List: emerging-sigs
Subject: [Emerging-Sigs] FP sid 2011800
From: jonkman () emergingthreatspro ! com (Matthew Jonkman)
Date: 2011-04-28 16:02:20
Message-ID: 2500A8D3-922B-4389-998F-D5C321ED12C6 () emergingthreatspro ! com
Ya, may as well. I doubt the clue bat has made its rounds there yet.
Matt
On Apr 26, 2011, at 6:27 PM, harry.tuttle wrote:
> Looks like the folks at RIM carried their abnormal UA string forward to the new
> Playbook tablet. I'm getting falses on 2011800 with "User-Agent:Mozilla/5.0
> (PlayBook; U; RIM Tablet OS 1.0.0; en-US)...".
> Should we add a 2nd negation to the rule similar to the one already there for
> BlackBerry?
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Potential Avzhan DDOS Bot or abnormal User-Agent"; flow:established,to_server; content:"User-Agent|3A|Mozilla"; http_header; content:!"BlackBerry|3b|"; http_header; content:!"PlayBook|3b|"; http_header; classtype:trojan-activity; reference:url,blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan; sid:2011800; rev:5;)
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.com The ONLY place to get complete premium rulesets
> for Snort 2.4.0 through Current!
----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
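The false positive discussed above comes down to how the rule's content matches compose: the positive match is the byte sequence "User-Agent:Mozilla" (no space after the colon, which is what makes the UA abnormal), and each content:! clause suppresses the alert when its pattern is present in the header buffer. The script below is an added example, not code from the list thread or from the ET ruleset: it models those matches in Python so the PlayBook request can be checked against rev 4 (BlackBerry negation only) and the proposed rev 5 (BlackBerry and PlayBook negations) offline. It assumes Snort's content keyword is a case-sensitive byte-substring match (the rule sets no nocase) and approximates the http_header buffer as the raw header block of the request; the function names (rule_2011800, http_header_buffer, make_request) and all sample requests are constructed for this example, not captured traffic.

```python
"""Toy model of the content matches in ET sid 2011800 (added example).

Assumptions (not from the list post): Snort 'content' is a case-sensitive
byte-substring match because the rule has no 'nocase', and 'http_header'
is approximated by the request's raw header block.  All requests below are
constructed samples; the BlackBerry UA is a plausible shape, not a capture.
"""

# Positive match from the rule: content:"User-Agent|3A|Mozilla" -> no space
# after the colon, which is the "abnormal" UA the rule is hunting for.
POSITIVE = b"User-Agent:Mozilla"

# Negated matches (content:!"..."): rev 4 as deployed vs. the proposed rev 5.
NEGATIONS_REV4 = [b"BlackBerry;"]
NEGATIONS_REV5 = [b"BlackBerry;", b"PlayBook;"]


def http_header_buffer(raw_request: bytes) -> bytes:
    """Return the header block of a raw HTTP request (up to the blank line).

    This stands in for Snort's http_header buffer; the real buffer is the
    normalized header, but for plain substring matches this is close enough.
    """
    end = raw_request.find(b"\r\n\r\n")
    return raw_request if end == -1 else raw_request[:end + 2]


def rule_2011800(raw_request: bytes, negations=NEGATIONS_REV5) -> bool:
    """True if the rule's content matches all hold, i.e. it would alert."""
    hdr = http_header_buffer(raw_request)
    if POSITIVE not in hdr:
        return False
    # Any negated pattern present in the header buffer suppresses the alert.
    return not any(neg in hdr for neg in negations)


def make_request(user_agent_line: bytes) -> bytes:
    """Build a minimal GET carrying the given raw User-Agent header line."""
    return (b"GET / HTTP/1.1\r\n"
            b"Host: example.com\r\n"
            + user_agent_line + b"\r\n"
            b"Accept: */*\r\n\r\n")


# Constructed samples (hypothetical traffic, not captures).
PLAYBOOK = make_request(
    b"User-Agent:Mozilla/5.0 (PlayBook; U; RIM Tablet OS 1.0.0; en-US)")
BLACKBERRY = make_request(
    b"User-Agent:Mozilla/5.0 (BlackBerry; U; BlackBerry 9800; en-US)")
NORMAL = make_request(
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0")
ABNORMAL = make_request(
    b"User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)")


def evaluate_all():
    """Run every sample through both revisions; returns {name: (rev4, rev5)}."""
    samples = {"playbook": PLAYBOOK, "blackberry": BLACKBERRY,
               "normal": NORMAL, "abnormal": ABNORMAL}
    return {name: (rule_2011800(req, NEGATIONS_REV4),
                   rule_2011800(req, NEGATIONS_REV5))
            for name, req in samples.items()}


if __name__ == "__main__":
    for name, (rev4, rev5) in evaluate_all().items():
        print(f"{name:10s} rev4 alert={rev4!s:5s} rev5 alert={rev5}")
```

Running it shows the PlayBook request alerting under rev 4 and going quiet under rev 5, while a normal browser UA (space after the colon) never matches and a bare abnormal UA still alerts in both. The caveat worth keeping in mind is the flip side of the negation approach: anything that puts "PlayBook;" in its headers, bot or not, is now exempt from this signature, so each added content:! clause is a small, deliberate blind spot.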