[Snort-sigs] Ask Installer

Lay, James james.lay at ...3513...
Mon Feb 21 12:14:15 EST 2011

Ok...point of order ladies and gents:


02/21-08:31:51.953725  [**] [1:2011225:2] ET USER_AGENTS Suspicious User
Agent (AskInstallChecker) [**] [Classification: A Network Trojan was
detected] [Priority: 1] {TCP} ->

02/21-08:31:51.953725  [**] [1:18379:2] BLACKLIST USER-AGENT known
malicious user-agent string AskInstallChecker [**] [Classification: A
Network Trojan was detected] [Priority: 1] {TCP} ->


Rules below:

emerging-user_agents.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET
$HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent
(AskInstallChecker)"; flow:to_server,established; content:"GET";
http_method; content:"User-Agent|3a| AskInstallChecker|0d 0a|"; nocase;
http_header; classtype:trojan-activity;
S/USER_AGENTS_Suspicious; reference:url,doc.emergingthreats.net/2011225;
sid:2011225; rev:2;)


blacklist.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLACKLIST USER-AGENT known malicious user-agent string
AskInstallChecker"; flow:to_server,established; content:"User-Agent|3A|
AskInstallChecker|0D 0A|"; nocase; http_header; metadata:impact_flag
red, service http; reference:url,labs.snort.org/docs/18379.html;
classtype:trojan-activity; sid:18379; rev:2;)


I'm guessing all "suspicious user agents" are tagged as Network Trojan,
but eh.... AskInstall?  Really?  Shouldn't this fall under Policy instead?


James Lay

IT Security Analyst

WinCo Foods

208-672-2014 Office

208-559-1855 Cell

650 N. Armstrong Pl.

Boise, ID, 83704
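The question above is really about how Snort turns a rule's classtype into the "[Classification: ...] [Priority: N]" text in the alert, and what changes when a site reclassifies a rule in a local copy. The script below is an added example, not code from the post or from the Snort/Emerging Threats projects: it parses the two rules quoted above (the ET rule's truncated reference options are left out), looks the classtype up in a constructed subset of the stock classification.config, renders the fast-format alert line, and then rewrites the ET rule to classtype:policy-violation with and without an explicit priority option. The treatment of a rule with no classtype (priority 0) is an assumption.

```python
"""Show how classtype and priority options determine Snort alert text.

Added example (not from the mailing-list post or the Snort/ET rule sets).
"""
import re

# Constructed subset of the default Snort classification.config:
# "config classification: <classtype>,<description>,<priority>"
CLASSIFICATION_CONFIG = """
config classification: trojan-activity,A Network Trojan was detected,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: misc-activity,Misc activity,3
config classification: not-suspicious,Not Suspicious Traffic,3
"""

# The two rules quoted in the post, each on one line. The ET rule's
# reference options are omitted because the second one is cut off above.
RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (AskInstallChecker)"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3a| AskInstallChecker|0d 0a|"; nocase; http_header; classtype:trojan-activity; sid:2011225; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST USER-AGENT known malicious user-agent string AskInstallChecker"; flow:to_server,established; content:"User-Agent|3A| AskInstallChecker|0D 0A|"; nocase; http_header; metadata:impact_flag red, service http; reference:url,labs.snort.org/docs/18379.html; classtype:trojan-activity; sid:18379; rev:2;)
'''

RULE_HEADER = re.compile(
    r"^\s*(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$"
)


def parse_classifications(text):
    """Return {classtype: (description, priority)} from classification.config."""
    classes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("config classification:"):
            continue
        name, desc, prio = [p.strip() for p in line.split(":", 1)[1].split(",", 2)]
        classes[name] = (desc, int(prio))
    return classes


def _split_options(body):
    """Split the rule body on semicolons that sit outside double quotes."""
    opts, cur, in_quote, prev = [], [], False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        prev = ch
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    return opts


def parse_rule(line):
    """Parse one rule line into header fields and an ordered option list."""
    m = RULE_HEADER.match(line)
    if not m:
        raise ValueError("not a Snort rule: " + line)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = []
    for opt in _split_options(body):
        key, _, val = opt.partition(":")      # modifiers like nocase have no value
        options.append((key.strip(), val.strip()))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}


def load_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


def get_option(rule, key):
    """First value of an option keyword, or None if the rule lacks it."""
    for k, v in rule["options"]:
        if k == key:
            return v
    return None


def alert_priority(rule, classes):
    """(classification text, priority): classtype sets the default,
    an explicit priority option overrides it."""
    desc, prio = classes.get(get_option(rule, "classtype"), ("", 0))  # 0: assumed
    explicit = get_option(rule, "priority")
    if explicit is not None:
        prio = int(explicit)
    return desc, prio


def format_alert(rule, classes):
    """Render the fast-format alert text (generator 1 = rules engine)."""
    desc, prio = alert_priority(rule, classes)
    msg = get_option(rule, "msg").strip('"')
    return (f"[**] [1:{get_option(rule, 'sid')}:{get_option(rule, 'rev')}] {msg} [**] "
            f"[Classification: {desc}] [Priority: {prio}]")


def reclassify(rule_text, classtype, priority=None):
    """Return a local copy of the rule with a new classtype and, optionally,
    an explicit priority inserted before sid:."""
    text = re.sub(r"classtype:[^;]+;", f"classtype:{classtype};", rule_text)
    if priority is not None:
        text = re.sub(r"\bsid:", f"priority:{priority}; sid:", text, count=1)
    return text


if __name__ == "__main__":
    classes = parse_classifications(CLASSIFICATION_CONFIG)
    for rule in load_rules(RULES):
        print(format_alert(rule, classes))
    et_rule = RULES.strip().splitlines()[0]
    for prio in (None, 3):
        local = parse_rule(reclassify(et_rule, "policy-violation", prio))
        print(format_alert(local, classes))
```

Running it reproduces the two "[Priority: 1]" alert lines from the post, and the reclassified copies make the practical caveat visible: in the stock classification.config both trojan-activity and policy-violation carry priority 1, so moving a user-agent signature to the Policy class changes the classification text but not the priority an analyst's console sorts on unless a priority option is set as well.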


