[Snort-sigs] Ask Installer

Lay, James james.lay at ...3513...
Mon Feb 21 12:14:15 EST 2011


Ok... point of order, ladies and gents:

02/21-08:31:51.953725  [**] [1:2011225:2] ET USER_AGENTS Suspicious User Agent (AskInstallChecker) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.21.10.101:2017 -> 74.113.233.61:80

02/21-08:31:51.953725  [**] [1:18379:2] BLACKLIST USER-AGENT known malicious user-agent string AskInstallChecker [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.21.10.101:2017 -> 74.113.233.61:80


Rules below:

emerging-user_agents.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (AskInstallChecker)"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3a| AskInstallChecker|0d 0a|"; nocase; http_header; classtype:trojan-activity; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; reference:url,doc.emergingthreats.net/2011225; sid:2011225; rev:2;)

blacklist.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST USER-AGENT known malicious user-agent string AskInstallChecker"; flow:to_server,established; content:"User-Agent|3A| AskInstallChecker|0D 0A|"; nocase; http_header; metadata:impact_flag red, service http; reference:url,labs.snort.org/docs/18379.html; classtype:trojan-activity; sid:18379; rev:2;)


I'm guessing all "suspicious user agents" are tagged as Network Trojan,
but eh.... AskInstall? Really? Shouldn't this fall under Policy instead?


James Lay

IT Security Analyst

WinCo Foods

208-672-2014 Office

208-559-1855 Cell

650 N. Armstrong Pl.

Boise, ID, 83704
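To see concretely what the two rules above do and do not match, here is a small evaluator, added as an example and not code from Snort or Emerging Threats, that applies the rules' content / http_method / http_header / nocase options to a few constructed HTTP requests (paths, host and user-agent strings are made up, not captured traffic). The two-entry classification table is quoted from memory of the stock classification.config and is an assumption; check it against the copy in your own Snort install before relying on the priorities.

```python
"""Toy evaluator for the two AskInstallChecker rules quoted in the post.

Added example, not code from Snort or Emerging Threats.  It models only the
rule options that decide a match here: flow:to_server,established (assumed
satisfied, since every sample is a client request), content with the
http_method and http_header buffers, and nocase.
"""

# The two rules, reduced to the options that decide a match.  |3a|/|3A| and
# |0d 0a|/|0D 0A| are the same bytes; nocase applies to the whole content string.
RULES = [
    {
        "sid": 2011225, "rev": 2,
        "msg": "ET USER_AGENTS Suspicious User Agent (AskInstallChecker)",
        "classtype": "trojan-activity",
        "method": b"GET",                                # content:"GET"; http_method;
        "header": b"User-Agent: AskInstallChecker\r\n",  # content:"User-Agent|3a| AskInstallChecker|0d 0a|"; http_header;
        "nocase": True,
    },
    {
        "sid": 18379, "rev": 2,
        "msg": "BLACKLIST USER-AGENT known malicious user-agent string AskInstallChecker",
        "classtype": "trojan-activity",
        "method": None,                                  # this rule has no http_method test
        "header": b"User-Agent: AskInstallChecker\r\n",
        "nocase": True,
    },
]

# Two entries of Snort's stock classification.config, quoted from memory
# (assumption): classtype -> (description, priority).  Verify against your copy.
CLASSIFICATIONS = {
    "trojan-activity": ("A Network Trojan was detected", 1),
    "policy-violation": ("Potential Corporate Privacy Violation", 1),
}

# Constructed requests, not captured traffic; CRLF line endings as on the wire.
SAMPLES = {
    "get_exact":   b"GET /check HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: AskInstallChecker\r\n\r\n",
    "post_lower":  b"POST /check HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: askinstallchecker\r\n\r\n",
    "get_version": b"GET /check HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: AskInstallChecker/1.2\r\n\r\n",
    "get_browser": b"GET / HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n\r\n",
}


def split_request(raw):
    """Return (method, header_buffer) for a raw HTTP request.

    The header buffer is the header block after the request line, with each
    line CRLF-terminated: roughly what the http_header modifier inspects
    (the request line itself is not part of it).
    """
    request_line, _, rest = raw.partition(b"\r\n")
    method = request_line.split(b" ", 1)[0]
    headers, _, _body = rest.partition(b"\r\n\r\n")
    return method, headers + b"\r\n"


def content_match(buf, pattern, nocase):
    """Snort 'content' semantics: literal substring, case-folded when nocase is set."""
    if nocase:
        return pattern.lower() in buf.lower()
    return pattern in buf


def evaluate(raw):
    """Return the sids of the rules that fire on one client-to-server request."""
    method, header_buf = split_request(raw)
    fired = []
    for rule in RULES:
        # content:"GET"; http_method; carries no nocase, so the method must match exactly.
        if rule["method"] is not None and not content_match(method, rule["method"], False):
            continue
        if content_match(header_buf, rule["header"], rule["nocase"]):
            fired.append(rule["sid"])
    return fired


def alert_prefix(rule, classtype=None):
    """Render the fixed part of a fast-alert line for a rule, optionally under a
    different classtype, to see what a reclassification would change."""
    desc, prio = CLASSIFICATIONS[classtype or rule["classtype"]]
    return (f'[**] [1:{rule["sid"]}:{rule["rev"]}] {rule["msg"]} [**] '
            f'[Classification: {desc}] [Priority: {prio}]')


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12s} -> {evaluate(raw)}")
    for ct in ("trojan-activity", "policy-violation"):
        print(alert_prefix(RULES[0], ct))
```

Two things fall out of running it. The trailing |0d 0a| anchors the match to the end of the header value, so a user agent such as "AskInstallChecker/1.2" is seen by neither rule, while the ET rule additionally fails on anything other than a GET (the blacklist rule has no http_method test and fires on the lowercase POST sample). And if the stock classification.config is as quoted, moving the rule to policy-violation changes the text in the alert but not the priority; lowering the priority needs either a `priority:` override in the rule or a local edit to classification.config.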
