"ET INFO Suspicious Empty User-Agent"

SID: 2007994

Revision: 22

Class Type: unknown

Metadata: affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2022_12_28

Reference:

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: to_server,established

Contents:

  • Value: "User-Agent|3a 20 0d 0a|"

  • Value: !".mcafee.com"

  • Value: !"deezer.com|0d 0a|"

  • Value: !"googlezip.net"

  • Value: !"metrics.tbliab.net|0d 0a|"

  • Value: !"dajax.com|0d 0a|"

  • Value: !"update.eset.com|0d 0a|"

  • Value: !".sketchup.com|0d 0a|"

  • Value: !".yieldmo.com|0d 0a|"

  • Value: !"ping-start.com|0d 0a|"

  • Value: !".bluekai.com"

  • Value: !".stockstracker.com"

  • Value: !".doubleclick.net"

  • Value: !".pingstart.com"

  • Value: !".colis-logistique.com"

  • Value: !"android-lrcresource.wps.com"

  • Value: !"track.package-buddy.com"

  • Value: !"talkgadget.google.com"

  • Value: !".visualstudio.com|0d 0a|"

  • Value: !".slack-edge.com|0d 0a|"

  • Value: !".slack.com|0d 0a|"

  • Value: !".lifesizecloud.com|0d 0a|"

  • Value: !"connectivitycheck.gstatic.com|0d 0a|"

Within:

PCRE:

Special Options:

  • http_header

  • http_header

  • http_header

  • http_header

  • http_header

  • http_header

  • http_header

  • http_header

  • http_header

  • http_header

  • http_header

  • http_header

  • http_header

  • http_header

  • http_header

  • http_header

  • http_header

  • http_header

  • http_header

  • http_header

  • http_header

  • http_header

  • http_header
