
Re: [Snort-sigs] [Emerging-Sigs] Ask Installer

From: Matthew Jonkman <jonkman_at_nospam>
Date: Mon Feb 21 2011 - 17:38:02 GMT
To: "Lay, James" <james.lay@wincofoods.com>

I think you're right. We had concerns long ago with what they're reporting, but I haven't seen anything negative for a while.

Unless someone chimes in that it's a malicious browser bar I'll push it over to Policy and change the classtype.

Thanks James!

Matt

On Feb 21, 2011, at 12:14 PM, Lay, James wrote:

> Ok…point of order ladies and gents:
>
> 02/21-08:31:51.953725 [**] [1:2011225:2] ET USER_AGENTS Suspicious User Agent (AskInstallChecker) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.21.10.101:2017 -> 74.113.233.61:80
> 02/21-08:31:51.953725 [**] [1:18379:2] BLACKLIST USER-AGENT known malicious user-agent string AskInstallChecker [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.21.10.101:2017 -> 74.113.233.61:80
>
> Rules below:
> emerging-user_agents.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (AskInstallChecker)"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3a| AskInstallChecker|0d 0a|"; nocase; http_header; classtype:trojan-activity; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; reference:url,doc.emergingthreats.net/2011225; sid:2011225; rev:2;)
>
> blacklist.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST USER-AGENT known malicious user-agent string AskInstallChecker"; flow:to_server,established; content:"User-Agent|3A| AskInstallChecker|0D 0A|"; nocase; http_header; metadata:impact_flag red, service http; reference:url,labs.snort.org/docs/18379.html; classtype:trojan-activity; sid:18379; rev:2;)
>
> I’m guessing all “suspicious user agents” are tagged as Network Trojan, but eh….AskInstall? Really? Shouldn’t this fall under Policy instead?
>
> James Lay
> IT Security Analyst
> WinCo Foods
> 208-672-2014 Office
> 208-559-1855 Cell
> 650 N. Armstrong Pl.
> Boise, ID, 83704
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs@emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!

----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
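As an added example (not code from either list, and not something either poster wrote), here is a small Python script that parses the two rules quoted above, decodes the bytes the content match actually covers, and rewrites the classtype of a chosen sid the way the reply proposes. It assumes that "Policy" means the policy-violation classtype and that only the ET rule (sid 2011225) is being moved; it bumps rev on any rule it changes. The rule texts and the alert line are copied from the quoted message and used as constructed sample input.

```python
import re

# Constructed sample input: the two rules and one of the fast-format alert
# lines quoted in the thread, copied verbatim from the message.
RULES = [
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (AskInstallChecker)"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3a| AskInstallChecker|0d 0a|"; nocase; http_header; classtype:trojan-activity; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; reference:url,doc.emergingthreats.net/2011225; sid:2011225; rev:2;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST USER-AGENT known malicious user-agent string AskInstallChecker"; flow:to_server,established; content:"User-Agent|3A| AskInstallChecker|0D 0A|"; nocase; http_header; metadata:impact_flag red, service http; reference:url,labs.snort.org/docs/18379.html; classtype:trojan-activity; sid:18379; rev:2;)',
]
ALERT = ('02/21-08:31:51.953725 [**] [1:2011225:2] ET USER_AGENTS Suspicious User Agent '
         '(AskInstallChecker) [**] [Classification: A Network Trojan was detected] '
         '[Priority: 1] {TCP} 10.21.10.101:2017 -> 74.113.233.61:80')

# Assumption: "Policy" in the thread means the policy-violation classtype, and
# only the ET rule (sid 2011225) is being moved; the blacklist rule is untouched.
CLASSTYPE_OVERRIDES = {2011225: "policy-violation"}

RULE_RE = re.compile(r'^(?P<header>[^(]+?)\s*\((?P<body>.*)\)\s*$')
ALERT_RE = re.compile(
    r'\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] '
    r'\[Classification: (?P<classification>[^\]]+)\] \[Priority: (?P<priority>\d+)\]')


def split_options(body):
    """Split the option body on ';', ignoring semicolons inside quoted strings."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == '\\':
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def parse_rule(text):
    """Return {'header': str, 'options': [(name, value-or-None), ...]}."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text[:40])
    options = []
    for opt in split_options(m.group('body')):
        name, sep, value = opt.partition(':')
        options.append((name.strip(), value.strip() if sep else None))
    return {'header': m.group('header').strip(), 'options': options}


def option_value(rule, name):
    """First value of a named option (e.g. 'sid', 'classtype'), or None."""
    for n, v in rule['options']:
        if n == name:
            return v
    return None


def render_rule(rule):
    """Inverse of parse_rule; keeps option order so diffs stay reviewable."""
    parts = [n if v is None else '%s:%s' % (n, v) for n, v in rule['options']]
    return '%s (%s;)' % (rule['header'], '; '.join(parts))


def decode_content(value):
    """Turn a content string with |hex| runs into the bytes the rule matches."""
    out = bytearray()
    for i, part in enumerate(value.strip('"').split('|')):
        out += part.encode('latin-1') if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def reclassify(text, overrides):
    """Rewrite classtype for a sid in `overrides`, bumping rev; returns (text, changed)."""
    rule = parse_rule(text)
    sid = int(option_value(rule, 'sid'))
    if sid not in overrides or option_value(rule, 'classtype') == overrides[sid]:
        return text, False
    new_options = []
    for name, value in rule['options']:
        if name == 'classtype':
            value = overrides[sid]
        elif name == 'rev':
            value = str(int(value) + 1)
        new_options.append((name, value))
    return render_rule({'header': rule['header'], 'options': new_options}), True


def parse_fast_alert(line):
    """Pull gid/sid/rev, msg, classification and priority out of a fast-format alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ('gid', 'sid', 'rev', 'priority'):
        d[key] = int(d[key])
    return d


if __name__ == '__main__':
    for text in RULES:
        new_text, changed = reclassify(text, CLASSTYPE_OVERRIDES)
        r = parse_rule(new_text)
        print('changed' if changed else 'kept   ', option_value(r, 'sid'), option_value(r, 'classtype'))
    alert = parse_fast_alert(ALERT)
    print('alert sid %d currently classified as: %s' % (alert['sid'], alert['classification']))
    print('bytes matched by the ET content:', decode_content('"User-Agent|3a| AskInstallChecker|0d 0a|"'))
```

Run it directly and it reports which of the two rules it changed and what the ET rule's header match decodes to (User-Agent: AskInstallChecker followed by CRLF). Only the classtype and rev are rewritten; the msg text still says "Suspicious", which is a separate editorial decision, and the Sourcefire blacklist rule is passed through byte for byte because its sid is not in the override table.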


_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org