[Snort-sigs] SID 29999

Alex McDonnell amcdonnell at ...435...
Thu Nov 6 08:33:48 EST 2014


This is an invalid user agent for IE 9. It is being used by the malware
referenced in the rule's VirusTotal link. If you can identify a valid
program/service generating traffic with this user agent, please forward
along a pcap so we can analyze it.

thanks
Alex McDonnell
TALOS (VRT)

On Thu, Nov 6, 2014 at 4:44 AM, Dan Rieille <snortuser2604 at ...2420...> wrote:

> Hi guys,
>
> For the past few days, I have been getting a lot of alerts generated by
> Snort SID 1:29999. This rule is associated with the "A Network Trojan was
> Detected" category, and the message is
> "BLACKLIST USER-AGENT known Malicious user agent - MSIE 9.0 in version 10
> format"
>
> Googling, I didn't find any information about this SID. Any idea?
>
> Thanks
>
> Dan