alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT EVENTS Rinbot.a User Agent - Downloading new Code (Mozilla/5.0)"; flow:established,to_server; content:"User-Agent\: Mozilla/5.0|0d 0a|"; content:!"Accept\: text/"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/RinBot; sid:2003591; rev:2;)
Added 2007-04-18 10:34:05 UTC
Turns out some legitimate devices are using this UA string. Gecko 1 is Mozilla/5, but it should have the rest of the UA string as well (platform, etc.).
http://devedge-temp.mozilla.org/viewsource/2002/gecko-useragent-strings/
Altered above sig to look for an Accept: line.
If this doesn't control the falses we'll have to likely drop the sig altogether.
--
MattJonkman - 18 Apr 2007
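Added example (not from the original page or from the Bleeding Edge project): a small Python emulation of the two revisions of sid 2003591, run over constructed HTTP requests, to show what the rev:2 Accept: check changes and what it does not. Snort content matches are byte-exact and case-sensitive unless nocase is given, and neither revision uses it, so the emulation is case-sensitive too; the flow:established,to_server condition is outside the emulation. The host, path and UA strings in the samples are constructed placeholders, not captured Rinbot traffic.

```python
# Added example, not code from the original page or the Bleeding Edge project:
# emulate rev:1 and rev:2 of sid 2003591 over constructed HTTP requests.
# Snort 'content' matches are byte-exact and case-sensitive without 'nocase',
# which neither revision uses, so the emulation is case-sensitive as well.
# The flow:established,to_server part of the rule is not modelled here.

# Byte patterns taken from the rule text above.
UA_BARE = b"User-Agent: Mozilla/5.0\r\n"   # content:"User-Agent\: Mozilla/5.0|0d 0a|"
ACCEPT_TEXT = b"Accept: text/"            # content:!"Accept\: text/"


def matches_rev1(request: bytes) -> bool:
    """rev:1 -- alert on any request whose User-Agent line is exactly 'Mozilla/5.0'."""
    return UA_BARE in request


def matches_rev2(request: bytes) -> bool:
    """rev:2 -- same match, suppressed when an 'Accept: text/...' header is present."""
    return UA_BARE in request and ACCEPT_TEXT not in request


def build_request(headers: dict, path: str = "/update.exe") -> bytes:
    """Build a minimal HTTP/1.1 GET with the given headers, in the given order."""
    lines = [f"GET {path} HTTP/1.1"] + [f"{name}: {value}" for name, value in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


# Constructed sample traffic (hypothetical). Host and path are placeholders,
# not real Rinbot infrastructure.
HOST = "203.0.113.10"
SAMPLES = {
    # What the rule was written for: a bare UA and no Accept header at all.
    "bot_bare_ua": build_request(
        {"Host": HOST, "User-Agent": "Mozilla/5.0"}),
    # The legitimate device from the rev:2 note, sending Accept: text/html.
    "device_accept_text": build_request(
        {"Host": HOST, "User-Agent": "Mozilla/5.0", "Accept": "text/html"}),
    # A device with a bare UA but Accept: */* -- still fires under rev:2.
    "device_accept_star": build_request(
        {"Host": HOST, "User-Agent": "Mozilla/5.0", "Accept": "*/*"}),
    # A full Gecko UA (platform, rv, Gecko build date): the text after
    # 'Mozilla/5.0' means the |0d 0a| never follows it, so no match.
    "full_gecko_ua": build_request(
        {"Host": HOST,
         "User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) "
                       "Gecko/20070309 Firefox/2.0.0.3",
         "Accept": "text/html,text/plain"}),
    # A bot that simply adds Accept: text/html is byte-identical to the
    # legitimate device above, so rev:2 cannot alert on it.
    "bot_spoofing_accept": build_request(
        {"Host": HOST, "User-Agent": "Mozilla/5.0", "Accept": "text/html"}),
    # HTTP header names are case-insensitive, but the rule has no nocase,
    # so a lowercased header name evades both revisions.
    "bot_lowercase_header": build_request(
        {"Host": HOST, "user-agent": "Mozilla/5.0"}),
}


def evaluate(samples=SAMPLES) -> dict:
    """Return {sample_name: (rev1_alerts, rev2_alerts)} for each constructed request."""
    return {name: (matches_rev1(req), matches_rev2(req)) for name, req in samples.items()}


if __name__ == "__main__":
    for name, (rev1, rev2) in evaluate().items():
        print(f"{name:22s} rev1={'ALERT' if rev1 else '-':5s} rev2={'ALERT' if rev2 else '-'}")
```

Running it shows the trade-off the note above is making: rev:2 silences the device that sends Accept: text/html, but a bare-UA request with Accept: */* (or no Accept at all) still alerts, and a bot that adds Accept: text/html to its download request becomes indistinguishable from that device, since the two requests are byte-for-byte the same. The missing nocase is a separate gap: a lowercased header name slips past both revisions.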
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT EVENTS Rinbot.a User Agent - Downloading new Code (Mozilla/5.0)"; flow:established,to_server; content:"User-Agent\: Mozilla/5.0|0d 0a|"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/RinBot; sid:2003591; rev:1;)
Added 2007-04-16 23:00:29 UTC
More here: RinBot (doc.bleedingthreats.net/bin/view/Main/RinBot)
--
MattJonkman - 17 Apr 2007