# NOTE(review): the last host exclusion (connectivitycheck.gstatic.com) is followed by isdataat:1,relative, whereas every other
# end-anchored host exclusion in this revision uses isdataat:!1,relative. This looks like a dropped "!"; if so, the exclusion
# would not behave like its siblings — confirm the intended semantics against a test pcap before deploying rev 22.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_host; content:!"deezer.com"; http_host; isdataat:!1,relative; content:!"googlezip.net"; http_host; content:!"metrics.tbliab.net"; http_host; isdataat:!1,relative; content:!"dajax.com"; http_host; isdataat:!1,relative; content:!"update.eset.com"; http_host; isdataat:!1,relative; content:!".sketchup.com"; http_host; isdataat:!1,relative; content:!".yieldmo.com"; http_host; isdataat:!1,relative; content:!"ping-start.com"; http_host; isdataat:!1,relative; content:!".bluekai.com"; http_host; content:!".stockstracker.com"; http_host; content:!".doubleclick.net"; http_host; content:!".pingstart.com"; http_host; content:!".colis-logistique.com"; http_host; content:!"android-lrcresource.wps.com"; http_host; content:!"track.package-buddy.com"; http_host; content:!"talkgadget.google.com"; http_host; isdataat:!1,relative; content:!".visualstudio.com"; http_host; isdataat:!1,relative; content:!".slack-edge.com"; http_host; isdataat:!1,relative; content:!".slack.com"; http_host; isdataat:!1,relative; content:!".lifesizecloud.com"; http_host; isdataat:!1,relative; content:!"connectivitycheck.gstatic.com"; http_host; isdataat:1,relative; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:unknown; sid:2007994; rev:22; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category INFO, signature_severity Major, tag User_Agent, updated_at 2020_11_17;)
Added 2020-11-17 18:19:11 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_host; content:!"deezer.com"; http_host; isdataat:!1,relative; content:!"googlezip.net"; http_host; content:!"metrics.tbliab.net"; http_host; isdataat:!1,relative; content:!"dajax.com"; http_host; isdataat:!1,relative; content:!"update.eset.com"; http_host; isdataat:!1,relative; content:!".sketchup.com"; http_host; isdataat:!1,relative; content:!".yieldmo.com"; http_host; isdataat:!1,relative; content:!"ping-start.com"; http_host; isdataat:!1,relative; content:!".bluekai.com"; http_host; content:!".stockstracker.com"; http_host; content:!".doubleclick.net"; http_host; content:!".pingstart.com"; http_host; content:!".colis-logistique.com"; http_host; content:!"android-lrcresource.wps.com"; http_host; content:!"track.package-buddy.com"; http_host; content:!"talkgadget.google.com"; http_host; isdataat:!1,relative; content:!".visualstudio.com"; http_host; isdataat:!1,relative; content:!".slack-edge.com"; http_host; isdataat:!1,relative; content:!".slack.com"; http_host; isdataat:!1,relative; content:!".lifesizecloud.com"; http_host; isdataat:!1,relative; content:!"connectivitycheck.gstatic.com"; http_host; isdataat:1,relative; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:unknown; sid:2007994; rev:22; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category INFO, signature_severity Major, tag User_Agent, updated_at 2020_05_05;)
Added 2020-08-05 19:05:12 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_host; content:!"deezer.com"; http_host; isdataat:!1,relative; content:!"googlezip.net"; http_host; content:!"metrics.tbliab.net"; http_host; isdataat:!1,relative; content:!"dajax.com"; http_host; isdataat:!1,relative; content:!"update.eset.com"; http_host; isdataat:!1,relative; content:!".sketchup.com"; http_host; isdataat:!1,relative; content:!".yieldmo.com"; http_host; isdataat:!1,relative; content:!"ping-start.com"; http_host; isdataat:!1,relative; content:!".bluekai.com"; http_host; content:!".stockstracker.com"; http_host; content:!".doubleclick.net"; http_host; content:!".pingstart.com"; http_host; content:!".colis-logistique.com"; http_host; content:!"android-lrcresource.wps.com"; http_host; content:!"track.package-buddy.com"; http_host; content:!"talkgadget.google.com"; http_host; isdataat:!1,relative; content:!".visualstudio.com"; http_host; isdataat:!1,relative; content:!".slack-edge.com"; http_host; isdataat:!1,relative; content:!".slack.com"; http_host; isdataat:!1,relative; content:!".lifesizecloud.com"; http_host; isdataat:!1,relative; content:!"connectivitycheck.gstatic.com"; http_host; isdataat:1,relative; metadata: former_category INFO; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:unknown; sid:2007994; rev:22; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2020_05_05;)
Added 2020-05-05 18:37:30 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_host; content:!"deezer.com"; http_host; isdataat:!1,relative; content:!"googlezip.net"; http_host; content:!"metrics.tbliab.net"; http_host; isdataat:!1,relative; content:!"dajax.com"; http_host; isdataat:!1,relative; content:!"update.eset.com"; http_host; isdataat:!1,relative; content:!".sketchup.com"; http_host; isdataat:!1,relative; content:!".yieldmo.com"; http_host; isdataat:!1,relative; content:!"ping-start.com"; http_host; isdataat:!1,relative; content:!".bluekai.com"; http_host; content:!".stockstracker.com"; http_host; content:!".doubleclick.net"; http_host; content:!".pingstart.com"; http_host; content:!".colis-logistique.com"; http_host; content:!"android-lrcresource.wps.com"; http_host; content:!"track.package-buddy.com"; http_host; content:!"talkgadget.google.com"; http_host; isdataat:!1,relative; content:!".visualstudio.com"; http_host; isdataat:!1,relative; content:!".slack-edge.com"; http_host; isdataat:!1,relative; content:!".slack.com"; http_host; isdataat:!1,relative; content:!".lifesizecloud.com"; http_host; isdataat:!1,relative; metadata: former_category INFO; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:unknown; sid:2007994; rev:21; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_28;)
Added 2019-10-09 19:08:40 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_host; content:!"deezer.com"; http_host; isdataat:!1,relative; content:!"googlezip.net"; http_host; content:!"metrics.tbliab.net"; http_host; isdataat:!1,relative; content:!"dajax.com"; http_host; isdataat:!1,relative; content:!"update.eset.com"; http_host; isdataat:!1,relative; content:!".sketchup.com"; http_host; isdataat:!1,relative; content:!".yieldmo.com"; http_host; isdataat:!1,relative; content:!"ping-start.com"; http_host; isdataat:!1,relative; content:!".bluekai.com"; http_host; content:!".stockstracker.com"; http_host; content:!".doubleclick.net"; http_host; content:!".pingstart.com"; http_host; content:!".colis-logistique.com"; http_host; content:!"android-lrcresource.wps.com"; http_host; content:!"track.package-buddy.com"; http_host; content:!"talkgadget.google.com"; http_host; isdataat:!1,relative; content:!".visualstudio.com"; http_host; isdataat:!1,relative; content:!".slack-edge.com"; http_host; isdataat:!1,relative; content:!".slack.com"; http_host; isdataat:!1,relative; content:!".lifesizecloud.com"; http_host; isdataat:!1,relative; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:unknown; sid:2007994; rev:21; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_28;)
Added 2019-10-01 08:27:59 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_host; content:!"deezer.com"; http_host; isdataat:!1,relative; content:!"googlezip.net"; http_host; content:!"metrics.tbliab.net"; http_host; isdataat:!1,relative; content:!"dajax.com"; http_host; isdataat:!1,relative; content:!"update.eset.com"; http_host; isdataat:!1,relative; content:!".sketchup.com"; http_host; isdataat:!1,relative; content:!".yieldmo.com"; http_host; isdataat:!1,relative; content:!"ping-start.com"; http_host; isdataat:!1,relative; content:!".bluekai.com"; http_host; content:!".stockstracker.com"; http_host; content:!".doubleclick.net"; http_host; content:!".pingstart.com"; http_host; content:!".colis-logistique.com"; http_host; content:!"android-lrcresource.wps.com"; http_host; content:!"track.package-buddy.com"; http_host; content:!"talkgadget.google.com"; http_host; isdataat:!1,relative; content:!".visualstudio.com"; http_host; isdataat:!1,relative; content:!".slack-edge.com"; http_host; isdataat:!1,relative; content:!".slack.com"; http_host; isdataat:!1,relative; content:!".lifesizecloud.com"; http_host; isdataat:!1,relative; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:unknown; sid:2007994; rev:21; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_28;)
Added 2019-10-01 04:22:22 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_host; content:!"deezer.com"; http_host; isdataat:!1,relative; content:!"googlezip.net"; http_host; content:!"metrics.tbliab.net"; http_host; isdataat:!1,relative; content:!"dajax.com"; http_host; isdataat:!1,relative; content:!"update.eset.com"; http_host; isdataat:!1,relative; content:!".sketchup.com"; http_host; isdataat:!1,relative; content:!".yieldmo.com"; http_host; isdataat:!1,relative; content:!"ping-start.com"; http_host; isdataat:!1,relative; content:!".bluekai.com"; http_host; content:!".stockstracker.com"; http_host; content:!".doubleclick.net"; http_host; content:!".pingstart.com"; http_host; content:!".colis-logistique.com"; http_host; content:!"android-lrcresource.wps.com"; http_host; content:!"track.package-buddy.com"; http_host; content:!"talkgadget.google.com"; http_host; isdataat:!1,relative; content:!".visualstudio.com"; http_host; isdataat:!1,relative; content:!".slack-edge.com"; http_host; isdataat:!1,relative; content:!".slack.com"; http_host; isdataat:!1,relative; content:!".lifesizecloud.com"; http_host; isdataat:!1,relative; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:unknown; sid:2007994; rev:21; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2019_05_10;)
Added 2019-05-10 18:15:57 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_host; content:!"deezer.com"; http_host; isdataat:!1,relative; content:!"googlezip.net"; http_host; content:!"metrics.tbliab.net"; http_host; isdataat:!1,relative; content:!"dajax.com"; http_host; isdataat:!1,relative; content:!"update.eset.com"; http_host; isdataat:!1,relative; content:!".sketchup.com"; http_host; isdataat:!1,relative; content:!".yieldmo.com"; http_host; isdataat:!1,relative; content:!"ping-start.com"; http_host; isdataat:!1,relative; content:!".bluekai.com"; http_host; content:!".stockstracker.com"; http_host; content:!".doubleclick.net"; http_host; content:!".pingstart.com"; http_host; content:!".colis-logistique.com"; http_host; content:!"android-lrcresource.wps.com"; http_host; content:!"track.package-buddy.com"; http_host; content:!"talkgadget.google.com"; http_host; isdataat:!1,relative; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:20; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2018_04_03;)
Added 2018-04-03 16:44:24 UTC
Looks to raise false positives for apis.appnxt.net and cdn.appnxt.net. Hosted at 52.32.0.0/11, 52.0.0.0/11 (Amazon EC2).
VirusTotal says no problem, and apparently ET Pro raises no objections (as reported at
https://urlquery.net/report/a1314cdf-e54e-497a-928d-67910a6ff138).
--
TjSmith - 2018-08-09
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; content:!"googlezip.net"; http_header; content:!"metrics.tbliab.net|0d 0a|"; http_header; content:!"dajax.com|0d 0a|"; http_header; content:!"update.eset.com|0d 0a|"; http_header; content:!".sketchup.com|0d 0a|"; http_header; content:!".yieldmo.com|0d 0a|"; http_header; content:!"ping-start.com|0d 0a|"; http_header; content:!".bluekai.com"; http_header; content:!".stockstracker.com"; http_header; content:!".doubleclick.net"; http_header; content:!".pingstart.com"; http_header; content:!".colis-logistique.com"; http_header; content:!"android-lrcresource.wps.com"; http_header; content:!"track.package-buddy.com"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:19; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_03_01;)
Added 2017-11-08 16:30:22 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; content:!"googlezip.net"; http_header; content:!"metrics.tbliab.net|0d 0a|"; http_header; content:!"dajax.com|0d 0a|"; http_header; content:!"update.eset.com|0d 0a|"; http_header; content:!".sketchup.com|0d 0a|"; http_header; content:!".yieldmo.com|0d 0a|"; http_header; content:!"ping-start.com|0d 0a|"; http_header; content:!".bluekai.com"; http_header; content:!".stockstracker.com"; http_header; content:!".doubleclick.net"; http_header; content:!".pingstart.com"; http_header; content:!".colis-logistique.com"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:18; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_03_01;)
Added 2017-08-28 16:28:10 UTC
Hi, I believe I have come across another false positive with this rule, relating to the WPS Office app for Android:
GET /api/pre_download?dist=en00001&locale=en-US&platform=android&type=recommend_app&uid=6adeea637044d69dd7c1cd260898b8b2&v=0&wpsver=9.5.1&check=22b58a241ec6a0f66e076cbdf1acf82f HTTP/1.1
Host: android-lrcresource.wps.com
Connection: Keep-Alive
User-Agent:
--
HpBcds - 2017-09-13
It looks like a package tracker app on my Android (Package Buddy) is creating false positives:
GET ./v3/tracker.php?carrier=usps&tracknum=#######################
&hash=b91d9dfbc98c22936845ac4c9cdd5038&ver=com.psyrus.packagebuddy.285.HTTP/1.1.User-Agent:...
Host:.track.package-buddy.com..Connection:.Keep-Alive..Accept-Encoding:.gzip
--
DavidThames - 2017-11-08
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; content:!"googlezip.net"; http_header; content:!"metrics.tbliab.net|0d 0a|"; http_header; content:!"dajax.com|0d 0a|"; http_header; content:!"update.eset.com|0d 0a|"; http_header; content:!".sketchup.com|0d 0a|"; http_header; content:!".yieldmo.com|0d 0a|"; http_header; content:!"ping-start.com|0d 0a|"; http_header; content:!".bluekai.com"; http_header; content:!".stockstracker.com"; http_header; content:".doubleclick.net"; http_header; content:".pingstart.com"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:17; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_03_01;)
Added 2017-08-07 21:01:12 UTC
Hello,
I get a false positive with this rule. The French Post gives its customers a piece of software called "Expinet / Expeditor". This software calls the French Post server in order to send shipping data and retrieve postal code data, among other things.
It's always the same destination IP and port (213.41.95.188:80). The domain appears to be www.colis-logistique.com.
I suggest excluding this destination from this rule.
Best regards,
Maxime
--
MaximeVa - 2017-08-25
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; content:!"googlezip.net"; http_header; content:!"metrics.tbliab.net|0d 0a|"; http_header; content:!"dajax.com|0d 0a|"; http_header; content:!"update.eset.com|0d 0a|"; http_header; content:!".sketchup.com|0d 0a|"; http_header; content:!".yieldmo.com|0d 0a|"; http_header; content:!"ping-start.com|0d 0a|"; http_header; content:!".bluekai.com"; http_header; content:!".stockstracker.com"; http_header; content:".doubleclick.net"; http_header; content:".pingstart.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:17;)
Added 2017-05-05 16:58:50 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; content:!"googlezip.net"; http_header; content:!"metrics.tbliab.net|0d 0a|"; http_header; content:!"dajax.com|0d 0a|"; http_header; content:!"update.eset.com|0d 0a|"; http_header; content:!".sketchup.com|0d 0a|"; http_header; content:!".yieldmo.com|0d 0a|"; http_header; content:!"ping-start.com|0d 0a|"; http_header; content:!".bluekai.com"; http_header; content:!".stockstracker.com"; http_header; content:".doubleclick.net"; http_header; content:".pingstart.com"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:17;)
Added 2017-05-03 17:35:06 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; content:!"googlezip.net"; http_header; content:!"metrics.tbliab.net|0d 0a|"; http_header; content:!"dajax.com|0d 0a|"; http_header; content:!"update.eset.com|0d 0a|"; http_header; content:!".sketchup.com|0d 0a|"; http_header; content:!".yieldmo.com|0d 0a|"; http_header; content:!"ping-start.com|0d 0a|"; http_header; content:!".bluekai.com"; http_header; content:!".stockstracker.com"; http_header; content:".doubleclick.net"; http_header; content:".pingstart.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:17;)
Added 2017-04-12 18:51:09 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; content:!"googlezip.net"; http_header; content:!"metrics.tbliab.net|0d 0a|"; http_header; content:!"dajax.com|0d 0a|"; http_header; content:!"update.eset.com|0d 0a|"; http_header; content:!".sketchup.com|0d 0a|"; http_header; content:!".yieldmo.com|0d 0a|"; http_header; content:!"ping-start.com|0d 0a|"; http_header; content:!".bluekai.com"; http_header; content:!".stockstracker.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:16;)
Added 2017-04-06 17:20:38 UTC
Two FP detected.
THE FIRST ONE IS - (in addition to ping-start.com, a content negation needs to be added for pingstart.com, without the hyphen) <<<<
http://pingstart.com/ >>>>
GET /v1/apps? .......... HTTP/1.1
User-Agent:
Host: api.pingstart.com
Connection: Keep-Alive
Accept-Encoding: gzip
HTTP/1.1 302 Found
THE SECOND ONE IS - doubleclick.net <<<<
https://www.doubleclickbygoogle.com/ >>>>
GET /gampad/adx?iu=/16825456/playdots_twodots_supersonic_mobile/Android_.............. HTTP/1.1
User-Agent:
Host: pubads.g.doubleclick.net
Connection: Keep-Alive
Accept-Encoding: gzip
--
DenisI - 2017-04-12
Thanks, will get these fixed up today!
--
DarienH - 2017-04-12
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; content:!"googlezip.net"; http_header; content:!"metrics.tbliab.net|0d 0a|"; http_header; content:!"dajax.com|0d 0a|"; http_header; content:!"update.eset.com|0d 0a|"; http_header; content:!".sketchup.com|0d 0a|"; http_header; content:!".yieldmo.com|0d 0a|"; http_header; content:!"ping-start.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:15;)
Added 2017-03-28 17:13:11 UTC
FP for Oracle BlueKai Marketplace.
About Oracle BlueKai Marketplace: Data as a Service (DaaS) provides a robust toolset on the Oracle BlueKai Marketplace
platform, which enables you to create audiences across hundreds of data sources, so
you can unlock the value in that data and activate it on any channel, including display,
social, and mobile, to speak to customers.
GET /site/20635?limit=0&phint=id%3D38979F28-BA8C-4EA3-B68A-C62F7628DBAE&phint=idfa%3D38979F28-BA8C-4EA3-B68A-C62F7628DBAE&phint=AdID%3D HTTP/1.1
Host: tags.bluekai.com
Accept:
/
Accept-Language: en-us
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent:
HTTP/1.1 302 Found
Date: Tue, 28 Mar 2017 19:07:51 GMT
P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV", policyref="http://tags.bluekai.com/w3c/p3p.xml"
Set-Cookie: bkdc=wdc; expires=Sun, 24-Sep-2017 19:07:51 GMT; path=/; domain=.bluekai.com
Set-Cookie: bku=ZN999/K6tkQzGGrU; expires=Sun, 24-Sep-2017 19:07:51 GMT; path=/; domain=.bluekai.com
Location:
http://tags.bluekai.com/site/20635?dt=0&r=142033989&sig=1058448020&bkca=KJpn0zpBnnWNDYF/01ygLzN1DEPt1qSyBn561fnx5Uv6zBRNzUD6N7D0LleD5ERpzM1l1fJyzUJ6CS+wu0HBCtmvoy+xOyY7OhdV
Content-Length: 0
BK-Server: d86a
Content-Type: text/html
Cneonction: close
GET /site/20635?dt=0&r=142033989&sig=1058448020&bkca=KJpn0zpBnnWNDYF/01ygLzN1DEPt1qSyBn561fnx5Uv6zBRNzUD6N7D0LleD5ERpzM1l1fJyzUJ6CS+wu0HBCtmvoy+xOyY7OhdV HTTP/1.1
Host: tags.bluekai.com
Accept:
/
Accept-Language: en-us
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent:
HTTP/1.1 200 OK
Date: Tue, 28 Mar 2017 19:07:51 GMT
P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV", policyref="http://tags.bluekai.com/w3c/p3p.xml"
Content-Length: 62
BK-Server: fbe8
Content-Type: image/gif
Cneonction: close
GIF89a.............!..NETSCAPE2.0.....!.. ....,...........L..;
1) What is Oracle BlueKai Marketplace
https://docs.oracle.com/en/cloud/saas/data-cloud/dsmkt/using-oracle-data-cloud.pdf
2) Oracle acquires BlueKai
https://www.oracle.com/corporate/acquisitions/bluekai/index.html
3) What is BlueKai?
https://www.youtube.com/watch?v=UBmgkZdWGLw
4) Oracle DaaS
https://www.youtube.com/watch?v=KiQEyEi_tNc
Please modify the rule for bluekai.com.
Thank you.
--
MaksymParpaley - 2017-03-29
Dear ET, I have a couple more FPs. Please give some feedback on the previous request. Thank you!
--
MaksymParpaley - 2017-03-30
FP for the Stocks Tracker application for iOS:
GET /logEvent?action=detailview HTTP/1.1
Host: www.stockstracker.com
User-Agent:
Connection: keep-alive
Accept-Encoding: gzip
HTTP/1.1 200 OK
--
DenisI - 2017-04-06
Thanks DenisI and Maksym, these will be added today!
--
DarienH - 2017-04-06
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; content:!"googlezip.net"; http_header; content:!"metrics.tbliab.net|0d 0a|"; http_header; content:!"dajax.com|0d 0a|"; http_header; content:!"update.eset.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:14;)
Added 2017-03-01 16:50:34 UTC
Hello. One more FP, this time for the SketchUp application. Please consider modifying the rule.
More about the app is here:
https://www.sketchup.com/products/sketchup-pro
PCAP:
GET /en/updates/su2016/supmac HTTP/1.1
Host: help.sketchup.com
Accept:
/
Cookie: _ga=.......
User-Agent:
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 723
Cache-Control: public, max-age=86400
Content-Encoding: gzip
Content-Language: en
Content-Type: text/plain;charset=UTF-8
Date: Thu, 02 Mar 2017 18:26:55 GMT
Etag: "1488473631-0"
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Thu, 02 Mar 2017 16:53:51 GMT
Link: </en/node/6201>; rel="shortlink",</en/updates/su2016/supmac>; rel="canonical"
Server: nginx
Vary: Cookie,Accept-Encoding
Via: 1.1 varnish
X-AH-Environment: prod
X-Cache: HIT
X-Cache-Hits: 10
X-Drupal-Cache: HIT
X-Frame-Options: SAMEORIGIN
X-Generator: Drupal 7 (
http://drupal.org)
X-Request-ID: v-21438c62-ff74-11e6-95eb-22000bdde467
X-Varnish: 124145036 124048606
Content-Length: 79
Connection: keep-alive
...........DATA.........
Thank you, BR
--
MaksymParpaley - 2017-03-06
FP from yieldmo.com, a mobile advertising firm.
PCAP:
Host: ads.yieldmo.com
Accept:
/
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Cookie: yieldmo_id=gd12bddab47d14c20cf0%7C1490185731709%7C1646916380831188839%7C1437728892220980040
User-Agent:
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Content-Length: 638
--
PhillipPeterson - 2017-03-25
FP for api.ping-start.com -
http://www.pingstart.com/. Application monetization.
yieldmo.com and pingstart.com should be excluded from the rule. Such network activity is neither good nor bad, just monetization tricks. ET, please eliminate the FP.
--
MaksymParpaley - 2017-03-28
When a user downloads an ad-supported application, Google Play warns about the presence of advertisements in the free version. That is why this is not malicious activity.
--
MaksymParpaley - 2017-03-28
Fixing these today, thanks!
--
DarienH - 2017-03-28
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; content:!"googlezip.net"; http_header; content:!"metrics.tbliab.net|0d 0a|"; http_header; content:!"dajax.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:13;)
Added 2017-02-21 19:53:14 UTC
Hello. FP for ESET Internet Security and NOD32 Antivirus. Please consider modifying the rule.
The rule tripped during an update of ESET Internet Security and NOD32 Antivirus.
Information about product:
http://www.eset.co.uk/Beta/V10
We have no full PCAP, but some information below:
src_ip: 192.1682.xx.xx
dst_ip: 91.228.166.14
Host: update.eset.com
url:
http://update.eset.com/eset_upd/v10/dll/update.ver
HTTP Request:
HEAD /eset_upd/v10/dll/update.ver HTTP/1.1
Accept:
/
User-Agent:
Host: update.eset.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
X-NOD32-Mode: passive
Pragma: no-cache
Cache-Control: no-cache, no-store
Eset-Spread-Control: yes; domain=production
X-ESET-UpdateID:EAV-0189989284
If-Modified-Since: Wed, 01 Mar 2017 11:12:43 GMT
If-None-Match:"58b6acab-2203"
Thank you,
Best Regards
--
MaksymParpaley - 2017-03-01
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; content:!"googlezip.net"; http_header; content:!"metrics.tbliab.net|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:12;)
Added 2017-01-12 17:36:21 UTC
Hello. FP for the Stocks Tracker application. Please consider modifying the rule:
Information about application:
https://itunes.apple.com/us/app/stocks-tracker-real-time-stock/id517166254?mt=8
Pcap:
GET /usage?cmd=ads&deviceType=iPhone&token=XXXXXXXXXXXXXX&p=StockTracker&v=7.0.2&f=0&brk=(null)&por=0 HTTP/1.1
Host: www.dajax.com
User-Agent:
Connection: keep-alive
Accept-Encoding: gzip
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
Date: Tue, 21 Feb 2017 14:48:32 GMT
2000
{"eTradeApiURL":"http://ws2.stocktrackeralert.com/etradeApi","maxAskReview":"2","SHOW_FB_ON_LIST":"true","RequireFullVersionForTrade":"NO","MAX_CHART_PERDAY":"5","TradeItUrl":"https://ems.tradingticket.com/universalTradingTicket","chartDataUrl":.....................................................
Thank you
BR
Maksym
--
MaksymParpaley - 2017-02-21
We're adding a negation for dajax[.]com, however not for tbliab[.]net (looks like some sort of tracking which often falls under the 'MALWARE' category, which in our case are PUP/PUA applications)
--
DarienH - 2017-02-21
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; content:!"googlezip.net"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:11;)
Added 2016-03-23 18:08:02 UTC
Hello.
Can you please add an exception for metrics.tbliab.net.
The rule triggers during normal behavior of the Android game
CastleStorm_-_Free_to_Siege. Please look at
https://apkscan.nviso.be/report/show/c13c753c8e4f075cbf527527a88318dc (we did a scan of that game). This game needs this -
http://metrics.tbliab.net/apptrak?eses
PCAP:
GET /apptrak?eses=A2B053...........................data......................... HTTP/1.1
User-Agent:
Host: metrics.tbliab.net
Connection: Keep-Alive
Accept-Encoding: gzip
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: text/plain; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: PUT, GET, POST, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 05 Jan 2017 20:40:46 GMT
{ "Result": "Success", "SessionID": "A2B0....data....." }
Thanks!
--
MaksymParpaley - 2017-01-06
Dear ET
Any ideas about
http://metrics.tbliab.net/apptrak?eses
Are you planning to add a negation?
Regards
--
MaksymParpaley - 2017-01-11
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:10;)
Added 2016-02-16 22:39:50 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:10;)
Added 2016-02-16 17:47:54 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:8;)
Added 2012-07-23 21:19:16 UTC
False positive: it's a mobile connection from the Android app Deezer
GET./mobile/1/1d2d4646768803d040c62ac7f445d0de0d1515914afcee08e07dbf04dcf1196deb366e22ed6691d4a560e6096b7586094399bf09f2339c0a4d2f7533c8f9a8267faf245b02f937ac87e012fdeb292ffe.HTTP/1.1
.User-Agent:.
.Range:.bytes=16252928-16777215
.Host:.e-cdn-proxy-d.deezer.com
.Accept-Encoding:.gzip
.Cookie:.sid=fr48cb80faefb5136c7f9803625a1cec9911fd12
.Via:.1.1.localhost.(squid/3.4.10)
.X-Forwarded-For:.172.16.128.68
.Cache-Control:.max-age=259200
.Connection:.keep-alive
--
BryceSIMON - 2016-02-16
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:7;)
Added 2011-12-15 18:09:34 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:7;)
Added 2011-10-12 19:24:14 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; sid:2007994; rev:7;)
Added 2011-09-14 22:37:43 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007994; rev:7;)
Added 2011-02-04 17:27:05 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (1 space)"; flow:to_server,established; content:"|0d 0a|User-Agent\:|20 0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007994; rev:4;)
Added 2010-07-28 16:15:58 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (1 space)"; flow:to_server,established; content:"|0d 0a|User-Agent\:|20 0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007994; rev:4;)
Added 2010-07-28 16:15:58 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (1 space)"; flow:to_server,established; content:"|0d 0a|User-Agent\: |0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007994; rev:4;)
Added 2009-10-19 09:15:44 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (1 space)"; flow:to_server,established; content:"|0d 0a|User-Agent\: |0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007994; rev:4;)
Added 2009-10-19 09:15:44 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (1 space)"; flow:to_server,established; content:"|0d 0a|User-Agent\: |0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_USER_Agents; sid:2007994; rev:2;)
Added 2009-02-09 22:22:08 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (1 space)"; flow:to_server,established; content:"|0d 0a|User-Agent\: |0d 0a|"; classtype:trojan-activity; sid:2007994; rev:1;)
Added 2008-03-13 16:59:10 UTC