alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Weatherbug Related User-Agent (CFNetwork/)"; flow:to_server,established; content:"User-Agent\: CFNetwork/"; nocase; classtype:trojan-activity; sid:2003485; rev:1;)
Added 2007-03-16 10:30:25 UTC
Weatherbug seems to be using a new UA. Or someone else is pulling weatherbug data. Either way, something is installed on the source machine.
--
MattJonkman - 16 Mar 2007
Nope, pulling this sig. It's now out of the ruleset.
CFNetwork is an apple coding framework:
http://developer.apple.com/documentation/Networking/Conceptual/CFNetwork/
--
MattJonkman - 19 Mar 2007