Snort mailing list archives

Mumblehard sig


From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 01 May 2015 10:21:49 -0600

....mumblehard..really?  ANYWAY:

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"MALWARE-OTHER Possible Mumblehard UA"; flow:to_server,established; content:"User-Agent|3a| Mozilla|2f|5.0 |28|Windows NT 6.1|3b| rv|3a|7.0.1|29| Gecko|2f|"; fast_pattern:only; content:"Firefox|2f|7.0.1"; reference:url,www.welivesecurity.com/2015/04/29/unboxing-linuxmumblehard-muttering-spam-servers; classtype:bad-unknown; sid:10000159; rev:1;)

If your org is REALLY running Firefox 7.0.1 (released in September 
2011), then chances are this WILL false.  Standard disclaimer of "fix it 
if it needs it" applies.  Sanity checked only.

James
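As an added illustration (not part of James's post), the following Python decodes the rule's two content: strings from Snort's |hex| notation and applies the same AND-of-contents check to constructed SMTP DATA fragments, including the benign 2011-era Firefox header that the post warns would also fire:

```python
import re

# content: options copied from the Snort rule in the post (email line-wrap joined).
RULE_CONTENTS = [
    "User-Agent|3a| Mozilla|2f|5.0 |28|Windows NT 6.1|3b| rv|3a|7.0.1|29| Gecko|2f|",
    "Firefox|2f|7.0.1",
]

_HEX_RUN = re.compile(r"\|([0-9A-Fa-f ]+)\|")


def snort_content_to_bytes(pattern: str) -> bytes:
    """Decode a Snort content string: plain text is literal, |xx yy| runs are hex bytes."""
    out = bytearray()
    pos = 0
    for m in _HEX_RUN.finditer(pattern):
        out += pattern[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1).replace(" ", ""))
        pos = m.end()
    out += pattern[pos:].encode("latin-1")
    return bytes(out)


def matches_rule(dst_port: int, payload: bytes) -> bool:
    """Mirror the rule header and body: traffic to port 25 whose payload
    contains every content: string (Snort ANDs multiple content options)."""
    if dst_port != 25:
        return False
    return all(snort_content_to_bytes(p) in payload for p in RULE_CONTENTS)


# Constructed sample SMTP DATA fragments (hypothetical, not real captures).
SAMPLES = {
    "old_firefox_ua": b"From: a@example.test\r\n"
                      b"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1\r\n",
    "current_firefox": b"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0\r\n",
    "thunderbird": b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0\r\n",
}


def triage() -> dict:
    """Run every sample through the rule. The only hit is the Firefox 7.0.1 header,
    which is exactly why a real Firefox 7.0.1 user in $HOME_NET would also trigger it."""
    return {name: matches_rule(25, body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in triage().items():
        print(f"{name}: {'ALERT' if hit else 'ok'}")
```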

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!