Snort mailing list archives
Re: SID 29999
From: Alex McDonnell <amcdonnell () sourcefire com>
Date: Thu, 6 Nov 2014 08:33:48 -0500
This is an invalid user agent for IE 9. It is being used by the malware referenced in the rule's VirusTotal link. If you can identify a valid program/service generating traffic with this user agent, please forward along a pcap so we can analyze it.

Thanks,
Alex McDonnell
TALOS (VRT)

On Thu, Nov 6, 2014 at 4:44 AM, Dan Rieille <snortuser2604 () gmail com> wrote:
> Hi guys,
>
> For a few days now, I have been getting a lot of alerts generated by the Snort SID 1:29999.
>
> This rule is associated with the "A Network Trojan was Detected" category, and the message is "BLACKLIST USER-AGENT known Malicious user agent - MSIE 9.0 in version 10 format".
>
> Googling, I didn't find any information about this SID. Any idea?
>
> Thanks,
> Dan
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
> Please visit http://blog.snort.org for the latest news about Snort!