[prev in list] [next in list] [prev in thread] [next in thread]
List: bleeding-sigs
Subject: Re: [Bleeding-sigs] Downloader.VB.TX false positives
From: Matt Jonkman <jonkman () bleedingthreats ! net>
Date: 2007-05-08 20:18:55
Message-ID: 4640DB2F.3040706 () bleedingthreats ! net
[Download RAW message or body]
Ahh, thanks for the report. I wasn't aware that was a legit UA, or in
much use.
I agree, I'll disable the sig and schedule it for deletion.
Thanks again for the report!
matt
David J. Bianco wrote:
> Ok, I just updated this morning and I see that sid 2003646 is giving a lot
> of false positives. For reference, this is:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
> TROJAN Downloader.VB.TX User Agent Detected (Microsoft URL Control)";
> flow:established,to_server; content:"User-Agent\: Microsoft URL Control -";
> nocase; classtype:trojan-activity; sid:2003646; rev:1;)
>
> The problem is that it's looking for "User-Agent: Microsoft URL Control -" in
> the request, which is apparently a perfectly legitimate UA, though an
> uncommon one. For example, see this page:
>
> http://forums.seochat.com/search-engine-spiders-27/microsoft-url-control-6-00-8169t-3968.html
>
> According to this posting, the UA is actually from a standard VB control,
> and anything written to use the control will have the same agent string.
> This explains what I see on my own network. So far none of the alerts have
> actually been virus activity.
>
> I recommend disabling this rule, since it isn't really specific to a
> virus or trojan.
>
> David
>
>
> David
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic