alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"Microsoft Internet Explorer"; depth:28; http_user_agent; content:!"bbc.co.uk|0d 0a|"; nocase; http_header; content:!"vmware.com|0d 0a|"; nocase; http_header; content:!"rc.itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.com|0d 0a|"; nocase; http_header; content:!"msn.es|0d 0a|"; nocase; http_header; content:!"live.com|0d 0a|"; nocase; http_header; content:!"gocyberlink.com|0d 0a|"; nocase; http_header; content:!"ultraedit.com|0d 0a|"; nocase; http_header; content:!"windowsupdate.com"; http_header; content:!"cyberlink.com"; http_header; content:!"lenovo.com"; http_header; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:32;)
Added 2015-12-04 17:45:19 UTC
This alert triggers often for various itsupport.net subdomains.
e.g.
(1) dumps.itsupport247.net
(2) xpwp.itsupport247.net
(3) update.itsupport247.net
(4) update1.itsupport247.net
(5) wpmsupth.itsupport247.net
Suggest removing: content:!"rc.itsupport247.net|0d 0a|"
and replacing with: content:!"itsupport247.net|0d 0a|"
I figure other folks may have the same issue, and there could also be other subdomains for itsupport247.net that I'm not seeing yet.
--
AmandaDeason - 2016-12-06
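To see what the proposed exclusion change does against the rev 32 rule, here is an added Python model of the rule's content and threshold logic. This is example code written for this page, not Emerging Threats' or Suricata's own code; the sample requests and the 10.0.0.x source addresses are constructed, and the model simplifies the engine's http_header buffer to the raw header lines with their CRLF endings.

```python
"""Offline model of ET sid:2002400 rev 32 (constructed example, not the Suricata engine)."""

UA_MATCH = b"Microsoft Internet Explorer"   # content:"Microsoft Internet Explorer"; depth:28; http_user_agent
UA_DEPTH = 28

# Negated http_header matches as written in rev 32: (pattern, nocase).
# Patterns ending in |0d 0a| only match at the end of a header line.
REV32_EXCLUSIONS = [
    (b"bbc.co.uk\r\n", True), (b"vmware.com\r\n", True), (b"rc.itsupport247.net\r\n", True),
    (b"msn.com\r\n", True), (b"msn.es\r\n", True), (b"live.com\r\n", True),
    (b"gocyberlink.com\r\n", True), (b"ultraedit.com\r\n", True),
    (b"windowsupdate.com", False), (b"cyberlink.com", False), (b"lenovo.com", False),
]

# The change suggested in the thread: widen rc.itsupport247.net to the whole domain.
PROPOSED_EXCLUSIONS = [
    (b"itsupport247.net\r\n", True) if p == b"rc.itsupport247.net\r\n" else (p, nc)
    for p, nc in REV32_EXCLUSIONS
]


def split_request(raw):
    """Return (request_line, header_block); the header block keeps a CRLF after every line."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    return request_line, headers + b"\r\n"


def header(headers, name):
    """Value of the first header called `name` (case-insensitive), or b''."""
    for line in headers.split(b"\r\n"):
        key, _, value = line.partition(b":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return b""


def excluded(headers, exclusions):
    """True if any negated content match is present, honouring nocase per pattern."""
    lowered = headers.lower()
    for pattern, nocase in exclusions:
        if (pattern.lower() in lowered) if nocase else (pattern in headers):
            return True
    return False


def rule_matches(raw, exclusions=REV32_EXCLUSIONS):
    """True if the request satisfies the rule's content checks (before thresholding)."""
    _, headers = split_request(raw)
    ua = header(headers, b"User-Agent")
    if ua[:UA_DEPTH].find(UA_MATCH) == -1:      # depth:28 on the User-Agent buffer
        return False
    return not excluded(headers, exclusions)


class Limiter:
    """threshold:type limit, track by_src, count 2, seconds 360."""

    def __init__(self, count=2, seconds=360):
        self.count, self.seconds = count, seconds
        self.windows = {}                        # src -> [window_start, alerts_in_window]

    def allow(self, src, now):
        start, n = self.windows.get(src, (None, 0))
        if start is None or now - start >= self.seconds:
            self.windows[src] = [now, 1]
            return True
        if n < self.count:
            self.windows[src][1] = n + 1
            return True
        return False


def build_request(host, ua=b"Microsoft Internet Explorer"):
    """Constructed HTTP/1.1 request with the given Host and User-Agent."""
    return (b"GET /update HTTP/1.1\r\nHost: " + host + b"\r\nUser-Agent: " + ua
            + b"\r\nConnection: close\r\n\r\n")


# Constructed traffic: (seconds, source IP, raw request). Hostnames are those named in the thread.
SAMPLE_TRAFFIC = [
    (0, "10.0.0.5", build_request(b"rc.itsupport247.net")),
    (10, "10.0.0.5", build_request(b"dumps.itsupport247.net")),
    (20, "10.0.0.5", build_request(b"update1.itsupport247.net")),
    (30, "10.0.0.5", build_request(b"xpwp.itsupport247.net")),
    (40, "10.0.0.9", build_request(b"unknown-c2.example")),
    (50, "10.0.0.9", build_request(b"www.bbc.co.uk", ua=b"Mozilla/5.0 (compatible; MSIE 11.0)")),
]


def run(traffic, exclusions):
    """Return the (src, Host) pairs that would alert after thresholding."""
    limiter, alerts = Limiter(), []
    for ts, src, raw in traffic:
        if rule_matches(raw, exclusions) and limiter.allow(src, ts):
            alerts.append((src, header(split_request(raw)[1], b"Host")))
    return alerts


if __name__ == "__main__":
    print("rev 32 :", run(SAMPLE_TRAFFIC, REV32_EXCLUSIONS))
    print("proposed:", run(SAMPLE_TRAFFIC, PROPOSED_EXCLUSIONS))
```

With the rev 32 list, 10.0.0.5 alerts on dumps and update1 and the xpwp request is then suppressed by the threshold, while 10.0.0.9 alerts once; with the proposed list only the unknown-c2.example request alerts. One caveat for the proposed pattern: because `|0d 0a|` anchors only the end of the header line, `itsupport247.net|0d 0a|` also suppresses any Host that merely ends in that string, so a lookalike such as evil-itsupport247.net would be excluded too; `.itsupport247.net|0d 0a|` is tighter if the bare apex domain never appears in Host.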
Hello.
We are also observing a huge number of FPs for that rule.
A lot of our clients are using software developed by Continuum Managed Services. Short information about the company: Continuum is the IT management platform company that allows Managed IT Services Providers (MSPs) to maintain and back up on-premise and cloud-based servers, desktops, mobile devices and other endpoints for their small- and medium-sized business clients. We are a channel-exclusive provider of managed IT services, which means we succeed when our partners do. Our growth is YOUR growth.
They have several products (for support and management). This software often connects to different *.itsupport247.net remote resources.
Dear ET, please consider a rule modification. Please look at Amanda Deason's suggestion above: content:!"itsupport247.net|0d 0a|"; nocase; http_header;
--
MaksymParpaley - 2017-01-04
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"Microsoft Internet Explorer"; depth:28; http_user_agent; content:!"bbc.co.uk|0d 0a|"; nocase; http_header; content:!"vmware.com|0d 0a|"; nocase; http_header; content:!"rc.itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.com|0d 0a|"; nocase; http_header; content:!"msn.es|0d 0a|"; nocase; http_header; content:!"live.com|0d 0a|"; nocase; http_header; content:!"gocyberlink.com|0d 0a|"; nocase; http_header; content:!"ultraedit.com|0d 0a|"; nocase; http_header; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:31;)
Added 2015-04-01 17:33:52 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"Microsoft Internet Explorer"; depth:28; http_user_agent; content:!"bbc.co.uk|0d 0a|"; nocase; http_header; content:!"vmware.com|0d 0a|"; nocase; http_header; content:!"rc.itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.com|0d 0a|"; nocase; http_header; content:!"msn.es|0d 0a|"; nocase; http_header; content:!"live.com|0d 0a|"; nocase; http_header; content:!"gocyberlink.com|0d 0a|"; nocase; http_header; content:!"ultraedit.com|0d 0a|"; nocase; http_header; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:31;)
Added 2015-04-01 13:00:00 UTC
Excluded: "ultraedit.com"
--
JanHartmann - 2015-04-01
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"Microsoft Internet Explorer"; depth:28; http_user_agent; content:!"bbc.co.uk|0d 0a|"; nocase; http_header; content:!"vmware.com|0d 0a|"; nocase; http_header; content:!"rc.itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.com|0d 0a|"; nocase; http_header; content:!"msn.es|0d 0a|"; nocase; http_header; content:!"live.com|0d 0a|"; nocase; http_header; content:!"gocyberlink.com|0d 0a|"; nocase; http_header; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:30;)
Added 2014-07-28 18:08:35 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; fast_pattern:11,25; http_header; content:!"bbc.co.uk|0d 0a|"; nocase; http_header; content:!"vmware.com|0d 0a|"; nocase; http_header; content:!"rc.itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.com|0d 0a|"; nocase; http_header; content:!"msn.es|0d 0a|"; nocase; http_header; content:!"live.com|0d 0a|"; nocase; http_header; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:29;)
Added 2012-01-18 17:58:28 UTC
Also needs msn.co.uk adding to defeats
--
MattNewham - 31 Dec 2012
Also needs content:!"liveupdate.gocyberlink.com|0d 0a|"; nocase; http_header; for PowerDVD updates
--
ChriV - 2014-07-28
Thanks, an update for this will go out today!
--
DarienH - 2014-07-28
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; content:!"bbc.co.uk"; nocase; http_header; content:!"vmware.com"; nocase; http_header; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:26;)
Added 2011-10-12 19:11:36 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; content:!"bbc.co.uk"; nocase; http_header; content:!"vmware.com"; nocase; http_header; threshold:type limit, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; sid:2002400; rev:26;)
Added 2011-09-14 21:39:16 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; content:!"bbc.co.uk"; nocase; http_header; content:!"vmware.com"; nocase; http_header; threshold:type limit, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:26;)
Added 2011-08-24 16:56:00 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; content:!"bbc.co.uk"; nocase; http_header; content:!"microsoft.com"; nocase; http_header; content:!"vmware.com"; nocase; http_header; content:!"msn.com"; nocase; http_header; content:!"msnbc.com"; nocase; http_header; content:!".live.com"; nocase; http_header; content:!".msn.es"; nocase; http_header;threshold:type limit, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:25;)
Added 2011-05-02 14:42:51 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; content:!"bbc.co.uk"; nocase; http_header; content:!"microsoft.com"; nocase; http_header; content:!"vmware.com"; nocase; http_header; content:!"msn.com"; nocase; http_header; content:!"msnbc.com"; nocase; http_header; content:!".live.com"; nocase; http_header; content:!".msn.es"; nocase; http_header;threshold:type limit, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:25;)
Added 2011-05-02 14:23:35 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; content:!"bbc.co.uk"; nocase; http_header; content:!"microsoft.com"; nocase; http_header; content:!"vmware.com"; nocase; http_header; content:!"msn.com"; nocase; http_header; content:!"msnbc.com"; nocase; http_header; content:!".live.com"; nocase; http_header; content:!".msn.es"; nocase; http_header;threshold:type limit, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:25;)
Added 2011-05-02 14:04:13 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; content:!"bbc.co.uk"; nocase; http_header; content:!"microsoft.com"; nocase; http_header; content:!"vmware.com"; nocase; http_header; content:!"msn.com"; nocase; http_header; content:!"msnbc.com"; nocase; http_header; content:!".live.com"; nocase; http_header; content:!".msn.es"; nocase; http_header;threshold:type limit, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:25;)
Added 2011-05-01 20:54:00 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; content:!"bbc.co.uk"; nocase; http_header; content:!"microsoft.com"; nocase; http_header; content:!"vmware.com"; nocase; http_header; content:!"msn.com"; nocase; http_header; content:!"msnbc.com"; nocase; http_header; content:!".live.com"; nocase; http_header; content:!".msn.es"; nocase; http_header;threshold:type limit, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:25;)
Added 2011-04-29 17:39:43 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; content:!"bbc.co.uk"; nocase; http_header; content:!"microsoft.com"; nocase; http_header; content:!"vmware.com"; nocase; http_header; content:!"msn.com"; nocase; http_header; content:!"msnbc.com"; nocase; http_header; content:!".live.com"; nocase; http_header; threshold:type limit, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:24;)
Added 2011-02-04 17:21:49 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!"vmware.com"; nocase; content:!"msn.com"; nocase; content:!"msnbc.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:21;)
Added 2010-03-01 14:15:48 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!"vmware.com"; nocase; content:!"msn.com"; nocase; content:!"msnbc.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:20;)
Added 2009-12-22 14:30:46 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!".vmware.com"; nocase; content:!"msn.com"; nocase; content:!"msnbc.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:19;)
Added 2009-10-19 09:15:43 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!".vmware.com"; nocase; content:!"msn.com"; nocase; content:!"msnbc.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2002400; rev:17;)
Added 2009-09-29 15:45:36 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!".vmware.com"; nocase; content:!"msn.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2002400; rev:16;)
Added 2009-02-09 21:30:23 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!".vmware.com"; nocase; content:!"msn.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2002400; rev:16;)
Added 2009-02-09 21:29:24 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!".vmware.com"; nocase; content:!"msn.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; sid:2002400; rev:15;)
Added 2008-12-02 16:30:22 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\:"; nocase; content:"Microsoft Internet Explorer"; within:200; pcre:"/User-Agent\:[^\n]+Microsoft Internet Explorer/i"; content:!"microsoft.com"; nocase; content:!".vmware.com"; nocase; content:!"msn.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; sid:2002400; rev:14;)
Added 2008-07-18 18:00:21 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\:"; nocase; content:"Microsoft Internet Explorer"; within:200; pcre:"/User-Agent\:[^\n]+Microsoft Internet Explorer/i"; content:!"microsoft.com"; nocase; content:!"www.vmware.com"; nocase; content:!"msn.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; sid:2002400; rev:13;)
Added 2008-05-09 17:01:40 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Microsoft Internet Explorer/i"; content:!"microsoft.com"; nocase; content:!"www.vmware.com"; nocase; content:!"msn.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; sid:2002400; rev:12;)
Added 2008-01-28 17:24:20 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Microsoft Internet Explorer/i"; content:!"microsoft.com"; nocase; content:!"www.vmware.com"; nocase; content:!"msn.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; sid:2002400; rev:10;)
Added 2007-11-05 00:46:05 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Suspicious User Agent"; flow: to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Microsoft Internet Explorer/i"; content:!"microsoft.com"; nocase; content:!"www.vmware.com"; nocase; content:!"msn.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; sid:2002400; rev:9;)