Snort mailing list archives
More information on the rule - sid:31557
From: Irish Settingg <irishsetting () gmail com>
Date: Fri, 30 Jan 2015 03:19:06 +0530
Signature - BLACKLIST USER-AGENT known malicious user-agent string - Mozilla/5.0 - Win.Trojan.Upatre. The previous rule was - Rev 2: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST USER-AGENT known malicious user-agent string - Mozilla/5.0 - Win.Backdoor.Andromeda"; flow:to_server,established; content:"/2507US-1/"; http_uri; content:"User-Agent|3A| Mozilla/5.0|0D 0A|"; fast_pattern:5,20; nocase; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url, www.virustotal.com/en/file/51b3f93d8ebd83fb01306c8797f50b01d14d2c0c9d861782dcca4b4dfbf80cc3/analysis/; classtype:trojan-activity; sid:31557; rev:2; ) The current rule is- Rev 3: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST USER-AGENT known malicious user-agent string - Mozilla/5.0 - Win.Trojan.Upatre"; flow:to_server,established; content:"User-Agent|3A| Mozilla/5.0|0D 0A|"; fast_pattern:5,20; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url, www.virustotal.com/en/file/51b3f93d8ebd83fb01306c8797f50b01d14d2c0c9d861782dcca4b4dfbf80cc3/analysis/; classtype:trojan-activity; sid:31557; rev:3; )
Please tell us the reason of change in Contents- Win.Trojan.Upatre as per multiple websites doesnot do anything wherein
it hides or strips the User-agent (Though I am sure it could have the option of doing it)
Connections observed in the network is from internal machine to -
http://search.msdn.microsoft.com/favicon.ico or http://download.virtualbox.org/virtualbox/4.3.20/Oracle_VM_VirtualBox_Extension_Pack-4.3.20.vbox-extpack
The only part which is suspicious is the user agent -
User-Agent: Mozilla/5.0 I have not seen any browser to strip down the user agent in such a way that only the Platform is visible.
Normal User agents are -
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Packet text - *Hypertext Transfer Protocol* GET /favicon.ico HTTP/1.1 Expert Info (Chat/Sequence): GET /favicon.ico HTTP/1.1\r\n Message: GET /favicon.ico HTTP/1.1\r\n Severity level: Chat Group: Sequence Request Method: GET Request URI: /favicon.ico Request Version: HTTP/1.1 *Connection:* Keep-Alive Accept-Encoding: gzip accept-language: en,* User-Agent: Mozilla/5.0 *Host:* search.msdn.microsoft.com *Full request URI:* http://search.msdn.microsoft.com/favicon.ico * Packet Text* GET /favicon.ico HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip accept-language: en,* User-Agent: Mozilla/5.0 Host: search.msdn.microsoft.com
------------------------------------------------------------------------------ Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- More information on the rule - sid:31557 Irish Settingg (Jan 29)
- Re: More information on the rule - sid:31557 Joel Esler (jesler) (Jan 29)
- Re: More information on the rule - sid:31557 Irish Settingg (Jan 29)
- Re: More information on the rule - sid:31557 Joel Esler (jesler) (Jan 29)
- Re: More information on the rule - sid:31557 Irish Settingg (Jan 29)
- Re: More information on the rule - sid:31557 Joel Esler (jesler) (Jan 29)