Malware User Agent

Detects suspicious user agent strings used by malware in proxy logs

Rule Content

- title: Malware User Agent
  id: 5c84856b-55a5-45f1-826f-13f37250cf4e
  status: experimental
  description: Detects suspicious user agent strings used by malware in proxy logs
  references:
  - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
  - http://www.botopedia.org/search?searchword=scan&searchphrase=all
  - https://networkraptor.blogspot.com/2015/01/user-agent-strings.html
  - https://perishablepress.com/blacklist/ua-2013.txt
  - https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
  author: Florian Roth
  logsource:
    category: proxy
    product: null
    service: null
  detection:
    selection:
      c-useragent:
      - Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0
      - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
      - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
      - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR  1.1.4322)
      - HttpBrowser/1.0
      - '*<|>*'
      - nsis_inetc (mozilla)
      - Wget/1.9+cvs-stable (Red Hat modified)
      - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)
      - '*zeroup*'
      - Mozilla/5.0 (Windows NT 5.1 ; v.*
      - '* adlib/*'
      - '* tiny'
      - '* BGroom *'
      - '* changhuatong'
      - '* CholTBAgent'
      - Mozilla/5.0 WinInet
      - RookIE/1.0
      - M
      - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
      - Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)
      - backdoorbot
      - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401
        Firefox/3.6.1 (.NET CLR 3.5.30731)
      - Opera/8.81 (Windows NT 6.0; U; en)
      - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401
        Firefox/3.6.1 (.NET CLR 3.5.30729)
      - Opera
      - Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
      - Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
      - MSIE
      - '*(Charon; Inferno)'
      - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)
      - Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)
      - Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)
      - Mozilla/5.0 (Windows NT 10.0; Win64; x64)
      - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
      - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)
      - '* pxyscand*'
      - '* asd'
      - '* mdms'
      - sample
      - nocase
      - Moxilla
      - Win32 *
      - '*Microsoft Internet Explorer*'
      - agent *
      - AutoIt
      - IczelionDownLoad
    condition: selection
  fields:
  - ClientIP
  - c-uri
  - c-useragent
  falsepositives:
  - Unknown
  level: high
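As an added worked example (not part of the rule above or of the HELK notebook it is rendered in), the following Python reproduces Sigma's matching semantics for this selection and runs it over a few constructed proxy records. It makes visible a caveat worth knowing before tuning the rule: a bare value such as `M` or `MSIE` is a case-insensitive match against the whole user-agent string, not a substring search, and `Mozilla/5.0 (Windows NT 10.0; Win64; x64)` only fires on a user agent that is exactly that truncated string, not on a full Chrome user agent that begins with it. The value list is a representative subset of the rule's list; the log records are constructed.

```python
import re

# Representative subset of the c-useragent values from the rule above.
# Sigma semantics: a plain value is a case-insensitive full-string match,
# '*' matches any run of characters and '?' matches a single character.
RULE_VALUES = [
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "HttpBrowser/1.0",
    "*<|>*",
    "*zeroup*",
    "Mozilla/5.0 (Windows NT 5.1 ; v.*",
    "* adlib/*",
    "* tiny",
    "M",
    "MSIE",
    "Win32 *",
    "*Microsoft Internet Explorer*",
    "agent *",
    "AutoIt",
]


def sigma_value_to_regex(value: str) -> re.Pattern:
    """Translate one Sigma string value into an anchored, case-insensitive regex."""
    parts = []
    for ch in value:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


COMPILED = [(v, sigma_value_to_regex(v)) for v in RULE_VALUES]


def matching_value(user_agent: str):
    """Return the first rule value that matches the user agent, or None."""
    for value, rx in COMPILED:
        if rx.match(user_agent):
            return value
    return None


def scan_proxy_log(records):
    """Apply the selection to proxy records (dicts keyed like the rule's fields)."""
    hits = []
    for rec in records:
        ua = rec.get("c-useragent", "")
        value = matching_value(ua)
        if value is not None:
            hits.append({"ClientIP": rec.get("ClientIP"), "c-uri": rec.get("c-uri"),
                         "c-useragent": ua, "matched": value})
    return hits


# Constructed sample records, not real proxy data.
SAMPLE_LOG = [
    {"ClientIP": "10.0.0.5", "c-uri": "/update.php", "c-useragent": "HttpBrowser/1.0"},
    # A full Chrome user agent: begins with a rule value but is not equal to it, so no hit.
    {"ClientIP": "10.0.0.6", "c-uri": "/", "c-useragent":
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"},
    # The bare, truncated string the rule actually lists: hit.
    {"ClientIP": "10.0.0.7", "c-uri": "/c", "c-useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    {"ClientIP": "10.0.0.8", "c-uri": "/gate.php", "c-useragent": "autoit"},
    {"ClientIP": "10.0.0.9", "c-uri": "/api", "c-useragent": "Mozilla/5.0 (Windows NT 5.1 ; v.12) foo"},
    # 'MSIE' in the rule has no wildcard, so this substring occurrence is not a hit.
    {"ClientIP": "10.0.0.10", "c-uri": "/x", "c-useragent": "MSIE 6.0 custom"},
    {"ClientIP": "10.0.0.11", "c-uri": "/y", "c-useragent": "bot|<|>|beacon"},
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

Five of the seven constructed records match. When this rule is ported to a backend that does substring matching by default, the short values (`M`, `MSIE`, `Opera`, `sample`) become far noisier than the author intended, so the full-string semantics are worth preserving explicitly.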

Querying Elasticsearch

Import Libraries


In [ ]:
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd

Initialize Elasticsearch client


In [ ]:
# HELK's Elasticsearch endpoint; the index pattern covers all HELK log indices
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-*', doc_type='doc')

Run Elasticsearch Query


In [ ]:
s = searchContext.query('query_string', query='c-useragent.keyword:(Mozilla\/5.0\ \(Windows\ NT\ 6.1;\ WOW64;\ rv\:53.0\)\ Gecko\/20100101\ Chrome\ \/53.0 OR Mozilla\/4.0\ \(compatible;\ MSIE\ 8.0;\ Windows\ NT\ 5.1\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 7.0;\ Windows\ NT\ 5.1;\ Trident\/4.0\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 6.0;\ Windows\ NT\ 5.0;\ .NET\ CLR\ \ 1.1.4322\) OR HttpBrowser\/1.0 OR *|* OR nsis_inetc\ \(mozilla\) OR Wget\/1.9\+cvs\-stable\ \(Red\ Hat\ modified\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 8.0;\ Windows\ NT\ 6.1;\ Trident\/4.0;\ .NET\ CLR\ 1.1.4322\) OR *zeroup* OR Mozilla\/5.0\ \(Windows\ NT\ 5.1\ ;\ v.* OR *\ adlib\/* OR *\ tiny OR *\ BGroom\ * OR *\ changhuatong OR *\ CholTBAgent OR Mozilla\/5.0\ WinInet OR RookIE\/1.0 OR M OR Mozilla\/4.0\ \(compatible;\ MSIE\ 8.0;\ Windows\ NT\ 5.1;\ Trident\/4.0\) OR Mozilla\/4.0\ \(compatible;MSIE\ 7.0;Windows\ NT\ 6.0\) OR backdoorbot OR Mozilla\/5.0\ \(Windows;\ U;\ Windows\ NT\ 5.1;\ en\-US;\ rv\:1.9.2.3\)\ Gecko\/20100401\ Firefox\/3.6.1\ \(.NET\ CLR\ 3.5.30731\) OR Opera\/8.81\ \(Windows\ NT\ 6.0;\ U;\ en\) OR Mozilla\/5.0\ \(Windows;\ U;\ Windows\ NT\ 5.1;\ en\-US;\ rv\:1.9.2.3\)\ Gecko\/20100401\ Firefox\/3.6.1\ \(.NET\ CLR\ 3.5.30729\) OR Opera OR Mozilla\/4.0\ \(compatible;\ MSIE\ 5.0;\ Windows\ 98\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 5.01;\ Windows\ NT\ 5.0\) OR MSIE OR *\(Charon;\ Inferno\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 8.0;\ Windows\ NT\ 5.1;\ Trident\/5.0\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 6.1;\ Windows\ NT\) OR Mozilla\/4.0\(compatible;\ MSIE\ 6.0;\ Windows\ NT\ 5.1\) OR Mozilla\/5.0\ \(Windows\ NT\ 10.0;\ Win64;\ x64\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 8.0;\ Windows\ NT\ 10.0;\ Win64;\ x64\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 8.0;\ Windows\ NT\ 6.1;\ Win64;\ x64\) OR *\ pxyscand* OR *\ asd OR *\ mdms OR sample OR nocase OR Moxilla OR Win32\ * OR *Microsoft\ Internet\ Explorer* OR agent\ * OR AutoIt OR IczelionDownLoad)')
response = s.execute()
df = pd.DataFrame()  # empty frame so the next cell still runs when the query fails
if response.success():
    # scan() pages through every hit instead of the first page returned by execute()
    df = pd.DataFrame((d.to_dict() for d in s.scan()))
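The query above runs against the untokenized `c-useragent.keyword` field, so each term has to match the whole user-agent string (with `*` still acting as a wildcard), which is what keeps Sigma's full-string semantics intact in Elasticsearch. Every value is escaped for Lucene's query_string syntax; an unescaped `:` in `rv:53.0`, for instance, would be parsed as a field name. As an added example (not the Sigma converter's own code; the escape set is inferred from the rendered query and from query_string's reserved-character list, and is an assumption), the following Python reproduces that escaping and rebuilds the query from rule values, so it can be checked against fragments of the query shown above:

```python
import re

# Characters given a backslash in the rendered query: Lucene query_string reserved
# characters except the wildcards '*' and '?', plus whitespace and the operators
# '&&' and '||'. Assumed from the page's output, not taken from the converter.
_ESCAPE_RE = re.compile(r'(\s|[+\-=!(){}\[\]^"~:/\\]|&&|\|\|)')


def lucene_escape(value: str) -> str:
    """Escape one Sigma value so query_string treats it as a literal term (wildcards kept)."""
    return _ESCAPE_RE.sub(lambda m: "\\" + m.group(1), value)


def build_query(field: str, values) -> str:
    """Join escaped values with OR under one field, as the rendered query does."""
    return field + ":(" + " OR ".join(lucene_escape(v) for v in values) + ")"


# A few values copied from the rule; the expected output is the page's own rendering.
CHECKS = {
    "Wget/1.9+cvs-stable (Red Hat modified)":
        r"Wget\/1.9\+cvs\-stable\ \(Red\ Hat\ modified\)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR  1.1.4322)":
        r"Mozilla\/4.0\ \(compatible;\ MSIE\ 6.0;\ Windows\ NT\ 5.0;\ .NET\ CLR\ \ 1.1.4322\)",
    "*zeroup*": "*zeroup*",
}


def verify_against_page() -> bool:
    """True when the escaping reproduces every rendered fragment in CHECKS."""
    return all(lucene_escape(raw) == rendered for raw, rendered in CHECKS.items())


if __name__ == "__main__":
    print(verify_against_page())
    print(build_query("c-useragent.keyword", ["HttpBrowser/1.0", "*zeroup*"]))
```

Note that double spaces survive as two escaped spaces (`CLR\ \ 1.1.4322`), so the `.NET CLR  1.1.4322` entry in the rule only matches a user agent carrying that same double space; a single-space variant is a different keyword value.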

Show Results


In [ ]:
df.head()