[Snort-sigs] Fp ON 2001702

Michael Scheidell scheidell at ...249...
Thu Jul 14 07:07:57 EDT 2005


Seems if you have Sun Java engine on your Windows XP engine and attempt
to update it, you trigger the 2001702 signature:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Shop at Home Select Spyware Activity"; flow:established,to_server; content:"User-Agent\: "; nocase; content:"Bundle"; nocase; classtype:policy-violation; sid:2001702; rev:6;)

Should we not use some type of offset or use pcre to make sure 'Bundle'
comes after User-Agent?
Maybe this should be looked at for all of the 'user-agent' strings?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Shop at Home Select Spyware Activity"; flow:established,to_server; pcre:"/User-Agent\:.*Bundle/i"; classtype:policy-violation; sid:2001702; rev:7;)

000 : 47 45 54 20 2F 77 65 62 61 70 70 73 2F 64 6F 77   GET /webapps/dow
010 : 6E 6C 6F 61 64 2F 41 75 74 6F 44 4C 3F 42 75 6E   nload/AutoDL?Bun
020 : 64 6C 65 49 64 3D 39 39 39 33 20 48 54 54 50 2F   dleId=9993 HTTP/
030 : 31 2E 31 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A   1.1..Accept: */*
040 : 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69 6E   ..Accept-Encodin
050 : 67 3A 20 69 64 65 6E 74 69 74 79 0D 0A 52 61 6E   g: identity..Ran
060 : 67 65 3A 20 62 79 74 65 73 3D 30 2D 34 38 37 31   ge: bytes=0-4871
070 : 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 69   ..User-Agent: Mi
080 : 63 72 6F 73 6F 66 74 20 42 49 54 53 2F 36 2E 36   crosoft BITS/6.6
090 : 0D 0A 48 6F 73 74 3A 20 6A 64 6C 2E 73 75 6E 2E   ..Host: jdl.sun.
0a0 : 63 6F 6D 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A   com..Connection:
0b0 : 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 0D 0A       Keep-Alive....
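As an added illustration (not part of the post or the Bleeding Edge ruleset), the following Python re-creates the two matching semantics and runs them over the request reconstructed from the hex dump above and over a constructed request that carries "Bundle" in the User-Agent. The rev:6 and rev:7 functions are my approximation of Snort's unordered content matching and of the post's pcre, not Snort itself.

```python
import re

# Request reconstructed from the hex dump in the post (the Sun Java / BITS
# update that produced the false positive). "Bundle" appears only in the URI.
FP_REQUEST = (
    b"GET /webapps/download/AutoDL?BundleId=9993 HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Accept-Encoding: identity\r\n"
    b"Range: bytes=0-4871\r\n"
    b"User-Agent: Microsoft BITS/6.6\r\n"
    b"Host: jdl.sun.com\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)

# Constructed sample (not a real capture): "Bundle" sits in the User-Agent
# value, which is what the signature was written to catch.
TP_REQUEST = (
    b"GET /report.php?id=1 HTTP/1.1\r\n"
    b"User-Agent: Bundle/2.1 (constructed sample)\r\n"
    b"Host: tracker.example\r\n\r\n"
)

def rule_rev6(payload: bytes) -> bool:
    """rev:6 semantics: two independent 'content' matches with 'nocase'.
    Snort only requires both strings to exist somewhere in the payload;
    nothing ties 'Bundle' to the User-Agent header."""
    p = payload.lower()
    return b"user-agent: " in p and b"bundle" in p

# rev:7 semantics: the post's pcre /User-Agent\:.*Bundle/i. Without the /s
# flag '.' does not cross a newline, so 'Bundle' has to be on the header line.
_UA_BUNDLE = re.compile(rb"User-Agent:.*Bundle", re.IGNORECASE)

def rule_rev7(payload: bytes) -> bool:
    return _UA_BUNDLE.search(payload) is not None

def evaluate(payload: bytes) -> dict:
    """Return the verdict of both rule revisions for one request."""
    return {"rev6": rule_rev6(payload), "rev7": rule_rev7(payload)}

if __name__ == "__main__":
    for name, req in (("java-update (FP)", FP_REQUEST), ("ua-bundle", TP_REQUEST)):
        print(name, evaluate(req))
```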
