<![CDATA[Snort ET MALWARE User-Agent (Internet Explorer)]]>:( i have alot of this alret in snort  SID 1:2008052

ET MALWARE User-Agent (Internet Explorer) on wan with no clue on lan

]]>https://forum.netgate.com/topic/76613/snort-et-malware-user-agent-internet-explorerRSS for NodeThu, 14 May 2026 01:30:59 GMTFri, 05 Dec 2014 18:33:17 GMT60<![CDATA[Reply to Snort ET MALWARE User-Agent (Internet Explorer) on Sat, 06 Dec 2014 02:15:10 GMT]]>Oh nevermind, maybe they are not realted after all… when i saw IE User-Agent thought it was the CVE-2014-6332...

Still... packet capture some of those and we will check if its FP or what it is...

F.

]]>https://forum.netgate.com/post/499677https://forum.netgate.com/post/499677Sat, 06 Dec 2014 02:15:10 GMT<![CDATA[Reply to Snort ET MALWARE User-Agent (Internet Explorer) on Sat, 06 Dec 2014 02:06:37 GMT]]>CVE-2014-6332 is pretty big right now, and for a vulnerability that affects ALL Internet Explorer, be sure there will be many exploits out there….

https://isc.sans.edu/forums/diary/How+bad+is+the+SCHANNEL+vulnerability+CVE-2014-6321+patched+in+MS14-066/18947/

https://github.com/rapid7/metasploit-framework/pull/4255

There are a couple of ET CURRENT EVENT rules covering those vulnerabilities...might want to run them on all interfaces

Otherwise sniff the traffic with packet capture and lets see whats in those packets.

F.

]]>https://forum.netgate.com/post/499676https://forum.netgate.com/post/499676Sat, 06 Dec 2014 02:06:37 GMT