# # $Id: emerging-user_agents.rules $ # Emerging Threats user-agent rules. # # These rules target malware and trojans that modify the user agent of the client browser, or make their # own http requests with a unique UA. These are almost all for trojan infections. Recommend running this # ruleset for user networks. Relatively low load and a high rate of return. # # SID's are 2000000+ to avoid conflicts # # More information available at www.emergingthreats.net # # Please submit any custom rules or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list # #************************************************************* # # Copyright (c) 2003-2010, Emerging Threats # All rights reserved. # # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # #Matt Jonkman, From spyware listening post data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS 2search.org User Agent (2search)"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"2Search"; within:150; pcre:"/User-Agent\:[^\n]+2Search/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003335; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_2search; sid:2003335; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS 404Search Spyware User Agent"; flow:established,to_server; content:"User-Agent\: 404search"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001852; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_404Search; sid: 2001852; rev:23;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Adload.Generic Spyware User-Agent (91castInstallKernel)"; flow:to_server,established; content:"User-Agent\: 91cast"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003640; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_91cast; sid:2003640; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Pigeon.AYX/AVKill Related User-Agent (CTTBasic)"; flow: established,to_server; content:"|0d 0a|User-Agent\: CTT"; classtype: trojan-activity; 
reference:url,doc.emergingthreats.net/2009236; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_AVKill; sid:2009236; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Adwave.com Related Spyware User-Agent (STBHOGet)"; flow:to_server,established; content:"User-Agent\: STBHOGet|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003500; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Adwave; sid:2003500; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Alawar Toolbar Spyware User-Agent (Alawar Toolbar)"; flow:to_server,established; content:"User-Agent\: Alawar Toolbar"; nocase; reference:url,www.bleepingcomputer.com/uninstall/68/Alawar-Toolbar.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003506; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Alawar; sid:2003506; rev:5;) #New from Chris Taylor and the User agents project alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Alexa Search Toolbar User-Agent (Alexa Toolbar)"; flow: to_server,established; content:"|0d 0a|User-Agent\: Alexa Toolbar|0d 0a|"; reference:url,www.spywareguide.com/product_show.php?id=418; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002166; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Alexa; sid:2002166; rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Alexa Search Toolbar User-Agent 2 (Alexa Toolbar)"; flow: to_server,established; content:"|0d 0a|User-Agent\: "; content:"Alexa Toolbar"; distance:0; within:200; pcre:"/User-Agent\:[^\n]+Alexa/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008085; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Alexa; sid:2008085; rev:5;) alert tcp $HOME_NET 
any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Altnet PeerPoints Manager Traffic"; flow: established,to_server; content:"User-Agent\:"; nocase; content:"Peer Points"; within:150; pcre:"/User-Agent\:[^\n]+Peer Points/i"; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001640; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Altnet; sid: 2001640; rev:19;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS AntiVermins.com Fake Antispyware Package User Agent"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"AntiVerminser"; within:150; pcre:"/User-Agent\:[^\n]+AntiVerminser/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003336; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Antivermin; sid:2003336; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Antivermins.com Spyware/Adware User-Agent (AntiVermeans)"; flow:to_server,established; content:"User-Agent\: AntiVermeans"; nocase; reference:url,www.bleepingcomputer.com/forums/topic69886.htm; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003531; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Antivermin; sid:2003531; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Toplist.cz Related Spyware User-Agent (BWL Toplist)"; flow:to_server,established; content:"User-Agent\: BWL Toplist"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003505; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_BWL; sid:2003505; rev:5;) #by evilghost alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Outbound"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; nocase; content:"|5C|"; within:200; content:!"|5C|Citrix|5C|ICA 
Client|5C|"; nocase; pcre:"/User-Agent\:.*[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]+/i"; classtype:bad-unknown; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; reference:url,doc.emergingthreats.net/2010721; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Backslash; sid:2010721; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Inbound"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; nocase; content:"|5C|"; within:200; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; pcre:"/User-Agent\:.*[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]+/i"; classtype:bad-unknown; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; reference:url,doc.emergingthreats.net/2010722; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Backslash; sid:2010722; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Baidu.com Agent User-Agent (Desktop Web System)"; flow:to_server,established; content:"User-Agent\: Desktop Web System"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003604; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Baidu; sid:2003604; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Baidu.com Related Agent User-Agent (iexp)"; flow:to_server,established; content:"User-Agent\: iexp"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003608; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Baidu; sid:2003608; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS TROJAN BankSnif/Nethelper User Agent"; flow:to_server,established; content:"User-Agent\:"; nocase; 
content:"nethelper"; within:150; pcre:"/User-Agent\:[^\n]+nethelper/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002877; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Banksnif; sid:2002877; rev:10;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Better Internet Spyware User Agent Activity (thnall)"; flow: to_server,established; content:"User-Agent\:"; nocase; content:"THNALL"; within:150; pcre:"/User-Agent\:[^\n]+THNALL[^\n]+\.EXE/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2002002; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_BetterInterenet; sid: 2002002; rev:27;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Better Internet Spyware User Agent Activity (poller)"; flow: to_server,established; content:"User-Agent\:"; nocase; content:"Poller"; within:150; pcre:"/User-Agent\:[^\n]+Poller/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2002005; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_BetterInterenet; sid: 2002005; rev:25;) #by jamie blasco at alienvault alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Win32.OnLineGames User Agent Detected (BigFoot)"; flow:to_server,established; content:"|0d 0a|User-Agent\: BigFoot"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010678; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_BigFoot; sid:2010678; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Browseraid.com Agent"; flow: to_server,established; content:"User-Agent\:"; nocase; content:"Browser Adv"; within:100; pcre:"/User-Agent\:[^\n]+Browser Adv/i"; reference:url,www.browseraid.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001295; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Browseraid; sid: 2001295; rev:19;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS CoolWebSearch Spyware User-Agent (iefeatsl)"; flow:to_server,established; content:"User-Agent\: iefeatsl"; nocase; classtype:trojan-activity; reference:url,www.applicationsignatures.com/backend/index.php; reference:url,doc.emergingthreats.net/2003570; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_CWS; sid:2003570; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS CoolWebSearch Spyware (Feat)"; flow: to_server,established; content:"User-Agent\: Feat"; nocase; reference:url,www.spywareguide.com/product_show.php?id=599; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075759; reference:url,www.doxdesk.com/parasite/CoolWebSearch.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002160; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_CWS; sid:2002160; rev:13;) #from the spyware lp # by matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Casalemedia.com Related User Agent (0\:0\:...)"; flow: established,to_server; content:"User-Agent\: 0\:0\:"; pcre:"/\x0d\x0aUser-Agent\: 0\:0\:[^\n]{120}/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007647; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Casalemedia; sid:2007647; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Casino Related Spyware User-Agent Detected (Viper 4.0)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/5.0 (compatible, Viper 4.0)|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008586; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Casino; sid:2008586; rev:4;) #by 
jaime blasco of alienvault alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS chnsystem.com Spyware User-Agent (Update1.0)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Update1.0"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010680; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Chnsystem; sid:2010680; rev:2;) #by pedro marinho alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (ClickAdsByIE)"; flow:to_server,established; content:"|0d 0a|User-Agent\: ClickAdsByIE"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010220; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_ClickAdsbyIE; sid:2010220; rev:2;) #Matt Jonkman form SpywareLP Data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS clickspring.com Spyware Install User-Agent (CS Fingerprint Module)"; flow:to_server,established; content:"User-Agent\: CS Fingerprint Module"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003425; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Clickspring; sid:2003425; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Surfaccuracy.com Spyware Install User-Agent (SF Installer)"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"SF Installer"; within:150; pcre:"/User-Agent\:[^\n]+SF Installer/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003428; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Clickspring; sid:2003428; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS xxxtoolbar.com Spyware Install User-Agent"; flow:to_server,established; content:"User-Agent\: |8b 86 85 86 8e 85 86 8c 0d 0a|"; nocase; classtype:trojan-activity; 
reference:url,doc.emergingthreats.net/2003429; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Clickspring; sid:2003429; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS CommonName.com Spyware/Adware User-Agent (CommonName Agent)"; flow:to_server,established; content:"User-Agent\: CommonName"; nocase; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453078618; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003532; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Commonname; sid:2003532; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Context Plus Spyware Activity (1)"; flow: established,to_server; content:"User-Agent\:"; nocase; content:"Apropos"; within:150; pcre:"/User-Agent\:[^\n]+Apropos/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001703; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_ContextPlus; sid: 2001703; rev:29;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Context Plus Spyware Activity (2)"; flow: established,to_server; content:"User-Agent\:"; nocase; content:"Envolo"; within:150; pcre:"/User-Agent\:[^\n]+Envolo/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001706; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_ContextPlus; sid: 2001706; rev:30;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Context Plus User Agent (PTS)"; flow: to_server,established; content:"|0d 0a|User-Agent\: PTS"; reference:url,www.contextplus.net; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002403; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_ContextPlus; sid:2002403; rev:9;) #from spyware lp alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS 
Cpushpop.com Spyware User Agent (CPUSH_UPDATER)"; flow:established,to_server; content:"User-Agent\: CPUSH_"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006553; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Cpush; sid:2006553; rev:5;) #jeremy at sudosecure alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Deepdo Toolbar User-Agent (FavUpdate)"; flow:established,to_server; content:"|0d 0a|User-Agent\: FavUpdate"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Deepdo%20Toolbar&threatid=129378; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008457; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Deepdo; sid:2008457; rev:6;) #Sandnet analysis alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Deepdo.com Toolbar/Spyware User Agent (DeepdoUpdate)"; flow:established,to_server; content:"User-Agent\: DeepdoUpdate/"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2006386; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Deepdo; sid: 2006386; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS sgrunt Dialer User Agent (sgrunt)"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"sgrunt"; within:150; pcre:"/User-Agent\:[^\n]+sgrunt/i"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096347; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003385; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Dialer; sid:2003385; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS dialno Dialer User Agent (dialno)"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"dialno"; within:150; pcre:"/User-Agent\:[^\n]+dialno/i"; threshold: type limit, count 5, seconds 60, track by_src; 
reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096347; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003387; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Dialer; sid:2003387; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Dropspam.com Spyware Install User-Agent (DSInstall)"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"DSInstall"; within:150; pcre:"/User-Agent\:[^\n]+DSInstall/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003439; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Dropspam; sid:2003439; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS EELoader User-Agent - Unknown (multiple) Malware Packages"; flow:to_server,established; content:"User-Agent\: EELoader"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003613; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_EELoader; sid:2003613; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EZULA Spyware User Agent"; flow: established,to_server; content:"User-Agent\: ezula"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001854; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_EZULA; sid: 2001854; rev:20;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Ezula Related Calling Home"; flow: to_server,established; content:"User-Agent\: mez|0d 0a|"; nocase; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2000586; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_EZULA; sid: 2000586; rev:28;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Easy Search 
Bar Spyware User Agent"; flow: established,to_server; content:"User-Agent\: ESB"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001853; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_EasySearch; sid: 2001853; rev:21;) #by matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS ErrorNuker FakeAV User-Agent (ERRN2004 (Windows XP))"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|User-Agent\: ERRN200"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009861; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_ErrorNuker; sid:2009861; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Errorsafe.com Fake antispyware User Agent (ErrorSafe Updater)"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"ErrorSafe Updater"; within:150; pcre:"/User-Agent\:[^\n]+ErrorSafe Updater/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003346; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Errorsafe; sid:2003346; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Evidencenuker.com Fake AV/Anti-Spyware User-Agent (EVNUKER)"; flow:to_server,established; content:"User-Agent\: EVNUKER"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003567; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_EvidenceNuker; sid:2003569; rev:6;) #by Jaime Blasco alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (FaceCooker)"; flow:to_server,established; content:"|0d 0a|User-Agent\: FaceCooker"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010717; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_FaceCooker; sid:2010717; rev:2;) #matt jonkman 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Internet-antivirus.com Related Fake AV User-Agent Detected (Update Internet Antivirus)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Update Internet Antivirus"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008647; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_FakeAV; sid:2008647; rev:5;) #by Pedro Marinho alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS WinFixer Trojan Related User-Agent Detected (ElectroSun NetInstaller)"; flow:established,to_server; content:"|0d 0a|User-Agent\: ElectroSun "; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008608; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_FakeAV; sid:2008608; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS malwarewipeupdate.com Spyware User-Agent (MalwareWipe)"; flow:to_server,established; content:"User-Agent\: MalwareWipe|0d 0a|"; nocase; classtype:trojan-activity; reference:url,www.malwarewipeupdate.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=MalwareWipe&threatid=43086; reference:url,doc.emergingthreats.net/2003489; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_FakeAV; sid:2003489; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Virusblast.com Fake AV/Anti-Spyware User-Agent (ad-protect)"; flow:to_server,established; content:"User-Agent\: ad-protect"; nocase; reference:url,spywarewarrior.com/rogue_anti-spyware.htm; reference:url,www.virusblast.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003476; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_FakeAV; sid:2003476; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Terminexor.com Spyware User-Agent 
(DInstaller2)"; flow:to_server,established; content:"User-Agent\: DInstaller"; nocase; reference:url,www.terminexor.com; reference:url,netrn.net/spywareblog/archives/2004/12/23/more-rip-off-ware-terminexor; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003477; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_FakeAV; sid:2003477; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Errornuker.com Fake Anti-Spyware User-Agent (ERRORNUKER)"; flow:to_server,established; content:"User-Agent\: ERRORNUKER"; nocase; reference:url,www.spywarewarrior.com/rogue_anti-spyware.htm; reference:url,www.errornuker.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003478; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_FakeAV; sid:2003478; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Drivecleaner.com Spyware User-Agent (DriveCleaner Updater)"; flow:to_server,established; content:"User-Agent\: DriveCleaner Updater"; nocase; classtype:trojan-activity; reference:url,www.drivecleaner.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=DriveCleaner&threatid=44533; reference:url,doc.emergingthreats.net/2003486; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_FakeAV; sid:2003486; rev:5;) #data by dxp and jpepper alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Systemdoctor.com/Antivir2008 related Fake Anti-Virus User-Agent (AntivirXP)"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; content:"Antivir"; pcre:"/User-Agent\:[^\n]+\;\sAntivir/"; reference:url,www.wiki-security.com/wiki/Parasite/Antivirus2008; threshold:type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008549; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_FakeAV; sid:2008549; rev:7;) #matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Cleancop.co.kr Fake AV User-Agent (CleancopUpdate)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Cleancop"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008484; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_FakeAV; sid:2008484; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Searchtool.co.kr Fake Product User-Agent (searchtoolup)"; flow:established,to_server; content:"|0d 0a|User-Agent\: searchtool"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008485; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_FakeAV; sid:2008485; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS AntiSpywareMaster.com Fake AV User-Agent"; flow:to_server,established; content:"|0d 0a|User-Agent\: AsmUpdater"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008294; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_FakeAV; sid:2008294; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Dokterfix.com Fake AV User Agent (Magic NetInstaller)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Magic NetInstaller|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007977; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_FakeAV; sid:2007977; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Easydownloadsoft.com Fake Anti-Virus User Agent (IM Downloader)"; flow:established,to_server; content:"|0d 0a|User-Agent\: IM Downloader|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008000; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_FakeAV; sid:2008000; rev:4;) #check.mycomclean.com, by matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Mycomclean.com Spyware User Agent (HTTP_GET_COMM)"; flow:to_server,established; content:"|0d 0a|User-Agent\: HTTP_GET_COMM|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007881; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_FakeAV; sid:2007881; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Mycomclean.com Spyware User Agent (SHINI)"; flow:to_server,established; content:"|0d 0a|User-Agent\: SHINI|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007882; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_FakeAV; sid:2007882; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Virusheat.com Fake Anti-Spyware User Agent (VirusHeat 4.3)"; flow:to_server,established; content:"|0d 0a|User-Agent\: VirusHeat"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007883; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_FakeAV; sid:2007883; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Antivirgear.com Fake Anti-Spyware User Agent (AntiVirGear)"; flow:established,to_server; content:"User-Agent\: AntiVirGear"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2007697; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_FakeAV; sid: 2007697; rev:5;) #by matt jonkman, from sandnet analysis re 200c2baf2b23e8db5f7145941548c69d alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Alfaantivirus.com Fake Anti-Virus User Agent (IM Download)"; flow:established,to_server; content:"|0d 0a|User-Agent\: IM 
Download|0d 0a|"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2007759; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_FakeAV; sid: 2007759; rev:4;) #drpcclean.com by matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Drpcclean.com Related Spyware User Agent (DrPCClean Transmit)"; flow:to_server,established; content:"|0d 0a|User-Agent\: DrPCClean"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007839; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_FakeAV; sid:2007839; rev:4;) #errclean.com related, by matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Errclean.com Related Spyware User Agent (Locus NetInstaller)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Locus"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007845; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_FakeAV; sid:2007845; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Avsystemcare.com Fake AV User Agent (LocusSoftware, NetInstaller)"; flow:to_server,established; content:"|0d 0a|User-Agent\: LocusSoftware, NetInstaller"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008150; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_FakeAV; sid:2008150; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS IEDefender (iedefender.com) Fake Antispyware User Agent (IEDefender 2.1)"; flow:established,to_server; content:"User-Agent\: IEDefender "; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2007690; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_FakeAV; sid: 2007690; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Winxpperformance.com 
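Related Spyware User Agent (Microsoft Internet Browser)"; flow:established,to_server; content:"User-Agent\: Microsoft Internet Browser|0d 0a|"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2007660; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_FakeAV; sid: 2007660; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS VirusProtectPro Spyware User Agent (VirusProtectPro)"; flow:established,to_server; content:"User-Agent\: VirusProtectPro"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2007617; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_FakeAV; sid: 2007617; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Ufixer.com Fake Antispyware User Agent (Ultimate Fixer)"; flow: established,to_server; content:"User-Agent\: Ultimate Fixer"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007645; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_FakeAV; sid:2007645; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Vikiller.com Fake Antispyware User Agent (vikiller ctrl...)"; flow: established,to_server; content:"User-Agent\: vikiller ctrl"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007582; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_FakeAV; sid:2007582; rev:5;)
# NOTE(review): author comment restored to its own line; collapsed onto the rule line it commented out sid 2010676.
#by Jaime Blasco at alienvault
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Fast Browser Search)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Fast Browser Search"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010676; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_FastBrowserSearch; sid:2010676; rev:2;)
alert tcp $HOME_NET any -> 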
$EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Yourscreen.com Spyware User Agent (FreezeInet)"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"FreezeInet"; within:150; pcre:"/User-Agent\:[^\n]+FreezeInet/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003355; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Freeze; sid:2003355; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Freeze.com Spyware User-Agent (YourScreen123)"; flow:to_server,established; content:"User-Agent\: YourScreen"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003405; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Freeze; sid:2003405; rev:6;)
# Both Fun Web Products rules match a short case-insensitive token anywhere in the 150 bytes after
# "User-Agent:" (the pcre keeps it on the same header line) and are rate-limited to one alert per source
# per 360 seconds; expect them to fire for the legitimately installed MyWay / FunWebProducts toolbars too.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Fun Web Products Spyware User Agent (3)"; flow: established,to_server; content:"User-Agent\:"; nocase; content:"MyWay"; within:150; pcre:"/User-Agent\:[^\n]+MyWay/i"; threshold:type limit, count 1, seconds 360, track by_src; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2001864; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_FunWeb; sid:2001864; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Fun Web Products Spyware User Agent (1)"; flow: established,to_server; content:"User-Agent\:"; nocase; content:"FunWebProducts"; within:150; pcre:"/User-Agent\:[^\n]+FunWebProducts/i"; classtype: trojan-activity; threshold: type limit, count 1, seconds 360, track by_src; reference:url,doc.emergingthreats.net/2001855; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_FunWeb; sid:2001855; rev:21;)
# Grandstreet: "User-Agent: IEP" is a case-insensitive prefix with no terminator, so any UA starting "iep" matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Grandstreet Interactive Spyware User Agent Activity (1)"; flow: to_server,established; content:"User-Agent\: IEP"; nocase; classtype: 
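trojan-activity; reference:url,doc.emergingthreats.net/2002021; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_GSI; sid: 2002021; rev:23;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Gamehouse.com User Agent (GAMEHOUSE.NET.URL)"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"GAMEHOUSE"; within:150; pcre:"/User-Agent\:[^\n]+GAMEHOUSE/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003347; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Gamehouse; sid:2003347; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Gamehouse.com Related Spyware User-Agent (Sprout Game)"; flow:to_server,established; content:"User-Agent\: Sprout Game|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003498; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Gamehouse; sid:2003498; rev:5;)
# NOTE(review): sid 2008372 was the only rule in this group with "flow: established;" and no direction
# keyword. Aligned with its siblings (established,to_server) so only the client side of the stream is
# inspected, matching the $HOME_NET -> $EXTERNAL_NET header; rev bumped 6 -> 7.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Adsincontext.com Related Spyware User-Agent (Connector v1.2)"; flow:established,to_server; content:"User-Agent\: Connector v"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008372; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_GeneralAdware; sid:2008372; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Ask.com Toolbar/Spyware User Agent"; flow:established,to_server; content:"User-Agent\:"; nocase; content:"AskPBar"; within:150; pcre:"/User-Agent\:[^\n]+AskPBar/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2006381; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_GeneralAdware; sid: 2006381; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS AskSearch Spyware User-Agent (AskSearchAssistant)"; 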
flow:to_server,established; content:"User-Agent\: "; nocase; content:"AskSearch"; distance:0; within:150; pcre:"/User-Agent\:[^\n]+AskSearch/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003493; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_GeneralAdware; sid:2003493; rev:6;)
# The three Ask* rules share one shape: "User-Agent: " prefilter, a short token within 150 bytes of it, and
# a pcre that confines the token to the same header line. Only sid 2003493 above adds distance:0.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS AskSearch Toolbar Spyware User-Agent (AskBar)"; flow:to_server,established; content:"User-Agent\: "; nocase; content:"AskBar"; within:150; pcre:"/User-Agent\:[^\n]+AskBar/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003496; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_GeneralAdware; sid:2003496; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS AskSearch Toolbar Spyware User-Agent (AskTBar)"; flow:to_server,established; content:"User-Agent\: "; nocase; content:"AskTBar"; within:150; pcre:"/User-Agent\:[^\n]+AskTBar/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003494; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_GeneralAdware; sid:2003494; rev:6;)
# TBONAS is anchored by the trailing CRLF, so only the exact UA value "TBONAS" matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Bestoffersnetwork.com Related Spyware User-Agent (TBONAS)"; flow:to_server,established; content:"User-Agent\: TBONAS|0d 0a|"; nocase; classtype:trojan-activity; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BestOffersNetworks&threatid=43670; reference:url,doc.emergingthreats.net/2003501; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_GeneralAdware; sid:2003501; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS CoolStreaming Toolbar (Conduit related) User-Agent (Coolstreaming Tool-Bar)"; flow:to_server,established; content:"User-Agent\: Coolstreaming"; nocase; classtype:trojan-activity; 
reference:url,doc.emergingthreats.net/2003652; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_GeneralAdware; sid:2003652; rev:5;)
# "mc_v1" is a case-insensitive prefix (the msg names the mc_v1.2.6 sample); "blahrx" is a case-sensitive prefix.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS debelizombi.com (Rizo) related Spyware User-Agent (mc_v1.2.6)"; flow:to_server,established; content:"User-Agent\: mc_v1"; nocase; reference:url,www.f-secure.com/v-descs/rizo.shtml; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003656; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_GeneralAdware; sid:2003656; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Debelizombi.com Spyware User Agent (blahrx)"; flow:established,to_server; content:"User-Agent\: blahrx"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006778; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_GeneralAdware; sid:2006778; rev:5;)
# "atsu" is anchored by the trailing CRLF (exact value); "GTBank" is a bare case-insensitive prefix.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Effectivebrands.com Spyware User-Agent (atsu)"; flow:to_server,established; content:"User-Agent\: atsu|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006370; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_GeneralAdware; sid:2006370; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Effectivebrands.com Spyware User-Agent (GTBank)"; flow:to_server,established; content:"User-Agent\: GTBank"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003654; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_GeneralAdware; sid:2003654; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS HSN.com Toolbar Spyware User-Agent (HSN)"; flow:to_server,established; content:"User-Agent\: "; nocase; content:"HSN"; within:150; 
pcre:"/User-Agent\:[^\n]+HSN/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003495; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_GeneralAdware; sid:2003495; rev:6;)
# NOTE(review): the HSN rule above matches a 3-character, case-insensitive token anywhere in the 150 bytes
# after "User-Agent: " - any UA containing "hsn" will trigger it; high false-positive risk.
# klm123: the UA is a bare GUID in braces; the pcre pins the exact 8-4-4-4-12 hex layout.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS klm123.com Spyware User Agent"; flow:established,to_server; content:"User-Agent\: {"; nocase; pcre:"/User-Agent\: \{[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\}/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2007616; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_GeneralAdware; sid: 2007616; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Mirage.ru Related Spyware User Agent (szNotifyIdent)"; flow:established,to_server; content:"User-Agent\: szNotifyIdent"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006782; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_GeneralAdware; sid:2006782; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Popads123.com Related Spyware User Agent (LmaokaazLdr)"; flow:established,to_server; content:"User-Agent\: LmaokaazLdr"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2007694; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_GeneralAdware; sid: 2007694; rev:5;)
# "Internet 1." is a prefix match, so every "Internet 1.x" version string is covered.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Trafficadvance.net Spyware User-Agent (Internet 1.0)"; flow:to_server,established; content:"User-Agent\: Internet 1."; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003655; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_GeneralAdware; sid:2003655; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Unidentified Spyware User Agent (0\:0\:+ 128 
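chars)"; flow:established,to_server; content:"User-Agent\: 0\:0\:"; nocase; pcre:"/User-Agent\: 0\:0\:[^\x0a\x0d]{128}/"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2007615; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_GeneralAdware; sid: 2007615; rev:6;)
# NOTE(review): the character class in sid 2007615 above was written "[^\x0a|\x0d]". Inside a class the
# "|" is a literal, so the rule also refused any UA with a "|" in its first 128 bytes after "0:0:", which
# the msg ("0:0: + 128 chars") does not intend. Corrected to [^\x0a\x0d]{128}; rev bumped 5 -> 6.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Zredirector.com Related Spyware User Agent (BndDriveLoader)"; flow:established,to_server; content:"User-Agent\: BndDriveLoader"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2007693; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_GeneralAdware; sid: 2007693; rev:5;)
# NOTE(review): author comment restored to its own line; collapsed onto the rule line it commented out sid 2010679.
#by Jaime Blasco
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Trojan.Win32.InternetAntivirus User Agent Detected (General Antivirus)"; flow:to_server,established; content:"|0d 0a|User-Agent\: General Antivirus"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010679; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_GeneralAntivrus_FakeAV; sid:2010679; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS UbrenQuatroRusDldr Downloader User Agent (UbrenQuatroRusDldr 096044)"; flow:established,to_server; content:"|0d 0a|User-Agent\: UbrenQuatroRusDldr"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008202; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_General_Downloaders; sid:2008202; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS BndVeano4GetDownldr Downloader User Agent (BndVeano4GetDownldr)"; flow:established,to_server; content:"|0d 0a|User-Agent\: BndVeano4GetDownldr"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008203; 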
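reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_General_Downloaders; sid:2008203; rev:4;)
# Both Geopia UAs are anchored by CRLF on each side: exact-value matches, case-sensitive.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Geopia.com Fake Anti-Spyware/AV User Agent (fs3update)"; flow:to_server,established; content:"|0d 0a|User-Agent\: fs3update|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007935; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Geopia; sid:2007935; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Geopia.com Fake Anti-Spyware/AV User Agent (fian3manager)"; flow:to_server,established; content:"|0d 0a|User-Agent\: fian3manager|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007938; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Geopia; sid:2007938; rev:4;)
# NOTE(review): the two author comments below had been collapsed onto the rule lines that follow them,
# commenting out sids 2010718 and 2010645. Restored one statement per line; rule text unchanged.
#by Jaime Blasco
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Gootkit hldr)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Gootkit"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010718; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_GootKit; sid:2010718; rev:2;)
#by Darren Spruell
# "|0d0a|" without the space is the same two bytes as the "|0d 0a|" used elsewhere in this file.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Launcher)"; flow: to_server,established; content:"|0d0a|User-Agent\: Launcher("; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010645; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Gozi; sid:2010645; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Qcbar/Adultlinks Spyware User-Agent (IBSBand)"; flow:to_server,established; content:"User-Agent\: IBSBand-"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006362; 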
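reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_IBS; sid:2006362; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS IE Toolbar User-Agent (IEToolbar)"; flow:established,to_server; content:"|0d 0a|User-Agent\: IEToolbar"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009766; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_IEToolbar; sid:2009766; rev:5;)
# NOTE(review): comment restored to its own line; collapsed onto the rule line it commented out sid 2007583.
#from the sandnet
# sid 2007583 has no content prefilter for "iebar" - only "User-Agent:" plus the pcre - so the regex is
# evaluated against every request that carries a User-Agent header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS iebar Spyware User Agent (iebar)"; flow:established,to_server; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+\siebar/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2007583; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_IEToolbar; sid: 2007583; rev:5;)
# "MyApp" (nocase) and " IST" (case-sensitive, leading space) are short tokens matched anywhere in the
# 150 bytes after "User-Agent:"; expect false positives on unrelated UAs that happen to contain them.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS ISearchTech.com XXXPornToolbar Activity (MyApp)"; flow: to_server,established; content:"User-Agent\:"; nocase; content:"MyApp"; within:150; pcre:"/User-Agent\:[^\n]+MyApp/i"; reference:url,www.isearchtech.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001492; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_ISearch; sid: 2001492; rev:30;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS ISearchTech.com XXXPornToolbar Activity (IST)"; flow: to_server,established; content:"User-Agent\:"; nocase; content:" IST"; within:150; pcre:"/User-Agent\:[^\n]+IST/"; reference:url,www.isearchtech.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001493; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_ISearch; sid: 2001493; rev:31;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS YourSiteBar Activity"; flow: to_server,established; content:"User-Agent\: 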
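istsvc|0d 0a|"; nocase; reference:url,www.ysbweb.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001699; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_ISearch; sid: 2001699; rev:257;)
# NOTE(review): comment restored to its own line; collapsed onto the rule line it commented out sid 2010934.
#matt jonkman
# NOTE(review): sid 2010934 carries no reference: options, unlike every other rule in this section; the
# source of the "InfoBox" UA is not documented here.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Infobox3 Spyware User-Agent"; flow:established,to_server; content:"|0d 0a|User-Agent\: InfoBox"; classtype:trojan-activity; sid:2010934; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Movies etc User Agent (IOInstall)"; flow: to_server,established; content:"|0d 0a|User-Agent\: IOInstall"; nocase; reference:url,www.movies-etc.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002404; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_InternetOptimizer; sid:2002404; rev:8;)
# "ROGUE" is a case-insensitive prefix match on the whole UA value, with no terminator.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Internet Optimizer User Agent (ROGUE)"; flow: to_server,established; content:"|0d 0a|User-Agent\: ROGUE"; nocase; reference:url,www.internet-optimizer.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002405; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_InternetOptimizer; sid:2002405; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Internet Optimizer Activity"; flow: to_server,established; content:"User-Agent\:"; nocase; content:"IOKernel"; within:150; pcre:"/User-Agent\:[^\n]+IOKernel/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001498; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_InternetOptimizer; sid: 2001498; rev:26;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Internet-optimizer.com Related Spyware User-Agent (SexTrackerWSI)"; flow:to_server,established; content:"User-Agent\: SexTrackerWSI"; nocase; 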
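classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003627; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_InternetOptimizer; sid:2003627; rev:5;)
# NOTE(review): author comments restored to their own lines. Collapsed, "#by pedro marinho" commented out
# sid 2010218 and "#Matt Jonkman" swallowed the head of the rule that continues on the next line.
#by pedro marinho
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Win32/InternetAntivirus User Agent Detected (Internet Antivirus Pro)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Internet Antivirus"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010218; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Internet_Antivirus_Pro; sid:2010218; rev:2;)
# JoltID: destination port 3531 instead of $HTTP_PORTS, and "flow: established" with no direction keyword -
# presumably because PeerEnabler traffic is not plain HTTP; confirm before adding to_server.
alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg:"ET USER_AGENTS JoltID Agent New Code Download"; flow: established; content:"User-Agent\:"; nocase; content:"PeerEnabler"; within:150; pcre:"/User-Agent\:[^\n]+PeerEnabler/i"; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001652; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_JoltID; sid: 2001652; rev:30;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS dns-look-up.com Spyware User-Agent (KRSystem)"; flow:to_server,established; content:"User-Agent\: KRSystem"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003625; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_KRSystem; sid:2003625; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS No-ad.co.kr Fake AV Related User-Agent (U2Clean)"; flow: established,to_server; content:"|0d 0a|User-Agent\: U2Clean"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2009289; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_KoreanFakeAV; sid:2009289; rev:3;)
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET 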
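$HTTP_PORTS (msg:"ET USER_AGENTS Fake AV User Agent av1-site.info Related (AV1)"; flow: established,to_server; content:"|0d 0a|User-Agent\: AV1"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2009223; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_KoreanFakeAV; sid:2009223; rev:4;)
# NOTE(review): the author comments on this line had been collapsed onto the rule lines that follow them,
# commenting out sids 2009150, 2009157 and 2007643. Restored one statement per line; rule text unchanged.
#matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Viruskill.co.kr Fake AV User-Agent Detected (virus_kill)"; flow:to_server,established; content:"|0d 0a|User-Agent\: virus_kill"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009150; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_KoreanFakeAV; sid:2009150; rev:3;)
#by martin Holste
# "N1" is anchored by CRLF on both sides (exact UA value); "AV1" above is a bare case-sensitive prefix.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS N1 Fake AV User-Agent Detected (N1)"; flow:to_server,established; content:"|0d 0a|User-Agent\: N1|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009157; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_KoreanFakeAV; sid:2009157; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS ezday.co.kr Related Spyware User-Agent Detected (Ezshop)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Ezshop"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008594; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_KoreanFakeAV; sid:2008594; rev:4;)
#from the sandnet, by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Viruscheck.co.kr Fake Antispyware User Agent (viruscheck ctrl...)"; flow: established,to_server; content:"User-Agent\: viruscheck"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007643; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_KoreanFakeAV; sid:2007643; rev:6;)
#from sandnet 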
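# analysis
# NOTE(review): "analysis" is the wrapped tail of the "#from sandnet analysis" comment that ends the previous
# line. Without a leading "#" it is read as a rule keyword and breaks parsing of sid 2006413 below, so the
# comment marker has been restored and the rules placed one per line; rule text is unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Mycashbank.co.kr Spyware User Agent (pint_agency)"; flow:established,to_server; content:"User-Agent\: pint_agency"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006413; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_KoreanFakeAV; sid:2006413; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Platinumreward.co.kr Spyware User Agent (WT_GET_COMM)"; flow:established,to_server; content:"User-Agent\: WT_GET_COMM"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006422; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_KoreanFakeAV; sid:2006422; rev:5;)
# The three Vaccineprogram.co.kr rules are bare case-sensitive prefix matches on the UA value.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Vaccineprogram.co.kr Related Spyware User Agent (Museon)"; flow:established,to_server; content:"User-Agent\: Museon"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006418; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_KoreanFakeAV; sid:2006418; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Vaccineprogram.co.kr Related Spyware User Agent (anycleaner)"; flow:established,to_server; content:"User-Agent\: anycleaner"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006419; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_KoreanFakeAV; sid:2006419; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Vaccineprogram.co.kr Related Spyware User Agent (pcsafe)"; flow:established,to_server; content:"User-Agent\: pcsafe"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006420; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_KoreanFakeAV; sid:2006420; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 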
$HTTP_PORTS (msg:"ET USER_AGENTS Doctorvaccine.co.kr Related Spyware User Agent (DoctorVaccine)"; flow:established,to_server; content:"User-Agent\: DoctorVaccine"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006421; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_KoreanFakeAV; sid:2006421; rev:5;)
# "ers" is anchored by the trailing CRLF, so this 3-character value does not prefix-match longer UAs.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Doctorvaccine.co.kr Related Spyware User Agent (ers)"; flow:established,to_server; content:"User-Agent\: ers|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007809; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_KoreanFakeAV; sid:2007809; rev:4;)
# "doctorpro" is a case-sensitive prefix (the msg names the doctorpro1 variant).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Doctorpro.co.kr Related Spyware User Agent (doctorpro1)"; flow:established,to_server; content:"User-Agent\: doctorpro"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006423; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_KoreanFakeAV; sid:2006423; rev:5;)
# Both Karine.co.kr UAs are anchored by CRLF on each side: exact-value, case-sensitive matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Karine.co.kr Related Spyware User Agent (chk Profile)"; flow:established,to_server; content:"|0d 0a|User-Agent\: chk Profile|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006429; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_KoreanFakeAV; sid:2006429; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Karine.co.kr Related Spyware User Agent (Access down)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Access down|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006430; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_KoreanFakeAV; sid:2006430; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"ET USER_AGENTS Pcclear.co.kr/Pcclear.com Fake AV User-Agent (PCClearPlus)"; flow:to_server,established; content:"|0d 0a|User-Agent\: PCClear"; reference:url,www.pcclear.com; reference:url,www.pcclear.co.kr; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008198; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_KoreanFakeAV; sid:2008198; rev:4;)
# "vaccine", "ISecu" and "ISUpd" are case-sensitive prefix matches with no terminator.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS vaccine-program.co.kr Related Spyware User Agent (vaccine)"; flow:established,to_server; content:"User-Agent\: vaccine"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008200; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_KoreanFakeAV; sid:2008200; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS yeps.co.kr Related User Agent (ISecu)"; flow:established,to_server; content:"User-Agent\: ISecu"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008204; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_KoreanFakeAV; sid:2008204; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS yeps.co.kr Related User Agent (ISUpd)"; flow:established,to_server; content:"User-Agent\: ISUpd"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008205; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_KoreanFakeAV; sid:2008205; rev:4;)
# "nguideup" is anchored by CRLF on each side: exact-value match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Nguide.co.kr Fake Security Tool User Agent (nguideup)"; flow:to_server,established; content:"|0d 0a|User-Agent\: nguideup|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007947; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_KoreanFakeAV; sid:2007947; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET 
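USER_AGENTS Msconfig.co.kr Related User Agent (BACKMAN)"; flow:to_server,established; content:"|0d 0a|User-Agent\: BACKMAN|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007958; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_KoreanFakeAV; sid:2007958; rev:4;)
# "GLOBAL" has no terminator, so any UA beginning "GLOBAL" matches (the msg names the GLOBALx variant).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Msconfig.co.kr Related User Agent (GLOBALx)"; flow:to_server,established; content:"|0d 0a|User-Agent\: GLOBAL"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007959; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_KoreanFakeAV; sid:2007959; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Kpang.com Spyware User Agent (auctionplusup)"; flow:to_server,established; content:"|0d 0a|User-Agent\: auctionplusup|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007900; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_KoreanFakeAV; sid:2007900; rev:4;)
# NOTE(review): author comment restored to its own line; collapsed onto the rule line it commented out sid 2007908.
#by victor julien
# The Searchspy.co.kr UAs are anchored by CRLF on each side: exact-value matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Searchspy.co.kr Spyware User Agent (HTTPGETDATA)"; flow:to_server,established; content:"|0d 0a|User-Agent\: HTTPGETDATA|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007908; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_KoreanFakeAV; sid:2007908; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Searchspy.co.kr Spyware User Agent (HTTPFILEDOWN)"; flow:to_server,established; content:"|0d 0a|User-Agent\: HTTPFILEDOWN|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007909; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_KoreanFakeAV; sid:2007909; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS 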
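Searchspy.co.kr Spyware User Agent (HTTP_FILEDOWN)"; flow:to_server,established; content:"|0d 0a|User-Agent\: HTTP_FILEDOWN|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007910; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_KoreanFakeAV; sid:2007910; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Donkeyhote.co.kr Spyware User Agent (UDonkey)"; flow:to_server,established; content:"|0d 0a|User-Agent\: UDonkey|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007927; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_KoreanFakeAV; sid:2007927; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Gcashback.co.kr Spyware User Agent (InvokeAd)"; flow:to_server,established; content:"|0d 0a|User-Agent\: InvokeAd|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007928; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_KoreanFakeAV; sid:2007928; rev:4;)
# NOTE(review): the two author comments below had been collapsed onto the rule lines that follow them,
# commenting out sids 2010727 and 2009222. Restored one statement per line; rule text unchanged.
#by Jaime Blasco
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Live Enterprise Suite)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Live Enterprise Suite"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010727; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_LiveAntivurusSuite; sid:2010727; rev:2;)
#by pedro marinho
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS NewWeb User Agent (Lobo Lunar)"; flow: established,to_server; content:"|0d 0a|User-Agent\: Lobo Lunar"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2009222; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Lobo; sid:2009222; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS 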
MalwareWiped.com Spyware User-Agent (MalwareWiped)"; flow:to_server,established; content:"User-Agent\: MalwareWiped"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003582; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Malwarewiped; sid:2003582; rev:6;) #by bgallia alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Adwave/MarketScore User Agent (WTA)"; flow: to_server,established; content:"|0d 0a|User-Agent\: WTA_"; reference:url,www.adwave.com/our_mission.aspx; reference:url,www.marketscore.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002394; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Marketscore; sid:2002394; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS MarketScore.com Spyware User Configuration and Setup Access"; flow: to_server,established; content:"User-Agent\: OSSProxy"; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001562; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Marketscore; sid: 2001562; rev:27;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Megaupload Spyware User Agent"; flow:to_server,established; content:"User-Agent\: Megaupload|0d 0a|"; classtype:trojan-activity; reference:url,www.budsinc.com; reference:url,doc.emergingthreats.net/2003224; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Megaupload; sid:2003224; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS TROJAN Metafisher/Goldun z User Agent"; flow:to_server,established; content:"|0d 0a|User-Agent\: z|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002874; 
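reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Metafisher; sid:2002874; rev:9;)
#Matt Jonkman. Found being used by a goldun variant
# Both the content match and the PCRE have to hit for this rule to fire. They originally
# disagreed on the space ("MSIEXPSP2" in content vs "MSIE XPSP2" in the PCRE and the msg),
# so a request had to carry both spellings for an alert -- in practice the rule was dead.
# The content now agrees with the msg and the PCRE (rev bumped). If the UA actually seen in
# traffic is the no-space form, change the PCRE instead; keep the two in step either way.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (MSIE XPSP2)"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"MSIE XPSP2"; within:150; pcre:"/User-Agent\:[^\n]+MSIE XPSP2/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003200; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Metafisher; sid:2003200; rev:7;)
# by: Jeremy Conway at sudosecure.net
#ref: 8082ad1a9be4fb87312e2852c1647dd9
# depth:4 pins "GET " to the start of the request; the UA header must then begin within
# 100 bytes of it, so this only matches when User-Agent sits near the top of the headers.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS RubyFortune Spyware Capabilities User-Agent (Microgaming Install Program) - GET"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|User-Agent\: Microgaming Install Program|0d 0a|"; nocase; within:100; classtype:trojan-activity; reference:url,vil.nai.com/vil/content/v_151034.htm; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.Ruby+Fortune+Casino+3.2.0.25; reference:url,www.threatexpert.com/reports.aspx?find=mgsmup.com; reference:url,doc.emergingthreats.net/2009783; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Microgaming; sid:2009783; rev:4;)
# Mirar toolbar family: prefix matches on the UA value, case-insensitive.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Mirar Bar Spyware User-Agent (Mbar)"; flow:to_server,established; content:"User-Agent\: Mbar"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003928; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Mirar; sid:2003928; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Mirar Bar Spyware User-Agent (Mirar_Toolbar)"; flow:to_server,established; content:"User-Agent\: Mirar_Toolbar"; nocase; classtype:trojan-activity; 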
reference:url,doc.emergingthreats.net/2003929; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Mirar; sid:2003929; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Mirar Spyware User-Agent (Mirar_KeywordContent)"; flow:to_server,established; content:"User-Agent\: Mirar_KeywordContent|0d 0a|"; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078818; reference:url,doc.emergingthreats.net/2003490; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Mirar; sid:2003490; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Miva User Agent (TPSystem)"; flow: to_server,established; content:"|0d 0a|User-Agent\: TPSystem"; nocase; reference:url,www.miva.com; reference:url,www.findwhat.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002395; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Miva; sid:2002395; rev:10;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Miva Spyware User Agent (Travel Update)"; flow: to_server,established; content:"|0d 0a|User-Agent\: Travel Update|0d 0a|"; reference:url,www.miva.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002396; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Miva; sid:2002396; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Morpheus Spyware Install User-Agent (SmartInstaller)"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"SmartInstaller"; within:150; pcre:"/User-Agent\:[^\n]+SmartInstaller/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003398; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Morpheus; sid:2003398; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET 
USER_AGENTS Msgplus.net Spyware/Adware User-Agent (MsgPlus3)"; flow:to_server,established; content:"User-Agent\: MsgPlus3"; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Messenger%20Plus!&threatid=14931; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003529; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_MsgPlus; sid:2003529; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS MyWaySearch Products Spyware User Agent"; flow: established,to_server; content:"User-Agent\:"; nocase; content:"MyWay"; within:150; pcre:"/User-Agent\:[^\n]+MyWay/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2002079; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_MySearch; sid: 2002079; rev:13;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS MySearch Products Spyware User Agent"; flow: established,to_server; content:"User-Agent\:"; nocase; content:"MySearch"; within:150; pcre:"/User-Agent\:[^\n]+MySearch/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2002080; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_MySearch; sid: 2002080; rev:14;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Enhance My Search Spyware Activity"; flow: established,to_server; content:"User-Agent\:"; nocase; content:"HelperH"; within:100; pcre:"/User-Agent\:[^\n]+HelperH/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001746; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_MySearch; sid: 2001746; rev:30;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Mysearch.com/Morpheus Bar Spyware User-Agent"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"Morpheus"; within:150; pcre:"/User-Agent\:[^\n]+Morpheus/i"; 
classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003396; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_MySearch; sid:2003396; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS searchenginebar.com Spyware User-Agent (RX Bar)"; flow:to_server,established; content:"User-Agent\: RX Bar"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003407; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_MySearch; sid:2003407; rev:6;) #by Shirkdog alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Mysearch.com Spyware User-Agent (iMeshBar)"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"iMeshBar"; within:150; pcre:"/User-Agent\:[^\n]+iMeshBar/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003406; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_MySearch; sid:2003406; rev:6;) #by jaime blasco alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Spyware google-analitid181.com related user agent (My Session)"; flow:to_server,established; content:"|0d 0a|User-Agent\: My Session"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010677; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_MySession; sid:2010677; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS MyWebSearch Spyware User Agent"; flow: established,to_server; content:"User-Agent\:"; nocase; content:"MyWebSearch"; within:150; pcre:"/User-Agent\:[^\n]+MyWebSearch/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001865; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_MyWeb; sid: 2001865; rev:21;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS TROJAN Nanspy User-Agent 
(XXX)"; flow:established,to_server; content:"|0d 0a|User-Agent\: XXX"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2010157; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Nanspy; sid:2010157; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS NavExcel Spyware User-Agent (NavHelper)"; flow:to_server,established; content:"User-Agent\: NavHelper"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2005321; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Navhelper; sid:2005321; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS NewWeb/Sudui.com Spyware User Agent (B Register)"; flow:established,to_server; content:"User-Agent\: B Register"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2007597; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_NewWeb; sid: 2007597; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS NewWeb/Sudui.com Spyware User Agent (updatesodui)"; flow:established,to_server; content:"User-Agent\: updatesodui"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2007598; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_NewWeb; sid: 2007598; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS NewWeb/Sudui.com Spyware User Agent (aaaabbb)"; flow:established,to_server; content:"User-Agent\: aaaabbb"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2007599; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_NewWeb; sid: 2007599; rev:5;) #by Shirkdog, from spyware lp hits alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Oemji Spyware User-Agent (Oemji)"; flow:to_server,established; 
content:"User-Agent\:"; nocase; content:"Oemji"; within:150; pcre:"/User-Agent\:[^\n]+Oemji/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003468; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Oemji; sid:2003468; rev:6;) #by m starkey alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS OneStep Adware related User Agent (x)"; flow:established,to_server; content:"|0d 0a|User-Agent\: x|0d 0a|"; nocase; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-112613-5052-99&tabid=2; reference:url,doc.emergingthreats.net/2009987; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Onestep; sid:2009987; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Personalweb Spyware User-Agent (PWMI/1.0)"; flow:to_server,established; content:"User-Agent\: PWMI/"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003926; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_PWMI; sid:2003926; rev:5;) #by evilghost #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS pangolin SQL injection tool"; flow:established,to_server; content:"|0d 0a|User-Agent\: pangolin"; classtype:web-application-activity; reference:url,www.lifedork.net/pangolin-best-sql-injection-tool.html; reference:url,doc.emergingthreats.net/2010343; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Pangolin; sid:2010343; rev:2;) #by pedro marinho alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Pivim Multibar User-Agent (Pivim Multibar)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Pivim"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009765; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Pivim; sid:2009765; rev:5;) #by 
matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Popupblockade.com Spyware Related User-Agent (PopupBlockade/1.63.0.2/Reg)"; flow:established,to_server; content:"|0d 0a|User-Agent\: PopupBlockade"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008894; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_PopupBlockade; sid:2008894; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Privacyprotector Related Spyware User-Agent (Ssol NetInstaller)"; flow:to_server,established; content:"User-Agent\: Ssol NetInstaller"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008040; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_PrivacyProtector; sid:2008040; rev:4;) #from castlecops research alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Adload.Generic Spyware User-Agent (ProxyDown)"; flow:to_server,established; content:"User-Agent\: ProxyDown"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003639; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Proxydown; sid:2003639; rev:5;) #from sandnet analysis alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS QQHelper related Spyware User-Agent (H)"; flow:to_server,established; content:"User-Agent\: H|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003749; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_QQ; sid:2003749; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS qq.com related Spyware User-Agent (QQGame)"; flow:to_server,established; content:"User-Agent\: QQGame"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003658; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_QQ; 
sid:2003658; rev:5;) # by: Jeremy Conway at sudosecure.net #ref: 95084b2cd0b845e26fd177856d6e6319 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS QVOD Related Spyware/Malware User-Agent (Qvod)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Qvod"; nocase; classtype:trojan-activity; reference:url,www.siteadvisor.com/sites/update.qvod.com; reference:url,www.threatexpert.com/reports.aspx?find=update.qvod.com; reference:url,doc.emergingthreats.net/2009785; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_QVOD; sid:2009785; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Rf-cheats.ru Trojan Related User-Agent (RFRudokop v.1.1 [account verification])"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| RFRudokop "; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008046; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_RF; sid:2008046; rev:4;) #by Eoin Miller alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS FakeAV Windows Protection Suite/ReleaseXP.exe User-Agent (Releasexp)"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|User-Agent\: Releasexp|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009796; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_ReleaseXP; sid:2009796; rev:4;) # ref: 08e90268f52d942927c9f89fc9b796fb alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS AV2010 Rogue Security Application User-Agent (AV2010)"; flow:to_server,established; content:"|0d 0a|User-Agent\: AV2010|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008656; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_RogueAV; sid:2008656; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Shop at 
Home Select Spyware Activity (Bundle)"; flow: established,to_server; content:"User-Agent\: Bundle"; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001702; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_SAHSelect; sid: 2001702; rev:33;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Shop at Home Select Spyware Activity (SAH)"; flow: established,to_server; content:"User-Agent\:"; nocase; content:"SAH Agent"; within:150; pcre:"/User-Agent\:[^\n]+SAH Agent/i"; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001707; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_SAHSelect; sid: 2001707; rev:30;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Shopathomeselect.com Spyware User Agent Activity"; flow: to_server,established; content:"User-Agent\:"; nocase; content:"WebDownloader"; within:150; pcre:"/User-Agent\:[^\n]+WebDownloader/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2002038; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_SAHSelect; sid: 2002038; rev:244;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Search Engine 2000 Spyware User Agent"; flow: established,to_server; content:"User-Agent\:"; nocase; content:"searchengine"; within:100; pcre:"/User-Agent\:[^\n]+searchengine/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001867; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_SearchEngine2000; sid: 2001867; rev:21;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Generic.Malware.dld User-Agent (Sickloader)"; flow:to_server,established; content:"User-Agent\: Sickloader"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003644; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Sickloader; sid:2003644; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS SideStep Spyware User Agent Activity"; flow: to_server,established; content:"User-Agent\:"; nocase; content:"SideStep"; within:150; pcre:"/User-Agent\:[^\n]+SideStep/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2002078; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_SideSearch; sid: 2002078; rev:24;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Sidesearch Spyware User Agent"; flow: established,to_server; content:"User-Agent\: Sidesearch"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001869; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_SideSearch; sid: 2001869; rev:23;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Sidebar Related Spyware User Agent (Sidebar Client)"; flow:established,to_server; content:"User-Agent\: Sidebar"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008201; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_SideSearch; sid:2008201; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Smileware Connection Spyware Related User-Agent (Smileware Connection)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Smileware"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008892; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Smileware; sid:2008892; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Sogoul.com Spyware User-Agent (SogouIMEMiniSetup)"; flow:established,to_server; content:"|0d 0a|User-Agent\: SogouIME"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008500; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Sogou; sid:2008500; rev:4;) #by Jaime Blacso with alienvault alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (SogouExplorerMiniSetup)"; flow:to_server,established; content:"|0d 0a|User-Agent\: SogouExplorerMiniSetup"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010675; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_SogouExplorer; sid:2010675; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS SpamBlockerUtility Fake Anti-Spyware User Agent (SpamBlockerUtility x.x.x)"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"SpamBlockerUtility "; within:150; pcre:"/User-Agent\:[^\n]+SpamBlockerUtility \d/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003384; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_SpamBlockerUtility; sid:2003384; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Speed-runner.com Fake Speed Test User-Agent (SRInstaller)"; flow:to_server,established; content:"|0d 0a|User-Agent\: SRInstaller|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008145; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Speedrunner; sid:2008145; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Speed-runner.com Fake Speed Test User-Agent (SpeedRunner)"; flow:to_server,established; content:"|0d 0a|User-Agent\: SpeedRunner|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008146; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Speedrunner; sid:2008146; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Speed-runner.com Fake Speed Test User-Agent 
(SRRecover)"; flow:to_server,established; content:"|0d 0a|User-Agent\: SRRecover|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008151; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Speedrunner; sid:2008151; rev:4;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS iDownloadAgent Spyware User Agent"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"iDownloadAgent"; within:150; pcre:"/User-Agent\:[^\n]+iDownloadAgent/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002739; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_SpyAxe; sid:2002739; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Spyaxe Spyware User Agent"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"spyaxe"; within:150; pcre:"/User-Agent\:[^\n]+spyaxe/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002807; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_SpyAxe; sid:2002807; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Spyaxe Spyware User Agent 2"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"spywareaxe"; within:150; pcre:"/User-Agent\:[^\n]+spywareaxe/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002808; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_SpyAxe; sid:2002808; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS SpyDawn.com Fake Anti-Spyware User-Agent (SpyDawn)"; flow:to_server,established; content:"User-Agent\: SpyDawn|0d 0a|"; nocase; classtype:trojan-activity; reference:url,www.spywareguide.com/spydet_3366_spydawn.html; reference:url,doc.emergingthreats.net/2003499; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Spydawn; sid:2003499; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Spyhealer Fake Anti-Spyware Install User-Agent (SpyHealer)"; flow:to_server,established; content:"User-Agent\: SpyHeal"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003399; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Spyhealer; sid:2003399; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Spylocked Fake Anti-Spyware User-Agent (SpyLocked)"; flow:to_server,established; content:"User-Agent\: SpyLocked"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2005322; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Spylocked; sid:2005322; rev:5;) #from spyware listening post data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Statblaster.com Spyware User-Agent (fetcher)"; flow:to_server,established; content:"User-Agent\: fetcher|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2005318; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Statblaster; sid:2005318; rev:5;) #by evilghost alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS STEROID Download User-Agent, possible trojan infection"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| STEROID Download|0D 0A|"; nocase; classtype:trojan-activity; reference:url,anubis.iseclab.org/?action=result&task_id=17b118a86edba30f4f588db66eaf55d10; reference:url,security.thejoshmeister.com/2009/09/new-malware-ddos-botexe-etc-and.html; reference:url,doc.emergingthreats.net/2009994; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Steroid; sid:2009994; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET 
USER_AGENTS SureSeeker Spyware User Agent"; flow: established,to_server; content:"User-Agent\:"; nocase; content:"sureseeker"; within:150; pcre:"/User-Agent\:[^\n]+sureseeker\.com/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001868; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_SureSeeker; sid: 2001868; rev:22;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Surfplayer Spyware User Agent"; flow: established,to_server; content:"User-Agent\:"; nocase; content:"SurferPlugin"; within:150; pcre:"/User-Agent\:[^\n]+SurferPlugin/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001870; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_SurfPlayer; sid: 2001870; rev:21;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (agent)"; flow: to_server,established; content:"|0d 0a|User-Agent\: agent"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001891; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid: 2001891; rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\: Microsoft Internet Explorer"; content:!"bbc.co.uk"; nocase; content:!"microsoft.com"; nocase; content:!"vmware.com"; nocase; content:!"msn.com"; nocase; content:!"msnbc.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002400; rev:21;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Spyware Related User Agent (UtilMind 
HTTPGet)"; flow: to_server,established; content:"User-Agent\:"; nocase; content:"UtilMind HTTPGet"; within:150; pcre:"/User-Agent\:[^\n]+UtilMind HTTPGet/i"; content:!"Host\: www.blueocean.com"; nocase; threshold: type limit, count 1, track by_src, seconds 360; reference:url,www.websearch.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002402; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2002402; rev:11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Informer from RBC)"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"Informer from RBC"; within:150; pcre:"/User-Agent\:[^\n]+Informer from RBC/i"; classtype:trojan-activity; reference:url,www.kliksoftware.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003205; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003205; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Download Agent) Possibly Related to TrinityAcquisitions.com"; flow:to_server,established; content:"User-Agent\: Download Agent"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003243; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003243; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Autoupdate)"; flow:to_server,established; content:"User-Agent\: Autoupdate"; nocase; content:!"Host\: update.nai.com"; nocase; content:!"McAfeeAutoUpdate"; nocase; content:!"nokia.com"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003337; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003337; rev:10;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"ET USER_AGENTS User Agent Containing http\:// - Suspicious - Likely Spyware/Trojan"; flow:to_server,established; content:"User-Agent\:"; nocase; content:!"rss"; nocase; pcre:"/User-Agent\:[^\n]+http\:\/\//i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003394; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003394; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Toolbar) Possibly Malware/Spyware"; flow:to_server,established; content:"User-Agent\: Toolbar"; content:!"cf.icq.com"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003463; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003463; rev:11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (ms)"; flow:to_server,established; content:"User-Agent\: ms|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003497; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003497; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Misspelled Mozilla User-Agent (Mozila/4.0...)"; flow:to_server,established; content:"User-Agent\: Mozila/4.0"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003491; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003491; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent\: Mozilla/4.0|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003492; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; 
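sid:2003492; rev:8;)
# The Host-header exclusion has to be a plain content match. uricontent inspects only the normalized request-URI buffer, in
# which a "\r\nHost: ..." byte sequence cannot occur, so the negated uricontent was always satisfied and the
# download.releasenotes.nokia.com exclusion never took effect (every such request still alerted). rev bumped for the change.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Mozilla/5.0|0d 0a|"; nocase; content:!"|0d 0a|Host\: download.releasenotes.nokia.com"; content:!"Mozilla/5.0|0d 0a|Connection\: Close|0d 0a 0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009295; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_Agents_Suspicious; sid:2009295; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent Inbound - Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Mozilla/5.0|0d 0a|"; nocase; classtype:trojan-activity; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_Agents_Suspicious; reference:url,doc.emergingthreats.net/2010908; sid:2010908; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent\: MOzilla/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003513; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003513; rev:7;)
# Plus signs used as separators inside a UA are suspicious as well
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent Separator - likely Fake (Mozilla/4.0+(compatible +MSIE+)"; flow:to_server,established; content:"User-Agent\: Mozilla/4.0+(compatible\;+MSIE+/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003530; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003530; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and 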
Others"; flow:to_server,established; content:"User-Agent\: downloader"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003546; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003546; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (DIALER)"; flow:to_server,established; content:"User-Agent\: DIALER"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003566; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003566; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (update)"; flow:to_server,established; content:"User-Agent\: update|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003583; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003583; rev:6;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Updater)"; flow:to_server,established; content:"User-Agent\: Updater"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003584; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003584; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Windows Updates Manager)"; flow:to_server,established; content:"User-Agent\: Windows Updates Manager"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003585; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003585; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (WinXP Pro Service Pack 2)"; flow:to_server,established; content:"User-Agent\: WinXP Pro Service Pack 2"; classtype:trojan-activity; 
reference:url,doc.emergingthreats.net/2003586; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003586; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent outbound (bot)"; flow:to_server,established; content:"User-Agent\: bot/"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003622; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003622; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Double User-Agent (User-Agent\: User-Agent\: )"; flow:to_server,established; content:"User-Agent\: User-Agent\: "; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003626; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (MSIE)"; flow:to_server,established; content:"|0d 0a|User-Agent\: MSIE"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003657; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003657; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (HTTPTEST) - Seen used by downloaders"; flow:to_server,established; content:"User-Agent\: HTTPTEST"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003927; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003927; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Snatch-System)"; flow:to_server,established; content:"User-Agent\: Snatch-System"; nocase; classtype:trojan-activity; 
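reference:url,doc.emergingthreats.net/bin/view/Main/2003930; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2003930; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS KKtone Suspicious User-Agent (KKTone)"; flow:to_server,established; content:"User-Agent\: KKTone"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2004443; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2004443; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (MyAgent)"; flow:to_server,established; content:"User-Agent\: MyAgent"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2005320; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2005320; rev:6;)
# The alert name now states what the rule actually matches. The old msg described a "starts with a bracket, contains a pipe
# or underscore" pattern, but the only match condition is the literal UA prefix "SpyLocked"; an analyst reading the old
# name would look for a pattern that is not in the flagged request. rev bumped for the msg change.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent - Likely Spyware (SpyLocked)"; flow:to_server,established; content:"User-Agent\: SpyLocked"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2005323; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2005323; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent - Likely Webhancer Related Spyware (TEST)"; flow:to_server,established; content:"User-Agent\: TEST|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006357; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2006357; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent - Likely Webhancer Related Spyware (Huai_Huai)"; flow:to_server,established; content:"User-Agent\: 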
Huai_Huai|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006361; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2006361; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (MYURL)"; flow:to_server,established; content:"User-Agent\: MYURL|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006365; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2006365; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (006)"; flow:established,to_server; content:"User-Agent\: 00"; pcre:"/User-Agent\: 00\d+\x0d\x0a/"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006388; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid: 2006388; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Dummy)"; flow: established,to_server; content:"User-Agent\: Dummy"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007570; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007570; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent - Likely 2squared.com related (AntiSpyware)"; flow: established,to_server; content:"User-Agent\: AntiSpyware"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007575; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007575; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Spyware User Agent (XXX)"; flow:established,to_server; content:"User-Agent\: XXX|0d 0a|"; nocase; 
classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007648; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid: 2007648; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Spyware User Agent (QdrBi Starter)"; flow:established,to_server; content:"User-Agent\: QdrBi Starter|0d 0a|"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007659; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid: 2007659; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Spyware Related User Agent (install_s)"; flow:established,to_server; content:"User-Agent\: install_"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007666; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid: 2007666; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Spyware Related User Agent (count)"; flow:established,to_server; content:"User-Agent\: count|0d 0a|"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007667; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid: 2007667; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Internet Explorer (compatible))"; flow:to_server,established; content:"|0d 0a|User-Agent\: Internet Explorer (compatible)|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007772; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007772; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent - Possible Spyware Related (Mozilla)"; 
flow:to_server,established; content:"|0d 0a|User-Agent\: Mozilla|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007854; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007854; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent - Possible Trojan Downloader (microsoft)"; flow:to_server,established; content:"|0d 0a|User-Agent\: microsoft|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007859; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007859; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent - Possible Trojan Downloader (Internet Explorer 6.0)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Internet Explorer 6.0|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007860; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007860; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent - Possible Trojan Downloader (Firefox)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Firefox|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007868; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007868; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Example)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Example|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007884; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007884; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (downloader)"; flow:to_server,established; content:"|0d 0a|User-Agent\: downloader|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007885; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007885; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (HTTP_CONNECT)"; flow:to_server,established; content:"|0d 0a|User-Agent\: HTTP_CONNECT|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007899; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007899; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Explorer)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Explorer|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007921; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007921; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (User-Agent\: Mozilla/4.0 (compatible\; ))"; flow:to_server,established; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; )|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007929; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007929; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (_)"; flow:to_server,established; content:"|0d 0a|User-Agent\: _|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007942; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007942; rev:4;) alert tcp $HOME_NET any -> 
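$EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (HTTP)"; flow:to_server,established; content:"|0d 0a|User-Agent\: HTTP|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007943; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007943; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (popup)"; flow:to_server,established; content:"|0d 0a|User-Agent\: popup|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007946; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007946; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (double dashes)"; flow:to_server,established; content:"|0d 0a|User-Agent\: |2d 2d 0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007948; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007948; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Unknown)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Unknown|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007991; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007991; rev:4;)
# "2 spaces" means a UA value consisting of exactly two 0x20 bytes after the colon (the companion "1 space" rule,
# sid:2007994, uses a literal space the same way). The previous pattern |32 32| is ASCII "22", so the rule matched
# "User-Agent:22" and never the whitespace-only value its msg describes. rev bumped for the content fix.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (2 spaces)"; flow:to_server,established; content:"|0d 0a|User-Agent\:|20 20 0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007993; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007993; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious 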
User Agent (1 space)"; flow:to_server,established; content:"|0d 0a|User-Agent\: |0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007994; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Internet)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Internet|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008013; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008013; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Win95)"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:"Win95"; within:150; pcre:"/User-Agent\:[^\n]+Win95/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008015; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008015; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Mozilla/4.0 (compatible\; ICS))"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible|3b| ICS)"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008038; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008038; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (c\:\windows)"; flow:to_server,established; content:"User-Agent\: c|3a 5c|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008043; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008043; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET 
USER_AGENTS Suspicious User-Agent (Version 1.23)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| Version "; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008048; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008048; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Internet Explorer)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Internet Explorer|0d 0a|"; content:!"|0d0a|Host\: pnrws.skype.com|0d0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008052; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008052; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Blank User-Agent (descriptor but no string)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a 0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008066; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008066; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (App4)"; flow:to_server,established; content:"|0d 0a|User-Agent\: App"; pcre:"/User-Agent\: App\d+/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008073; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008073; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Mozilla-web)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Mozilla-web"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008084; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008084; rev:4;) alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (INSTALLER)"; flow:to_server,established; content:"|0d 0a|User-Agent\: INSTALLER|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008096; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008096; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (IEMGR)"; flow:to_server,established; content:"|0d 0a|User-Agent\: IEMGR|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008097; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008097; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (GOOGLE)"; flow:to_server,established; content:"|0d 0a|User-Agent\: GOOGLE|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008098; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008098; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (RBR)"; flow:to_server,established; content:"|0d 0a|User-Agent\: RBR|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008147; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008147; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (MS Internet Explorer)"; flow:to_server,established; content:"|0d 0a|User-Agent\: MS Internet Explorer|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008181; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008181; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Installer)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Installer|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008184; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008184; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (QQ)"; flow:to_server,established; content:"|0d 0a|User-Agent\: QQ|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008199; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008199; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (TestAgent)"; flow:to_server,established; content:"|0d 0a|User-Agent\: TestAgent|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008208; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008208; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (SERVER2_03)"; flow:to_server,established; content:"|0d 0a|User-Agent\: SERVER"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008209; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008209; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Misspelled Mozilla User-Agent (Mozila)"; flow:to_server,established; content:"User-Agent\: Mozila"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008210; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008210; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious 
User-Agent (WinProxy)"; flow:to_server,established; content:"|0d 0a|User-Agent\: WinProxy|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008211; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008211; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (sickness29a/0.1)"; flow:to_server,established; content:"|0d 0a|User-Agent\: sickness"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008214; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008214; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (up2dash updater)"; flow:to_server,established; content:"|0d 0a|User-Agent\: up2dash"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008215; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008215; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (NSIS_DOWNLOAD)"; flow:to_server,established; content:"|0d 0a|User-Agent\: NSIS_DOWNLOAD"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008216; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008216; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Mozilla 1.02.45 biz)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Mozilla "; content:" biz|0d 0a|"; within:15; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008231; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008231; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"ET USER_AGENTS Suspicious User-Agent (chek)"; flow:to_server,established; content:"|0d 0a|User-Agent\: chek|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008253; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008253; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (IE)"; flow:to_server,established; content:"|0d 0a|User-Agent\: IE|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008255; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008255; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Nimo Software HTTP Retriever 1.0)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Nimo Software HTTP"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008257; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008257; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (AutoHotkey)"; flow:to_server,established; content:"|0d 0a|User-Agent\: AutoHotkey"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008259; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008259; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (WebForm 1)"; flow:to_server,established; content:"|0d 0a|User-Agent\: WebForm"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008262; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008262; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent 
(opera)"; flow:to_server,established; content:"|0d 0a|User-Agent\: opera|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008264; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008264; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Zilla)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Zilla|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008266; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008266; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (contains loader)"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:" loader"; distance:0; within:100; pcre:"/User-Agent\:[^\n]+loader/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008276; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008276; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla Version User-Agent (Mozila/4.5)"; flow:to_server,established; content:"User-Agent\: Mozila/4.5|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008293; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008293; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (ld)"; flow:to_server,established; content:"|0d 0a|User-Agent\: ld|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008342; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008342; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS 
Suspicious User-Agent (123)"; flow:to_server,established; content:"|0d 0a|User-Agent\: 123|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008343; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008343; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (DownloadNetFile)"; flow:to_server,established; content:"|0d 0a|User-Agent\: DownloadNetFile|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008344; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008344; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (angel)"; flow:to_server,established; content:"|0d 0a|User-Agent\: angel|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008355; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008355; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Accessing)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Accessing|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008361; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008361; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (ISMYIE)"; flow:to_server,established; content:"|0d 0a|User-Agent\: ISMYIE|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008363; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008363; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Playtech Downloader)"; 
flow:to_server,established; content:"|0d 0a|User-Agent\: Playtech "; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008365; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008365; rev:4;)
# Prefix match on "InetURL" with two negative content checks: the rule does not fire when
# "www.dell.com" or "pdfmachine.com" appears anywhere in the payload. These are
# false-positive exclusions and are not bound to the User-Agent header position.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (InetURL)"; flow:established,to_server; content:"|0d 0a|User-Agent\: InetURL"; content:!"www.dell.com"; content:!"pdfmachine.com"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008374; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008374; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (ErrCode)"; flow:established,to_server; content:"|0d 0a|User-Agent\: ErrCode|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008378; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008378; rev:7;)
# Case-insensitive prefix ("nocase"): "svchost", "SVCHOST", "Svchost" etc. all match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (svchost)"; flow:established,to_server; content:"|0d 0a|User-Agent\: svchost"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008391; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008391; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (ReadFileURL)"; flow:established,to_server; content:"|0d 0a|User-Agent\: ReadFileURL|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008400; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (PcPcUpdater)"; 
flow:established,to_server; content:"|0d 0a|User-Agent\: PcPcUpdater"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008413; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008413; rev:6;)
# Generic downloader-style User-Agent prefixes. None of these close with |0d 0a|, so a
# version or other suffix after the token still matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Inet_read)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Inet_read"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008422; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008422; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (CFS Agent)"; flow:established,to_server; content:"|0d 0a|User-Agent\: CFS Agent"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008423; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008423; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (CFS_DOWNLOAD)"; flow:established,to_server; content:"|0d 0a|User-Agent\: CFS_DOWNLOAD"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008424; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008424; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (HTTP Downloader)"; flow: established,to_server; content:"|0d 0a|User-Agent\: HTTP Downloader"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008428; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008428; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (AdiseExplorer)"; flow:established,to_server; content:"|0d 
0a|User-Agent\: AdiseExplorer"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008427; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008427; rev:6;)
# More case-sensitive prefix matches on the start of the User-Agent value.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (HttpDownload)"; flow:established,to_server; content:"|0d 0a|User-Agent\: HttpDownload"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008429; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008429; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Download App)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Download App"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008440; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008440; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (hacker)"; flow:established,to_server; content:"|0d 0a|User-Agent\: hacker"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008460; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008460; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (ieguideupdate)"; flow:established,to_server; content:"|0d 0a|User-Agent\: ieguideupdate"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008463; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008463; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (adsntD)"; flow:established,to_server; content:"|0d 0a|User-Agent\: adsntD"; classtype:trojan-activity; 
reference:url,doc.emergingthreats.net/bin/view/Main/2008464; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008464; rev:4;)
# The literal text "NULL" as the User-Agent value (a string, not an absent header).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (NULL)"; flow:established,to_server; content:"|0d 0a|User-Agent\: NULL"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008488; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008488; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (dwplayer)"; flow:established,to_server; content:"|0d 0a|User-Agent\: dwplayer"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008489; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008489; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (ieagent)"; flow:established,to_server; content:"|0d 0a|User-Agent\: ieagent"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008494; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008494; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (antispyprogram)"; flow:established,to_server; content:"|0d 0a|User-Agent\: antispyprogram"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008495; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008495; rev:4;)
# Prefix "SUiCiDE" only: the "/1.5" named in msg is not part of the match, so other
# versions also hit.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (SUiCiDE/1.5)"; flow:established,to_server; content:"|0d 0a|User-Agent\: SUiCiDE"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008504; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008504; rev:4;)
# |5c| is a literal backslash, so this matches the printable text "\xa2\xa2HttpClient"
# (backslash, x, a, 2 ...), not two raw 0xA2 bytes.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (\xa2\xa2HttpClient)"; flow:established,to_server; content:"|0d 0a|User-Agent\: |5c|xa2|5c|xa2HttpClient|0d 0a|"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008510; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008510; rev:4;)
# User-Agent beginning with a Windows drive path "C:\" ("\\" is an escaped backslash in
# content). The negative match excludes values containing "\Citrix\ICA Client\" so that
# client is not reported.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (C\:\\)"; flow:established,to_server; content:"|0d 0a|User-Agent\: C\:\\"; content:!"\\Citrix\\ICA Client\\"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008512; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008512; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (msIE 7.0)"; flow:established,to_server; content:"|0d 0a|User-Agent\: msIE"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008513; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008513; rev:4;)
# Prefix "AVP200" covers AVP2006IE and any other AVP200x variant.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (AVP2006IE)"; flow:established,to_server; content:"|0d 0a|User-Agent\: AVP200"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008514; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008514; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (winlogon)"; flow:established,to_server; content:"|0d 0a|User-Agent\: winlogon"; classtype:trojan-activity; 
reference:url,doc.emergingthreats.net/bin/view/Main/2008544; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008544; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Internet HTTP"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008564; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008564; rev:5;)
# Literal "+" characters inside the User-Agent value where a browser UA would have spaces.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Detected (Windows+NT)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Windows+NT"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008600; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008600; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Detected (RLMultySocket)"; flow:established,to_server; content:"|0d 0a|User-Agent\: RLMultySocket|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008603; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008603; rev:4;)
# Fast content prefilter on "Downloader", then the pcre requires a numeric version directly
# after it ("Downloader<digits>.<digit>"), so plain "Downloader" alone does not fire.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Detected (Downloader1.2)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Downloader"; pcre:"/User-Agent\: Downloader\d+\.\d/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008643; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008643; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Detected (Compatible)"; flow:established,to_server; content:"|0d 
0a|User-Agent\: Compatible|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008657; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008657; rev:4;)
# "Detected" rules: same exact/prefix User-Agent pattern as the rules above.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Detected (GetUrlSize)"; flow:established,to_server; content:"|0d 0a|User-Agent\: GetUrlSize|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008658; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008658; rev:4;)
# Prefix "DigitAl56K/" -- any version after the slash matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Detected (DigitAl56K/6.3)"; flow:established,to_server; content:"|0d 0a|User-Agent\: DigitAl56K/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008659; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008659; rev:4;)
# Prefix "aguarovex-loader v" -- version number deliberately left out of the match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Detected (aguarovex-loader v3.221)"; flow:established,to_server; content:"|0d 0a|User-Agent\: aguarovex-loader v"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008663; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008663; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Detected (WINS_HTTP_SEND Program/1.0)"; flow:established,to_server; content:"|0d 0a|User-Agent\: WINS_HTTP_SEND"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008734; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008734; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (FTP)"; flow: 
to_server,established; content:"|0d 0a|User-Agent\: Ftp|0d 0a|"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008735; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008735; rev:5;)
# "nocase" rules: the bdwinrun / bdsclk tokens are matched case-insensitively.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent - Possible Admoke Admware (bdwinrun)"; flow: to_server,established; content:"|0d 0a|User-Agent\: bdwinrun"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008742; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008742; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent - Possible Admoke Admware (bdsclk)"; flow: to_server,established; content:"|0d 0a|User-Agent\: bdsclk"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008743; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008743; rev:5;)
# Back to case-sensitive matching from here.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (checkonline)"; flow:established,to_server; content:"|0d 0a|User-Agent\: checkonline|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008749; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008749; rev:4;)
# Prefix "Kvadrlson " (trailing space) -- the version in msg is not matched.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Kvadrlson 1.0)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Kvadrlson "; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008756; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008756; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious 
User-Agent (miip)"; flow:established,to_server; content:"|0d 0a|User-Agent\: miip|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008797; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008797; rev:4;)
# Look-alike browser token: "Mozil1a" with the digit 1 in place of the letter l.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Mozil1a)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozil1a"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008847; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008847; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Errordigger.com related)"; flow:established,to_server; content:"|0d 0a|User-Agent\: min|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008912; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008912; rev:4;)
# Inconsistent browser UA: "Mozilla/1.0" paired with "MSIE 8.0". "\;" is an escaped
# semicolon inside the content string.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Trojan.Hijack.IrcBot.457 related)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/1.0 (compatible\; MSIE 8.0\;"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008913; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008913; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (xr - Worm.Win32.VB.cj related)"; flow:established,to_server; content:"|0d 0a|User-Agent\: xr|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008914; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008914; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS 
Suspicious User-Agent (HELLO)"; flow:established,to_server; content:"|0d 0a|User-Agent\: HELLO|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008941; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008941; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Yandesk)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Yandesk|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008916; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008916; rev:4;)
# msg says "(section)" but the exact value matched is "sections".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent pricers.info related (section)"; flow:established,to_server; content:"|0d 0a|User-Agent\: sections|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008919; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008919; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (IE/1.0)"; flow:to_server,established; content:"|0d 0a|User-Agent\: IE/1.0|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008956; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008956; rev:4;)
# Exact-value match: the header must end immediately after "(compatible)" -- a UA that
# continues with further tokens after it does not match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (User-Agent\: Mozilla/4.0 (compatible))"; flow:to_server,established; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible)|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008974; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008974; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET 
USER_AGENTS Suspicious User Agent (BlackSun)"; flow:to_server,established; content:"|0d 0a|User-Agent\: BlackSun"; reference:url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008983; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008983; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (IE_6.0)"; flow:to_server,established; content:"|0d 0a|User-Agent\: IE_6.0"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2009021; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2009021; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (FileDownloader)"; flow:to_server,established; content:"|0d 0a|User-Agent\: FileDownloader"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2009027; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2009027; rev:5;)
# Prefix "get_site" (msg shows get_site1; other suffixes also match). From this rule on
# the doc.emergingthreats.net references use the short /<sid> form instead of
# /bin/view/Main/<sid>.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (get_site1)"; flow:to_server,established; content:"|0d 0a|User-Agent\: get_site"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009111; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2009111; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (GETJOB)"; flow:to_server,established; content:"|0d 0a|User-Agent\: GETJOB"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009124; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2009124; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious 
User-Agent (runUpdater.html)"; flow:established,to_server; content:"|0d 0a|User-Agent\: runUpdater|2e|html"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009355; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2009355; rev:4;)
# |2e| is a literal ".", so the value matched is "runPatch.html" (and "runUpdater.html"
# in the rule above).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (runPatch.html)"; flow:established,to_server; content:"|0d 0a|User-Agent\: runPatch|2e|html"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009356; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2009356; rev:4;)
# Full exact UA string; "\;" is an escaped semicolon and the trailing |0d 0a| requires the
# header to end exactly there.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Mozilla/4.8 [ru])"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/4.8 [ru] (Windows NT 6.0\; U)|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009438; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2009438; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (HelpSrvc)"; flow:established,to_server; content:"|0d 0a|User-Agent\: HelpSrvc|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009439; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2009439; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Internet Antivirus Pro)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Internet Antivirus Pro|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009440; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2009440; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent - Possibly Xema 
(AgavaDwnl)"; flow:established,to_server; content:"|0d 0a|User-Agent\: AgavaDwnl|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009445; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2009445; rev:5;)
# NOTE(review): sid 2009446 and sid 2009456 (next rule) both carry the doc reference of
# sid 2009445 -- looks like a copy-paste leftover; confirm the intended doc URLs.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Macrovision_DM)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Macrovision_DM"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009445; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2009446; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (ClickAdsByIE)"; flow:established,to_server; content:"|0d 0a|User-Agent\: ClickAdsByIE"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009445; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2009456; rev:3;)
# Two-stage match: the header name first (upper-case hex |0D 0A| here), then
# "Windows+NT+5.1" ending the header within 128 bytes of it -- so anything may precede
# that token inside the value.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Downloader User-Agent (Windows+NT+5.1)"; flow:established,to_server; content:"|0D 0A|User-Agent\:"; content:"Windows+NT+5.1|0D 0A|"; within:128; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009486; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2009486; rev:4;)
# Exact value "Session", case-insensitive ("nocase").
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Session) - Possible Trojan-Clicker"; flow:established,to_server; content:"|0d 0a|User-Agent\: Session|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009512; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2009512; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Poker)"; 
flow:to_server,established; content:"|0d 0a|User-Agent\: Poker|0d 0a|"; classtype:trojan-activity; reference:url,vil.nai.com/vil/content/v_130975.htm; reference:url,doc.emergingthreats.net/2009534; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2009534; rev:4;)
# "ET TROJAN" variants: additionally require the request to start with "GET " (depth:4)
# and, where "depth:200" follows the header content, the User-Agent header to lie within
# the first 200 payload bytes. The UA value itself is matched with "nocase".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Loands) - Possible Trojan Downloader GET Request"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|User-Agent\: Loands|0d 0a|"; nocase; depth:200; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009537; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2009537; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (ms_ie) - Crypt.ZPACK Gen Trojan Downloader GET Request"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|User-Agent\: ms_ie|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009538; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2009538; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (PCFlashBangA)"; flow:to_server,established; content:"|0d 0a|User-Agent\: PCFlashBangA|0d 0a|"; classtype:trojan-activity; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453113169; reference:url,doc.emergingthreats.net/2009540; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2009540; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Forthgoner) - Possible Trojan Downloader GET Request"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|User-Agent\: Forthgoner|0d 0a|"; nocase; depth:200; classtype:trojan-activity; 
reference:url,doc.emergingthreats.net/2009547; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2009547; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (InHold) - Possible Trojan Downloader GET Request"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|User-Agent\: InHold|0d 0a|"; nocase; depth:200; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009544; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2009544; rev:4;)
# |0d0a| (no space between the bytes) is the same CRLF as |0d 0a|. Case-insensitive prefix.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (_TEST_)"; flow: to_server,established; content:"|0d0a|User-Agent\: _TEST_"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009545; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2009545; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (INet)"; flow:established,to_server; content:"|0d 0a|User-Agent\: INet|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009703; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2009703; rev:4;)
# Exact value: the header must end right after "(compatible)".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Mozilla/3.0 (compatible))"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible)|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009867; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2009867; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS PinBall Corp. 
Related suspicious activity"; flow:established,to_server; content:"|0d 0a|User-Agent\: PinBallCorp-BSAI"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009908; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2009908; rev:4;)
# The User-Agent value is literally the text "User Agent".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent - Likely Hostile (User Agent)"; flow:established,to_server; content:"|0d 0a|User-Agent\: User Agent"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009930; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2009930; rev:4;)
# Prefix "MyIE/" -- any version matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (MyIE/1.0)"; flow:established,to_server; content:"|0d 0a|User-Agent\: MyIE/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009991; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2009991; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (ONANDON)"; flow:established,to_server; content:"|0d 0a|User-Agent\: ONANDON|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009995; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2009995; rev:4;)
# Exact "wget 3.0" value (case-sensitive). Note this sid (2007961) is out of numeric order
# with its neighbours.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Fake Wget User Agent - Likely Hostile (wget 3.0)"; flow:to_server,established; content:"|0d 0a|User-Agent\: wget 3.0|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007961; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007961; rev:6;)
#by Jaime Blasco
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS TROJAN Drop.Agent.bfsv HTTP Activity (UsER-AgENt)"; 
flow:established,to_server; content:"GeT "; depth:4; content:"HttP"; depth:200; content:"|0d 0a|HoST\: "; content:"|0d 0a|UsER-AgENt\: |0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010129; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2010129; rev:2;)
# Empty User-Agent: header name, one space (|20|) and then CRLF (|0D 0A|). "nocase" makes the
# header name itself case-insensitive; the request must start with "GET ".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious HTTP Request with empty User Agent"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|User-Agent\:|20 0D 0A|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010130; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2010130; rev:2;)
#by jerry at cybercave
# NOTE(review): destination is "any" rather than $EXTERNAL_NET, unlike every other rule in
# this set, so it also inspects HTTP that stays inside $HOME_NET.
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Sme32)"; flow: established, to_server; content:"|0d 0a|User-Agent\: Sme32|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010137; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2010137; rev:2;)
#by Bojan
# |3A 20| is ": " and |20| a space; "M0zilla" uses the digit 0 in place of the letter o.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (M0zilla)"; flow:established,to_server; content:"|0d 0a|User-Agent|3A 20|M0zilla/4.0|20|(compatible)"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010265; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2010265; rev:2;)
#by darren spruell
# |3a| is ":"; case-insensitive prefix match on "CrazyBro". The rule's reference list
# continues on the next line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (CrazyBro)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| CrazyBro"; nocase; classtype:trojan-activity; reference:url,www.f-secure.com/v-descs/trojan-proxy_w32_kvadr_gen!a.shtml; reference:url,www.threatexpert.com/report.aspx?md5=fd2d6bb1d2a9803c49f1e175d558a934; 
reference:url,www.threatexpert.com/report.aspx?md5=e4664144f8e95cfec510d5efa24a35e7; reference:url,anubis.iseclab.org/?action=result&task_id=14118b80c1b346124c183394d5b3004b1&format=html; reference:url,doc.emergingthreats.net/2010333; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2010333; rev:3;) #matt jonkman, general downloader ua alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (ie)"; flow:established,to_server; content:"|0d 0a|User-Agent\: ie|0d 0a|"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2007827; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2007827; rev:5;) #by Deapesh Misra alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious UA string (MSIE7 an)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 7.0\; na\; )"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010461; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2010461; rev:2;) #by jerry alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (???)"; flow:established,to_server; content:"|0d 0a|User-Agent\: ???"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010595; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2010595; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent Mozilla/3.0"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible\; Internet Explorer)"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010599; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2010599; rev:1;) alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent WebUpdate"; flow:established,to_server; content:"|0d 0a|User-Agent\: WebUpdate|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010600; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2010600; rev:1;) #by evilghost #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Beginning with digits - Likely spyware/trojan"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; content:!"|0d 0a|User-Agent\: Mozilla/"; pcre:"/\x0d\x0aUser-Agent\: \d\d\d/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010697; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2010697; rev:3;) #by Waldo kitty alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Incorrectly formatted User-Agent string (dashes instead of semicolons) Likely Hostile"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible- MSIE 6.0- Windows NT 5.1- SV1- "; classtype:bad-unknown; reference:url,doc.emergingthreats.net/2010868; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2010868; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Fake Mozilla UA on Forum Registration Spambot Inbound"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/0.6 Beta (Windows)|0d 0a|"; classtype:bad-unknown; reference:url,doc.emergingthreats.net/2010904; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2010904; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Fake Mozilla UA on Forum Registration Spambot Outbound"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/0.6 Beta (Windows)|0d 0a|"; classtype:bad-unknown; 
reference:url,doc.emergingthreats.net/2010905; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2010905; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS badly formatted User-Agent string (no closing parenthesis)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible|3b| "; content:!")|0d 0a|"; distance:0; pcre:"/\(compatible[^\)]+\n/"; classtype:bad-unknown; reference:url,doc.emergingthreats.net/2010906; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2010906; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Target Saver Spyware User Agent"; flow: established,to_server; content:"|0d 0a|User-Agent\: TSA/"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001871; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_TargetSaver; sid: 2001871; rev:20;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS TryMedia Spyware User Agent (TryMedia_DM_2.0.0)"; flow:established,to_server; content:"User-Agent\: TryMedia_DM_"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2007600; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_TryMedia; sid: 2007600; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS UCMore Spyware Activity"; flow: to_server,established; content:"User-Agent\:"; nocase;content:"UCmore"; within:150; pcre:"/User-Agent\:[^\n]+UCmore/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001736; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_UCMore; sid: 2001736; rev:266;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS UCMore Spyware Activity User Agent String"; flow: to_server,established; content:"|0d 0a|User-Agent\: 
EI|0d 0a|"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001996; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_UCMore; sid: 2001996; rev:12;) #by matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Ultimate HAckerz Team User-Agent - Likely Trojan Report"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1\; Made by UltimateHackerzTeam)"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010346; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_UltimateHackerz; sid:2010346; rev:2;) #by jeffrey brown alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS www.vaccinekiller.com Related Spyware User Agent (VaccineKillerIU)"; flow:established,to_server; content:"|0d 0a|User-Agent\: VaccineKiller"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009993; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Vaccine; sid:2009993; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Visicom Spyware User Agent"; flow: established,to_server; content:"User-Agent\:"; nocase; content:"Visicom"; within:150; pcre:"/User-Agent\:[^\n]+Visicom/i"; threshold: type limit, count 1, seconds 360, track by_src; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001872; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Visicom; sid: 2001872; rev:23;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Vombanetwork Spyware User Agent (VombaProductsInstaller)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Vomba"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007869; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Vomba; sid:2007869; rev:4;) alert 
tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Webbuying.net Spyware Install User-Agent (wbi_v0.90)"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"wbi_v"; within:150; pcre:"/User-Agent\:[^\n]+wbi_v\d/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003441; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Webbuying; sid:2003441; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Webbuying.net Spyware Install User-Agent 2 (wb v1.6.4)"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"wb v"; within:150; pcre:"/User-Agent\:[^\n]+wb v\d/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003449; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Webbuying; sid:2003449; rev:6;) #by markus manzke # Proxy-Scanner - 2 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB_SERVER Open-Proxy ScannerBot (webcollage-UA) "; flow:established,to_server; content:"|0d 0a|User-Agent|3a| webcollage/1.135a"; nocase; classtype:bad-unknown; reference:url, stateofsecurity.com/?p=526; reference:url,www.botsvsbrowsers.com/details/214715/index.html; reference:url,doc.emergingthreats.net/2010768; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Webcollage; sid:2010768; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Win-touch.com Spyware User Agent (WTRecover)"; flow:established,to_server; content:"User-Agent\: WTRecover"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2006392; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Win-Touch; sid: 2006392; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Win-touch.com Spyware User Agent (WTInstaller)"; flow:established,to_server; content:"User-Agent\: WTInstaller"; classtype: 
trojan-activity; reference:url,doc.emergingthreats.net/2006393; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Win-Touch; sid: 2006393; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Win-touch.com Spyware User Agent (WinTouch)"; flow:established,to_server; content:"User-Agent\: WinTouch"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2008141; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Win-Touch; sid: 2008141; rev:4;) #by Jaime Blasco alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Tdss User Agent Detected (Mozzila)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozzila"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010889; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Win32.tdss; sid:2010889; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS WinButler User-Agent (WinButler)"; flow:to_server,established; content:"|0d 0a|User-Agent\: WinButler|0d 0a|"; reference:url,www.winbutler.com; reference:url,www.prevx.com/filenames/239975745155427649-0/WINBUTLER.EXE.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008190; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_WinButler; sid:2008190; rev:4;) #Matt Jonkman, from spyware lp data and Castlecops alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Winfixmaster.com Fake Anti-Spyware User-Agent (WinFixMaster)"; flow:to_server,established; content:"User-Agent\: WinFixMaster"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003544; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Winfix; sid:2003544; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Winfixmaster.com Fake 
Anti-Spyware User-Agent 2 (WinFix Master)"; flow:to_server,established; content:"User-Agent\: WinFixMaster"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003545; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Winfix; sid:2003545; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Winsoftware.com Fake AV User-Agent (DNS Extractor)"; flow:to_server,established; content:"User-Agent\: DNS Extractor"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003567; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Winfix; sid:2003567; rev:6;) #Matt Jonkman, from spywarelp data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Winsoftware.com Spyware User-Agent (Updater)"; flow:to_server,established; content:"User-Agent\: Updater|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003470; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Winfix; sid:2003470; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS WinSoftware.com Spyware User-Agent (WinSoftware)"; flow:to_server,established; content:"User-Agent\: WinSoftware"; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation%2c%20Inc.%20(v)&threatid=90037; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003527; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Winsoftware; sid:2003527; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS WinSoftware.com Spyware User-Agent (NetInstaller)"; flow:to_server,established; content:"User-Agent\: NetInstaller"; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation,%20Inc.%20(v)&threatid=90037; classtype:trojan-activity; 
reference:url,doc.emergingthreats.net/2003528; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Winsoftware; sid:2003528; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS XupiterToolbar Spyware User Agent Activity"; flow: to_server,established; content:"User-Agent\:"; nocase; content:"XupiterToolbar"; within:150; pcre:"/User-Agent\:[^\n]+XupiterToolbar/i"; classtype: trojan-activity; reference:url,castlecops.com/tk781-Xupitertoolbar_dll_t_dll.html; reference:url,doc.emergingthreats.net/2002071; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Xupiter; sid: 2002071; rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Hotbar Spyware User Agent"; flow: established,to_server; content:"User-Agent\:"; nocase; content:"Hotbar"; within:150; pcre:"/User-Agent\:[^\n]+Hotbar/i"; threshold: type limit, count 1, seconds 360, track by_src; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001858; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Zango_Hotbar; sid:2001858; rev:22;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Hotbar Spyware User-Agent"; flow: to_server,established; content:"User-Agent\: host"; nocase; pcre:"/User-Agent\:[^\n]+host(ie|oe|oi|ol)/i"; reference:url,www.doxdesk.com/parasite/Hotbar.html; reference:url,www.pchell.com/support/hotbar.shtml; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002164; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Zango_Hotbar; sid:2002164; rev:10;) #Matt Jonkman, From spyware listening post data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Zango-Hotbar User Agent"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"zb-hb-"; within:150; pcre:"/User-Agent\:[^\n]+zb-hb-/i"; classtype:trojan-activity; 
reference:url,doc.emergingthreats.net/2003223; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Zango_Hotbar; sid:2003223; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Zango-Hotbar User Agent (zbu-hb-)"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"zbu-hb-"; within:150; pcre:"/User-Agent\:[^\n]+zbu-hb-/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003305; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Zango_Hotbar; sid:2003305; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Spamblockerutility.com-Hotbar User Agent (sbu-hb-)"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"sbu-hb-"; within:150; pcre:"/User-Agent\:[^\n]+sbu-hb-/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003363; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Zango_Hotbar; sid:2003363; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Hotbar Zango Toolbar Spyware User Agent (ZangoToolbar )"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"ZangoToolbar"; within:150; pcre:"/User-Agent\:[^\n]+ZangoToolbar\d/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003365; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Zango_Hotbar; sid:2003365; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Hotbar Tools Spyware User Agent (hbtools)"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"hbtools "; within:150; pcre:"/User-Agent\:[^\n]+hbtools \d/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003383; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Zango_Hotbar; sid:2003383; rev:6;) alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS 180 Solutions (Zango Installer) User Agent"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"SAIv"; within:150; pcre:"/User-Agent\:[^\n]+SAIv/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003062; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Zango_Hotbar; sid:2003062; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Zango Seekmo Bar Spyware User-Agent (Seekmo Toolbar)"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"Seekmo"; within:150; pcre:"/User-Agent\:[^\n]+Seekmo/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003397; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Zango_Hotbar; sid:2003397; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Zango Cash Spyware User Agent (ZC-Bridgev26)"; flow:established,to_server; content:"User-Agent\: ZC-Bridgev"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006780; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Zango_Hotbar; sid:2006780; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Zango Cash Spyware User Agent (ZC XML-RPC C++ Client)"; flow:established,to_server; content:"User-Agent\: ZC XML-RPC"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006781; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Zango_Hotbar; sid:2006781; rev:35;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Gator Agent Traffic"; flow: to_server,established; content:"User-Agent\:"; nocase; content:" Gator"; nocase; within:150; pcre:"/User-Agent\:[^\n]+Gator/i"; classtype: policy-violation; reference:url,doc.emergingthreats.net/2000026; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Zango_Hotbar; sid: 2000026; rev:33;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Wild Tangent Agent Activity"; flow: to_server,established; content:"User-Agent\:"; nocase; content:"WildTangent"; within:150; pcre:"/User-Agent\:[^\n]+Wildtangent/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001639; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Zango_Hotbar; sid: 2001639; rev:26;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS ZenoSearch Spyware User-Agent"; flow:to_server,established; content:"|0d 0a|User-Agent\: ["; pcre:"/User-Agent\: \[.*\][A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008279; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Zeno; sid:2008279; rev:6;) #by jack pepper alert tcp $EXTERNAL_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS ZmEu exploit scanner"; flow:established,to_server; content:"|0d 0a|User-Agent\: Made by ZmEu"; threshold: type limit, track by_src, seconds 180, count 1; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2010705; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_ZmEu; sid:2010715; rev:2;) #by Jerry at cybercave alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (asp2009)"; flow: established, to_server; content:"|0d 0a|User-Agent\: asp2009|0d 0a|"; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=6cad864a439da7bbd6f1cec941cca72b; reference:url,doc.emergingthreats.net/2010136; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_asp2009; sid:2010136; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS iWon Spyware 
(iWonSearchAssistant)"; flow:to_server,established; content:"User-Agent\: iWonSearch"; reference:url,www.spywareguide.com/product_show.php?id=461; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002169; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_iWon; sid:2002169; rev:11;) #by Mike Cox alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (iexplore)"; flow:established,to_server; content:"|0d 0a|User-Agent\: iexplore|0d 0a|"; nocase; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2000466; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_iexplore; sid:2000466; rev:3;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS iwin.com Games/Spyware User-Agent (iWin GameInfo Installer Helper)"; flow:established,to_server; content:"|0d 0a|User-Agent\: iWin "; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008558; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_iwin; sid:2008558; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Download UBAgent User Agent - lop.com and other spyware"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"Download UBAgent"; within:150; pcre:"/User-Agent\:[^\n]+Download UBAgent/i"; classtype:trojan-activity; reference:url,www.spywareinfo.com/articles/lop/; reference:url,doc.emergingthreats.net/2003345; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_lop; sid:2003345; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS ZCOM Adware/Spyware User-Agent (ZCOM Software)"; flow:established,to_server; content:"|0d 0a|User-Agent\: ZCOM"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008503; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_zcom; sid:2008503; rev:4;)