EmergingThreats> Main Web>2003591 (2007-04-18, MattJonkman) EditAttach

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT EVENTS Rinbot.a User Agent - Downloading new Code (Mozilla/5.0)"; flow:established,to_server; content:"User-Agent\: Mozilla/5.0|0d 0a|"; content:!"Accept\: text/"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/RinBot; sid:2003591; rev:2;)

Added 2007-04-18 10:34:05 UTC

Turns out some legitimate devices are using this UA string. Gecko 1 is mozilla/5, but it should have the rest of the ua string as well (platform, etc).

http://devedge-temp.mozilla.org/viewsource/2002/gecko-useragent-strings/

Altered above sig to look for an Accept: line.

If this doesn't control the falses we'll have to likely drop the sig altogether.

-- MattJonkman - 18 Apr 2007

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT EVENTS Rinbot.a User Agent - Downloading new Code (Mozilla/5.0)"; flow:established,to_server; content:"User-Agent\: Mozilla/5.0|0d 0a|"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/RinBot; sid:2003591; rev:1;)

Added 2007-04-16 23:00:29 UTC

More here:

RinBot?

-- MattJonkman - 17 Apr 2007

Edit | Attach | Print version | History: r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r2 - 2007-04-18 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats