snort-sigs February 2011 archive
Main Archive Page > Month Archives  > snort-sigs archives
snort-sigs: [Snort-sigs] Ask Installer

[Snort-sigs] Ask Installer

From: Lay, James <james.lay_at_nospam>
Date: Mon Feb 21 2011 - 17:14:15 GMT
To: <>, <>

Ok...point of order ladies and gents:


02/21-08:31:51.953725 [**] [1:2011225:2] ET USER_AGENTS Suspicious User
Agent (AskInstallChecker) [**] [Classification: A Network Trojan was
detected] [Priority: 1] {TCP} ->

02/21-08:31:51.953725 [**] [1:18379:2] BLACKLIST USER-AGENT known
malicious user-agent string AskInstallChecker [**] [Classification: A
Network Trojan was detected] [Priority: 1] {TCP} ->


Rules below:

emerging-user_agents.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET
$HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent
(AskInstallChecker)"; flow:to_server,established; content:"GET";
http_method; content:"User-Agent|3a| AskInstallChecker|0d 0a|"; nocase;
http_header; classtype:trojan-activity;
S/USER_AGENTS_Suspicious; reference:url,;
sid:2011225; rev:2;)


blacklist.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLACKLIST USER-AGENT known malicious user-agent string
AskInstallChecker"; flow:to_server,established; content:"User-Agent|3A|
AskInstallChecker|0D 0A|"; nocase; http_header; metadata:impact_flag
red, service http; reference:url,;
classtype:trojan-activity; sid:18379; rev:2;)


I'm guessing all "suspicious user agents" are tagged as Network Trojan,
but eh....AskIntall? Really? Shouldn't this fall under Policy instead?


James Lay

IT Security Analyst

WinCo Foods

208-672-2014 Office

208-559-1855 Cell

650 N. Armstrong Pl.

Boise, ID, 83704


The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.

Snort-sigs mailing list