Home | About Us | FAQ | Signature Downloads | All Projects | Submit a Signature | Mailing Lists | Feeds | Open Job Board | Sponsors | Documentation

  • RSS Latest Docs

    • 2003394
    • SnortConfSamples
    • FastFluxDNSResponseDetection
    • 2007634
    • DilipPatel
    • TestTest123
    • 2003642
    • 2007588
    • 2007688
    • 2007706

  • RSS Latest Sigs

    • VIRUS/TROJAN_PRG
    • VIRUS/TROJAN_Win32.Pakes
    • current-sids.txt
    • CURRENT_EVENTS/CURRENT_WPAD
    • current-sids.txt
    • CURRENT_EVENTS/CURRENT_WPAD
    • current-sids.txt
    • WEB/WEB_Neosploit
    • current-sids.txt
    • VIRUS/TROJAN_Win32.Pakes

  • Recent Comments

    • Buck on Guard.zip Phish, Very targeted, Sig Available
    • Lance on Guard.zip Phish, Very targeted, Sig Available
    • akgunk on Guard.zip Phish, Very targeted, Sig Available
    • Bill475382635','199440348billy@msn.com','','20.134.10.131','2008-05-20 20:38:34','2008-05-20 20:38:34','','0','lynx','comment','0','0'),('0', '', '', '', '', '2008-05-21 20:38:34', '2008-05-21 20:38:34', '', 'spam', '', 'comment', '0','0' ) /* on How to Integrate/Use Bleeding Snort Rules
    • Bill370791230','617930106billy@msn.com','','104.199.69.73','2008-05-20 20:03:22','2008-05-20 20:03:22','','0','lynx','comment','0','0'),('0', '', '', '', '', '2008-05-21 20:03:22', '2008-05-21 20:03:22', '', 'spam', '', 'comment', '0','0' ) /* on How to Integrate/Use Bleeding Snort Rules

  • Recent Posts

    • Rule & Firewall Updates Re-enabled
    • I’m Leaving Bleeding Threats!
    • Encrypted Storm Sigs
    • Windows 98 Snort Signature
    • E-Jihad Tool Sigs
    • « E-Jihad Tool Sigs
    Encrypted Storm Sigs »

    Windows 98 Snort Signature

    Win98 isn’t a security threat in itself… well mostly. But a LOT of spyware and downloaders still use old static User-Agent strings that identify them as Windows 98.

    So the following sig is out, it’s thresholded to keep the numbers down in case you run across Win98 boxes you weren’t aware of.

    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”BLEEDING-EDGE POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System”; flow:established,to_server; content:”|0d 0a|User-Agent\: “; content:”Windows 98\;”; within:50; threshold:type limit, count 1, seconds 60, track by_src; classtype:policy-violation; reference:url.doc.bleedingthreats.net/bin/view/Main/Windows98UA; sid:2007695; rev:1;)

    Don’t run this sig if you KNOW you have Win98 boxes. If you do, best of luck….

    If you Don’t have Win98 boxes then any hits on this sig should be treated as extremely suspicious, likely spyware or a downloader.

    Matt

    This entry was posted on Tuesday, November 13th, 2007 at 2:29 am and is filed under New Rules. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

    2 Responses to “Windows 98 Snort Signature”

    1. ryandgr Says:
      November 13th, 2007 at 1:32 pm

      Out of curiosity, I installed the signature on my IDS and came up with multiple clients trying to get out to this address: http://dellsupport.dellfix.com/new_dell_agent_am/gteko_01/status.txt. They are not running Windows 98 (looked at other traffic’s user agents via packet cap) so this strikes me as odd. The actual User-Agent is “Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; GtekClient)”. A quick Google has a number of hits on this, but I haven’t been able to determine its validity as of yet.

    2. jonkman Says:
      November 13th, 2007 at 1:54 pm

      Where was it going to?

    Leave a Reply

    You must be logged in to post a comment.

    Entries (RSS) and Comments (RSS)
    Copyright © 2007 Bleeding Edge Threats.
    All trademarks and copyrights on this page are owned by their respective owners. Snort® is a registered trademark of Sourcefire, Inc.