[Snort-sigs] [Emerging-Sigs] Ask Installer

Matthew Jonkman jonkman at ...3525...
Mon Feb 21 12:38:02 EST 2011

I think you're right. We had concerns long ago with what they're reporting, but I haven't seen anything negative for a while.

Unless someone chimes in that it's a malicious browser bar I'll push it over to Policy and change the classtype.

Thanks James!


On Feb 21, 2011, at 12:14 PM, Lay, James wrote:

> Ok…point of order ladies and gents:
> 02/21-08:31:51.953725  [**] [1:2011225:2] ET USER_AGENTS Suspicious User Agent (AskInstallChecker) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} ->
> 02/21-08:31:51.953725  [**] [1:18379:2] BLACKLIST USER-AGENT known malicious user-agent string AskInstallChecker [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} ->
> Rules below:
> emerging-user_agents.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (AskInstallChecker)"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3a| AskInstallChecker|0d 0a|"; nocase; http_header; classtype:trojan-activity; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; reference:url,doc.emergingthreats.net/2011225; sid:2011225; rev:2;)
> blacklist.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST USER-AGENT known malicious user-agent string AskInstallChecker"; flow:to_server,established; content:"User-Agent|3A| AskInstallChecker|0D 0A|"; nocase; http_header; metadata:impact_flag red, service http; reference:url,labs.snort.org/docs/18379.html; classtype:trojan-activity; sid:18379; rev:2;)
> I’m guessing all “suspicious user agents” are tagged as Network Trojan, but eh….AskIntall?  Really?  Shouldn’t this fall under Policy instead?
> James Lay
> IT Security Analyst
> WinCo Foods
> 208-672-2014 Office
> 208-559-1855 Cell
> 650 N. Armstrong Pl.
> Boise, ID, 83704
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at ...3335...
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!

Matthew Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205

PGP: http://www.jonkmans.com/mattjonkman.asc

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20110221/070f14f6/attachment.html>

More information about the Snort-sigs mailing list