alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE User Agent Containing http\:// - Suspicious - Likely Spyware/Trojan"; flow:to_server,established; content:"User-Agent\:"; nocase; content:!"rss"; nocase; pcre:"/User-Agent\:[^\n]+http\:\/\//i"; classtype:trojan-activity; sid:2003394; rev:2;)
Added 2007-07-09 04:46:10 UTC
Some false postives:
- Someone who uses the Web Browser www.balsa.com.
- Googlebot: User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
--
CarlaFreitas - 27 Feb 2008
Additional false positive:
1.) Someone who goes to hotmail.com
--
MichelleDeMansana - 10 Apr 2008
Wordpress can also trigger this rule. You should see "User-Agent:
WordPress?/x.x.x" if you look at the traffic
--
PaulJohnson - 12 Aug 2008
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE User Agent Containing http\:// - Possible Spyware"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+http\:\/\//i"; classtype:trojan-activity; sid:2003394; rev:1;)
Main Web
Main Web
Create New Topic
Index
Search
Changes
Preferences
