Rule: 

--
Sid: 
18348

-- 
Summary: 
This event is generated when a system generates an HTTP request that contains a known-malicious User-Agent string.

-- 
Impact: 
The system generating the requests with the User-Agent string in question is likely infected with malware, or may have been exposed to malicious code.

--
Detailed Information:
The Sourcefire VRT maintains a set of User-Agent strings from HTTP requests generated by malware-infected machines with no human interaction; all traffic from the machines is known to be generated by malware. After applying an extensive whitelist, the VRT pulls out the most common User-Agent strings and adds them to its blacklist.rules category. The supplied reference lists the md5sum of the piece of malware used to infect the machine that generated the traffic in question.
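The following is an added illustration of the whitelist-then-blacklist matching described above, not code from the VRT or from the Snort rule itself. It extracts the User-Agent header from raw HTTP requests, skips anything that matches a whitelist of legitimate prefixes, and then alerts on exact (case-insensitive) matches against a blacklist. The sample requests, the whitelist prefixes and the bot User-Agent strings are all constructed placeholders for the example; they are not the string that SID 18348 matches, which the page does not reproduce.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample requests for this example; none is real malware
# traffic, and the bot User-Agent strings are hypothetical placeholders,
# not the string that SID 18348 matches.
SAMPLE_REQUESTS = [
    b"GET /update HTTP/1.1\r\nHost: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) Gecko/20100101 Firefox/9.0\r\n\r\n",
    b"GET /gate.php?id=1 HTTP/1.1\r\nHost: 198.51.100.7\r\n"
    b"User-Agent: HYPOTHETICAL-BOT-UA/1.0\r\n\r\n",
    # Same bot string with odd casing and whitespace, to show normalisation.
    b"POST /ping HTTP/1.1\r\nHost: 203.0.113.9\r\n"
    b"user-agent:   hypothetical-bot-ua/1.0 \r\nContent-Length: 0\r\n\r\n",
    # No User-Agent header at all.
    b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
]

# Hypothetical whitelist: prefixes of User-Agent strings produced by
# legitimate software. It is consulted before the blacklist, as the VRT
# process applies the whitelist first.
WHITELIST_PREFIXES = ("mozilla/", "microsoft-cryptoapi/", "windows-update-agent")

# Hypothetical blacklist: exact User-Agent strings (lower-cased) seen only
# in traffic from malware-infected machines.
BLACKLIST = {"hypothetical-bot-ua/1.0"}


def parse_user_agent(raw: bytes) -> Optional[str]:
    """Return the User-Agent header value of a raw HTTP request, or None.

    Header names are matched case-insensitively and the value is stripped
    of surrounding whitespace, mirroring how an HTTP header is interpreted.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    header_lines = head.split(b"\r\n")[1:]  # skip the request line
    for line in header_lines:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip().decode("latin-1")
    return None


def classify(ua: Optional[str]) -> str:
    """Classify a User-Agent value: whitelist first, then blacklist."""
    if ua is None:
        return "no-user-agent"
    norm = ua.lower()
    if norm.startswith(WHITELIST_PREFIXES):
        return "whitelisted"
    if norm in BLACKLIST:
        return "blacklisted"
    return "unknown"


def scan(requests: List[bytes]) -> List[Tuple[int, str]]:
    """Return (index, User-Agent) for every request that would raise an alert."""
    alerts = []
    for i, raw in enumerate(requests):
        ua = parse_user_agent(raw)
        if classify(ua) == "blacklisted":
            alerts.append((i, ua))
    return alerts


if __name__ == "__main__":
    for i, ua in scan(SAMPLE_REQUESTS):
        print(f"request {i}: blacklisted User-Agent {ua!r}")
```

Running the script alerts on requests 1 and 2 only: the browser request is cleared by the whitelist before the blacklist is ever consulted, and the request with no User-Agent header produces no match. Note that the whitelist is deliberately prefix-based and the blacklist exact-match, so a malware string that happens to embed a whitelisted prefix would be missed; that trade-off is the source of the false negatives a whitelist-first process can introduce.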

--
Affected Systems:
All Windows versions

--
Attack Scenarios: 
This alert is likely generated by malware communicating with the Internet in the background on an infected machine.

-- 
Ease of Attack: 
Easy; the machine is likely already infected.

-- 
False Positives:
Occasionally the VRT's whitelisting process may miss a legitimate User-Agent string. If you believe that the User-Agent string matched by this rule is legitimate, please notify us at fp@sourcefire.com so we can investigate.

--
False Negatives:
None Known

-- 
Corrective Action: 
Scan the machine in question for malicious software. The VRT recommends ClamAV for Windows 3.0.

--
Contributors:
Sourcefire Vulnerability Research Team

-- 
Additional References:

http://labs.snort.org/docs/18348.html

--
