreats.net and cvsweb
# reference URLs relative to rev 15 below; detection content is unchanged.
# Published four times with identical text.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!".vmware.com"; nocase; content:!"msn.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2002400; rev:16;)
Added 2009-02-09 21:29:24 UTC
# sid 2002400 rev 15, duplicate entry (same timestamp as the one below).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!".vmware.com"; nocase; content:!"msn.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; sid:2002400; rev:15;)
Added 2008-12-02 16:30:22 UTC
# sid 2002400 rev:15 (re-listed entry, text identical to the other rev:15 rule dated 2008-12-02).
# Single case-sensitive content trigger; nocase unbuffered exclusions for bbc.co.uk,
# microsoft.com, .vmware.com, msn.com, .live.com. Limit 2 alerts per source IP per 360 s.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!".vmware.com"; nocase; content:!"msn.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; sid:2002400; rev:15;)
Added 2008-12-02 16:30:22 UTC
# sid 2002400 rev:14 -- three-step trigger on the raw payload: "User-Agent:" (nocase), then
# "Microsoft Internet Explorer" within 200 bytes after that match, then a case-insensitive
# pcre ([^\n]+) confirming both sit on the same header line. The second content acts as a
# fast pre-filter so the regex is not run on every request.
# Exclusions (microsoft.com, .vmware.com, msn.com, .live.com) are nocase and unbuffered and
# suppress the alert if the string occurs anywhere in the payload; bbc.co.uk is not excluded
# until rev:15. threshold type limit: at most 2 alerts per source IP per 360 s.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\:"; nocase; content:"Microsoft Internet Explorer"; within:200; pcre:"/User-Agent\:[^\n]+Microsoft Internet Explorer/i"; content:!"microsoft.com"; nocase; content:!".vmware.com"; nocase; content:!"msn.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; sid:2002400; rev:14;)
Added 2008-07-18 18:00:21 UTC
# sid 2002400 rev:14 (re-listed entry, text identical to the other rev:14 rule dated 2008-07-18).
# "User-Agent:" nocase, "Microsoft Internet Explorer" within:200, pcre same-line check;
# nocase unbuffered exclusions for microsoft.com, .vmware.com, msn.com, .live.com.
# Limit 2 alerts per source IP per 360 s.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\:"; nocase; content:"Microsoft Internet Explorer"; within:200; pcre:"/User-Agent\:[^\n]+Microsoft Internet Explorer/i"; content:!"microsoft.com"; nocase; content:!".vmware.com"; nocase; content:!"msn.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; sid:2002400; rev:14;)
Added 2008-07-18 18:00:21 UTC
# sid 2002400 rev:13 -- adds the "Microsoft Internet Explorer" within:200 content as a
# pre-filter ahead of the pcre; otherwise the same trigger chain as rev:12.
# Exclusions are nocase and unbuffered: microsoft.com, www.vmware.com (host-specific here;
# rev:14 widens it to .vmware.com), msn.com, .live.com. Any occurrence of those strings in the
# payload suppresses the alert. threshold type limit: at most 2 alerts per source IP per 360 s.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\:"; nocase; content:"Microsoft Internet Explorer"; within:200; pcre:"/User-Agent\:[^\n]+Microsoft Internet Explorer/i"; content:!"microsoft.com"; nocase; content:!"www.vmware.com"; nocase; content:!"msn.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; sid:2002400; rev:13;)
Added 2008-05-09 17:01:40 UTC
# sid 2002400 rev:13 (re-listed entry, text identical to the other rev:13 rule dated 2008-05-09).
# "User-Agent:" nocase, "Microsoft Internet Explorer" within:200, pcre same-line check;
# nocase unbuffered exclusions for microsoft.com, www.vmware.com, msn.com, .live.com.
# Limit 2 alerts per source IP per 360 s.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\:"; nocase; content:"Microsoft Internet Explorer"; within:200; pcre:"/User-Agent\:[^\n]+Microsoft Internet Explorer/i"; content:!"microsoft.com"; nocase; content:!"www.vmware.com"; nocase; content:!"msn.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; sid:2002400; rev:13;)
Added 2008-05-09 17:01:40 UTC
# sid 2002400 rev:12 -- only content is "User-Agent:" (nocase); the browser name is checked
# solely by the case-insensitive pcre, so the regex is evaluated on every request carrying a
# User-Agent header (rev:13 adds a content pre-filter for this).
# Exclusions are nocase and unbuffered (microsoft.com, www.vmware.com, msn.com, .live.com) and
# suppress the alert if the string occurs anywhere in the payload.
# threshold type limit: at most 2 alerts per source IP per 360 s.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Microsoft Internet Explorer/i"; content:!"microsoft.com"; nocase; content:!"www.vmware.com"; nocase; content:!"msn.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; sid:2002400; rev:12;)
Added 2008-01-28 17:24:20 UTC
# sid 2002400 rev:12 (re-listed entry, text identical to the other rev:12 rule dated 2008-01-28).
# "User-Agent:" nocase plus pcre-only browser-name check; nocase unbuffered exclusions for
# microsoft.com, www.vmware.com, msn.com, .live.com. Limit 2 alerts per source IP per 360 s.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Microsoft Internet Explorer/i"; content:!"microsoft.com"; nocase; content:!"www.vmware.com"; nocase; content:!"msn.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; sid:2002400; rev:12;)
Added 2008-01-28 17:24:20 UTC
# sid 2002400 rev:10 -- still under the BLEEDING-EDGE msg prefix; adds the browser name to the
# msg text compared with rev:9, trigger chain unchanged ("User-Agent:" nocase + pcre).
# Exclusions are nocase and unbuffered: microsoft.com, www.vmware.com, msn.com; .live.com is
# not excluded until rev:12. threshold type limit: at most 2 alerts per source IP per 360 s.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Microsoft Internet Explorer/i"; content:!"microsoft.com"; nocase; content:!"www.vmware.com"; nocase; content:!"msn.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; sid:2002400; rev:10;)
Added 2007-11-05 00:46:05 UTC
# sid 2002400 rev:10 (re-listed entry, text identical to the other rev:10 rule dated 2007-11-05).
# "User-Agent:" nocase plus pcre browser-name check; nocase unbuffered exclusions for
# microsoft.com, www.vmware.com, msn.com. Limit 2 alerts per source IP per 360 s.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Microsoft Internet Explorer/i"; content:!"microsoft.com"; nocase; content:!"www.vmware.com"; nocase; content:!"msn.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; sid:2002400; rev:10;)
Added 2007-11-05 00:46:05 UTC
# sid 2002400 rev:9 -- earliest revision on this page. Generic msg "Suspicious User Agent"
# (the browser name is added to msg in rev:10); trigger is "User-Agent:" (nocase) followed by a
# case-insensitive pcre for "Microsoft Internet Explorer" on the same header line.
# Exclusions are nocase and unbuffered: microsoft.com, www.vmware.com, msn.com -- any occurrence
# of those strings in the payload suppresses the alert.
# threshold type limit: at most 2 alerts per source IP per 360 s.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Suspicious User Agent"; flow: to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Microsoft Internet Explorer/i"; content:!"microsoft.com"; nocase; content:!"www.vmware.com"; nocase; content:!"msn.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; sid:2002400; rev:9;)