File: zscaler.rules

# Sagan zscaler.rules
# Copyright (c) 2009-2017, Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
#  following conditions are met:
#
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
#    from this software without specific prior written permission.
#
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************

# Sagan rules for Zscaler proxy. Currently mostly user-agent rules. 
# Added by W.E Restepo & Jennifer Shannon (2017/07/24)

# These rules match only transactions Zscaler ALLOWED ("act=Allowed"), not blocked ones, so a hit means the
# traffic reached the destination. Zscaler must log in CEF format (syslog program "CEF"); the User-Agent rules
# key on the CEF "requestClientApplication=" field, and every hit sets the "web-attack" xbit for 86400 seconds.

# --- Known-malicious User-Agent strings (sids 5003126-5003134) ---
# Each rule keys on the CEF "requestClientApplication=" field (the proxied request's
# User-Agent) and fires only on transactions Zscaler allowed ("act=Allowed"); a hit
# sets the "web-attack" xbit for 86400 seconds. Contents ending in |0D 0A| require
# the UA to be followed immediately by CRLF, i.e. to be the last thing on the line —
# NOTE(review): confirm the CEF line actually carries CRLF there, otherwise those
# rules never match.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] known Malicious user agent - MSIE 9.0 in version 10 format"; content:"requestClientApplication|3d|MSIE 9.0|0D 0A|"; reference:url,www.virustotal.com/en/file/aaf9b99314eb5201407bc82ee948c0a3a1c6b0a3288e230bc03e4c2a2b4287e3/analysis/; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003126; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] known malicious user-agent string - MSIE 7.0 na - Win.Trojan.Koobface"; content:"requestClientApplication|3d|Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| na|3B| )"; reference:url,www.virustotal.com/en/file/ef420005a10d73b840604b517c4760400ccfc6c5baba0ae5d05ec6f88e56821e/analysis/; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003127; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] known malicious user-agent string - Downloader 1.8 - Win.Trojan.Graftor"; content:"requestClientApplication|3d|Downloader 1.8|0D 0A|"; reference:url,www.virustotal.com/en/file/0F45FB61856437CB3123C4DEAC68942C17ADC6534719E583F22E3DE1F31C1CA5/analysis/; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003128; rev:1;)
# Three UAs (HttpCall, MyProgramm, Skypee) from the same Rukypee sample, hence the shared reference.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] known malicious User-Agent string - HttpCall - Win.Trojan.Rukypee"; content:"requestClientApplication|3d|HttpCall"; reference:url,www.virustotal.com/en/file/74f22eced680ca26b767b4b07ba26b98536a385249d751586915b15b56509e0d/analysis/; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003129; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] known malicious User-Agent string - MyProgramm - Win.Trojan.Rukypee"; content:"requestClientApplication|3d|MyProgramm"; reference:url,www.virustotal.com/en/file/74f22eced680ca26b767b4b07ba26b98536a385249d751586915b15b56509e0d/analysis/; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003130; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] known malicious User-Agent string - Skypee - Win.Trojan.Rukypee"; content:"requestClientApplication|3d|Skypee"; reference:url,www.virustotal.com/en/file/74f22eced680ca26b767b4b07ba26b98536a385249d751586915b15b56509e0d/analysis/; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003131; rev:1;)
# NOTE(review): the msg text below misspells "malicious" ("malicous"); it is a runtime
# string, so it is left unchanged here — fix it with a rev bump.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] known malicous user agent string - XAgent - Operation Pawn Storm"; content:"requestClientApplication|3d|XAgent"; reference:url,www.virustotal.com/en/file/7313eaf95a8a8b4c206b9afe306e7c0675a21999921a71a5a16456894571d21d/analysis/; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003132; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] known malicious user-agent string crackim"; content:"requestClientApplication|3d|crackim"; reference:url,www.virustotal.com/en/file/27fa65a3166def75feb75f8feb25dd9784b8f2518c73defcc4ed3e9f46868e76/analysis/; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003133; rev:1;)
# This content uses "+" where the UA has spaces, so it matches only the plus-encoded form of
# the field — presumably how Zscaler logs it; confirm, since the space-separated form is not covered.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Win.Trojan.Darkcpn outbound connection"; content:"requestClientApplication|3d|Mozilla/4.0+(compatible|3B|+MSIE+6.0|3B|+Windows+NT+5.1|3B|+SV1|3B|+.NET+CLR+2.0.50727)|0D 0A|"; reference:url,virustotal.com/file/cab7cd418b1114c277f84c4fe59d05bcf53babf64f16ebe86ab11641bd6bbd94/analysis/; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003134; rev:1;)

# Disabled: the MyIE 3.01 rule below (sid 5003135) only matches the generic "Mozilla/4.0 (compatible; MSIE" prefix,
# which is shared by countless legitimate clients and produced a lot of false positives.

#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] known malicious User-Agent string - MyIE 3.01"; content:"requestClientApplication|3d|Mozilla/4.0 (compatible|3B| MSIE"; reference:url,virustotal.com/en/file/8553b945e2d4b9f45c438797d6b5e73cfe2899af1f9fd87593af4fd7fb51794a/analysis/; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003135; rev:1;)
# --- Suspicious / spyware User-Agents, mostly ported from Emerging Threats (sids 5003136-5003174) ---
# Same matching pattern as above: CEF "requestClientApplication=" field, allowed traffic only,
# "web-attack" xbit set on hit.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User Agent (agent)"; content:"requestClientApplication|3d|agent"; content:!".battle.net"; reference:url,doc.emergingthreats.net/bin/view/Main/2001891; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003136; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Drivecleaner.com Spyware User-Agent (DriveCleaner Updater)"; content:"requestClientApplication|3d|DriveCleaner Updater"; reference:url,www.drivecleaner.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=DriveCleaner&threatid=44533; reference:url,doc.emergingthreats.net/2003486; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003137; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Winfixmaster.com Fake Anti-Spyware User-Agent 2 (WinFix Master)"; content:"requestClientApplication|3d|WinFix Master"; nocase; reference:url,doc.emergingthreats.net/2003545; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003138; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Vaccineprogram.co.kr Related Spyware User-Agent (Museon)"; content:"requestClientApplication|3d|Museon"; reference:url,doc.emergingthreats.net/2006418; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003139; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Vaccineprogram.co.kr Related Spyware User Agent (pcsafe)"; content:"requestClientApplication|3d|pcsafe"; reference:url,doc.emergingthreats.net/2006420; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003140; rev:1;)
# NOTE(review): ported verbatim from ET 2007616 without adapting it to log input. "http_header"
# is a Snort/Suricata buffer modifier, and the pcre (with the /H flag) requires a literal
# "User-Agent: {GUID}" header, which never appears in a CEF line — the UA lives in
# "requestClientApplication=". As written this rule cannot match on Zscaler CEF input;
# rewrite the pcre against requestClientApplication\x3d\{...\} and drop http_header and /H.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] klm123.com Spyware User Agent"; content:"requestClientApplication|3d|{"; content:!"directory.gladinet.com"; content:!"ff.avast.com|0d 0a|"; http_header; pcre:"/User-Agent\x3a \{[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\}/iH"; reference:url,doc.emergingthreats.net/2007616; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003141; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User Agent (_)"; content:"requestClientApplication|3d|_|0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2007942; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003142; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Casino Related Spyware User-Agent Detected (Viper 4.0)"; content:"requestClientApplication|3d|Mozilla/5.0 (compatible, Viper 4.0)|0d 0a|"; reference:url,doc.emergingthreats.net/2008586; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003143; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User Agent (BlackSun)"; content:"requestClientApplication|3d|BlackSun"; reference:url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008983; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003144; rev:1;)
# NOTE(review): "http_header" is a Snort/Suricata packet-buffer modifier left over from the ET
# original; it has no meaning on a log line — confirm the Sagan parser tolerates it, else remove it.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Win32.Tdss User Agent Detected (Mozzila)"; content:"requestClientApplication|3d|Mozzila"; http_header; reference:url,doc.emergingthreats.net/2010889; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003145; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User Agent (ScrapeBox)"; content:"requestClientApplication|3d|ScrapeBox"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003146; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Malware Related msndown"; content:"requestClientApplication|3d|msndown|0d 0a|"; reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=17fdf0cb5970b71b81b1a5406e017ac1; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003147; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] W32/Goolbot.E Checkin UA Detected iamx"; content:"requestClientApplication|3d|iamx/"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003148; rev:1;)
# "Win32" is only a prefix match (no |0d 0a| terminator), so any legitimate client whose UA
# starts with "Win32" will also fire; expect false positives and tune with content:! exclusions.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious Win32 User Agent"; content:"requestClientApplication|3d|Win32"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003149; rev:1;)
# NOTE(review): unlike every other rule here this one does not anchor on "requestClientApplication=",
# so " Our_Agent" anywhere in the CEF line (URL, referrer, etc.) will fire; anchor it on the UA field.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User-Agent (Our_Agent)"; content:" Our_Agent"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003151; rev:1;)
# The bare content:"GET" here (and in sids 5003164/5003165) is unanchored; it matches "GET" anywhere
# in the line, not just the request-method field.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] suspicious user-agent (REKOM)"; content:"GET"; content:"requestClientApplication|3d|REKOM"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003151; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User-Agent Moxilla"; content:"requestClientApplication|3d|Moxilla"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003152; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User-Agent VCTestClient"; content:"requestClientApplication|3d|VCTestClient"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003153; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User-Agent PrivacyInfoUpdate";  content:"requestClientApplication|3d|PrivacyInfoUpdate"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003154; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User-Agent (VMozilla)"; content:"requestClientApplication|3d|VMozilla"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fNeeris.BF; reference:url,www.avira.com/en/support-threats-description/tid/6259/tlang/en; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003155; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User-Agent Sample"; content:"requestClientApplication|3d|sample"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003156; rev:1;)
# NOTE(review): parse_src_ip/parse_dst_ip are 1/2 here but 2/1 in every other rule in this file, so
# this alert will report source and destination swapped relative to its siblings. Almost certainly
# a typo — confirm against a sample event and change to "parse_src_ip: 2; parse_dst_ip: 1;".
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User-Agent Mozilla/3.0"; content:"requestClientApplication|3d|Mozilla/3.0|0d 0a|"; parse_src_ip: 1; parse_dst_ip: 2; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003157; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Optimum Installer User-Agent IE6 on Windows XP";  content:"requestClientApplication|3d|IE6 on Windows XP"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003158; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] suspicious User Agent (Lotto)"; content:"requestClientApplication|3d|Lotto"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003159; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User-Agent String (AskPartnerCobranding)"; content:"requestClientApplication|3d|AskPartner"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003160; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Backdoor.Win32.Vertexbot.A User-Agent (VERTEXNET)"; content:"requestClientApplication|3d|VERTEXNET"; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2011-032315-2902-99&tabid=2; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003161; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] suspicious user agent string (changhuatong)"; content:"requestClientApplication|3d|changhuatong|0d 0a|"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003162; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] suspicious user agent string (CholTBAgent)"; content:"requestClientApplication|3d|CholTBAgent"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003163; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious user agent (mdms)"; content:"GET"; content:"requestClientApplication|3d|mdms|0d 0a|"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003164; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious user agent (asd)"; content:"GET"; content:"requestClientApplication|3d|asd|0d 0a|"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003165; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User-Agent SimpleClient 1.0"; content:"requestClientApplication|3d|SimpleClient "; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:bad-unknown; sid:5003166; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Known Skunkx DDOS Bot User-Agent Cyberdog"; content:"requestClientApplication|3d|Cyberdog"; reference:url,asert.arbornetworks.com/2011/03/skunkx-ddos-bot-analysis/; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003167; rev:1;)
# NOTE(review): there is an empty option ("; ;") right after msg — some rule parsers reject this;
# remove the stray semicolon. The header is $EXTERNAL_NET -> $HOME_NET ("Inbound") but the options
# are identical to the outbound twin (act=Allowed, parse_src_ip: 2), so confirm an inbound variant
# is actually reachable from forward-proxy logs before keeping both.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ZSCALER] EmailSiphon Suspicious User-Agent Inbound"; ; content:"requestClientApplication|3d|EmailSiphon"; reference:url,www.useragentstring.com/pages/useragentstring.php; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:attempted-recon; sid:5003168; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] EmailSiphon Suspicious User-Agent Outbound"; content:"requestClientApplication|3d|EmailSiphon"; reference:url,www.useragentstring.com/pages/useragentstring.php; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:attempted-recon; sid:5003169; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Binget PHP Library User Agent Outbound"; content:"requestClientApplication|3d|Binget/"; reference:url,www.bin-co.com/php/scripts/load/; reference:url,www.useragentstring.com/pages/useragentstring.php; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:attempted-recon; sid:5003170; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] pxyscand/ Suspicious User Agent Outbound"; content:"requestClientApplication|3d|pxyscand/"; reference:url,www.useragentstring.com/pages/useragentstring.php; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:attempted-recon; sid:5003171; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] PyCurl Suspicious User Agent Outbound"; content:"requestClientApplication|3d|PyCurl"; reference:url,www.useragentstring.com/pages/useragentstring.php; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:attempted-recon; sid:5003172; rev:1;)
# NOTE(review): "fwsam: src, 1 day" is a Snort-era firewall-blocking option carried over from the
# original signature; confirm this Sagan build honours it, otherwise it is dead weight (and a
# one-day block keyed on a UA string is a risky automatic response). Same inbound caveat as sid 5003168.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ZSCALER] Atomic_Email_Hunter User-Agent Inbound"; content:"requestClientApplication|3d|Atomic_Email_Hunter/"; reference:url,www.useragentstring.com/pages/useragentstring.php; fwsam: src, 1 day; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:attempted-recon; sid:5003173; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Atomic_Email_Hunter User-Agent Outbound"; content:"requestClientApplication|3d|Atomic_Email_Hunter/"; reference:url,www.useragentstring.com/pages/useragentstring.php; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:attempted-recon; sid:5003174; rev:1;)

# Disabled: this rule (sid 5003175) only matches the "Mozilla" prefix, which is far too generic and generates many false positives.

#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Avzhan DDoS Bot User-Agent MyIE"; content:"requestClientApplication|3d|Mozilla"; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; reference:url,blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003175; rev:1;)

# --- More suspicious User-Agents, incl. pentest-tool and adware agents (sids 5003176-5003196) ---
# Same matching pattern: CEF "requestClientApplication=" field, allowed traffic only, "web-attack" xbit set on hit.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Win32/OnLineGames User-Agent (Revolution Win32)"; content:"requestClientApplication|3d|Revolution"; reference:url,threatexpert.com/report.aspx?md5=1431f4ab4bbe3ad1087eb14cf4d7dff9; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003176; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Trojan Downloader User-Agent BGroom"; content:"requestClientApplication|3d|BGroom"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003177; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Trojan Downloader User-Agent (Tiny)"; content:"requestClientApplication|3d|tiny|0D 0A|"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003178; rev:1;)
# The content:! "econtrolsystems" exclusion is a known-benign client that uses the adlib/ UA.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User-Agent (adlib)"; content:! "econtrolsystems"; content:"requestClientApplication|3d|adlib/"; reference:url,blog.trendmicro.com/connections-between-droiddreamlight-and-droidkungfu/; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003179; rev:1;)
# NOTE(review): "flow:established,to_server" is a packet-stream keyword from the Snort original;
# on syslog input there is no stream state to test — confirm the parser accepts it, else remove it.
# The detection itself is the odd "Windows NT 5.1 ; v." (space before the semicolon) marker.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] W32/Kazy User-Agent (Windows NT 5.1 \; v.) space infront of semi-colon"; flow:established,to_server; content:"requestClientApplication|3d|Mozilla/5.0|20 28|Windows NT 5.1|20 3B 20|v|2E|"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003180; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] W32/Renos.Downloader User Agent zeroup"; content:"requestClientApplication|3d|zeroup"; reference:url,www.f-secure.com/v-descs/trojan_w32_renos_h.shtml; reference:md5,35ba53f6aeb6b38c1107018f271189af; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003181; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User-Agent (DownloadMR)"; content:"requestClientApplication|3d|DownloadMR"; nocase; reference:url,www.virustotal.com/en/file/93236b781e147e3ac983be1374a5f807fabd27ee2b92e6d99e293a6eb070ac2b/analysis/; reference:md5,0da0d8e664f44400c19898b4c9e71456; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003182; rev:1;)
# ChilkatUpload is a commercial HTTP library, not malware per se; classed trojan-activity here because
# it is commonly embedded in unwanted software — expect hits from legitimate in-house tools too.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] User-Agent (ChilkatUpload)"; content:"requestClientApplication|3d|ChilkatUpload"; nocase; reference:url,chilkatsoft.com; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003183; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious user agent (Google page)"; content:"requestClientApplication|3d|Google page"; nocase; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003184; rev:1;)
# NOTE(review): $EXTERNAL_NET -> $HOME_NET header but the options (act=Allowed, parse_src_ip: 2) are
# the forward-proxy pattern used by the outbound rules; confirm this direction is reachable.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ZSCALER] FOCA User-Agent"; content:"requestClientApplication|3d|FOCA|0d 0a|"; reference:url,blog.bannasties.com/2013/08/vulnerability-scans/; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003185; rev:1;)
# Metasploit's default HTTP UA ("MSIE 6.1" is not a real IE version); a hit on ALLOWED traffic here is
# a strong indicator and worth escalating beyond bad-unknown.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] MSF Meterpreter Default User Agent"; content:"requestClientApplication|3d|Mozilla/4.0 (compatible|3b 20|MSIE 6.1|3b 20|Windows NT|29 0d 0a|"; reference:url,blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:bad-unknown; sid:5003186; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] WildTangent User-Agent (WT Games App)"; content:"requestClientApplication|3d|WT|20|Games|20|App|20|"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:policy-violation; sid:5003187; rev:1;)
# Crawler UA; the threshold limits it to one alert per destination per 5 minutes. Same inbound caveat as sid 5003185.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ZSCALER] BLEXBot User-Agent"; content:"requestClientApplication|3d|Mozilla/5.0 (compatible|3b| BLEXBot/"; threshold:type limit, track by_dst, count 1, seconds 300; reference:url,webmeup.com/about.html; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:misc-activity; sid:5003188; rev:1;)
# NOTE(review): this matches a legitimate browser (Edge 12 on Windows 10, see the two contents) and is
# classed misc-activity, yet it still sets the "web-attack" xbit for 24h — every Edge user's IP inherits
# the tag the trojan rules use for correlation. Drop the xbits here or use a separate bit.
# "fast_pattern" is a Snort/Suricata keyword; confirm the Sagan parser accepts it.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Microsoft Edge on Windows 10 SET"; content:"requestClientApplication|3d|Windows NT 10."; distance:0; content:"Edge/12."; distance:0; fast_pattern; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:misc-activity; sid:5003189; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Fake Opera 8.11 UA related to Trojan Activity"; content:"requestClientApplication|3d|opera/8.11|0d 0a|"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003190; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Gator Agent Traffic"; content:"requestClientApplication|3d|Gator"; reference:url,doc.emergingthreats.net/2000026; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:policy-violation; sid:5003191; rev:1;)
# "IST" is only a three-character, case-sensitive prefix match; any UA beginning with "IST" fires — expect false positives.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] ISearchTech.com XXXPornToolbar Activity (IST)";  content:"requestClientApplication|3d|IST"; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/2001493; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003192; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Better Internet Spyware User-Agent (poller)"; content:"requestClientApplication|3d|Poller"; reference:url,doc.emergingthreats.net/2002005; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003193; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] SideStep User-Agent"; content:"requestClientApplication|3d|SideStep"; reference:url,doc.emergingthreats.net/2002078; reference:url,github.com/chetan51/sidestep/; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:misc-activity; sid:5003194; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] 180 Solutions (Zango Installer) User Agent"; content:"requestClientApplication|3d|SAIv"; reference:url,doc.emergingthreats.net/2003062; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003195; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User-Agent Fragment (WORKED)"; content:"requestClientApplication|3d|WORKED"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003196; rev:1;)


# --- Zscaler's own verdict fields (cs4 = category, cs5 = threat name) ---
# NOTE(review): the only selector beyond "Zscaler"/"act=Allowed" is a NEGATED content, so this fires
# on every allowed CEF line that does NOT contain "cs4=Clean Transaction" — including lines where cs4
# is missing or carries some other non-malware category. It relies on cs4 always being present and
# "Clean Transaction" being the only benign value; confirm against the Zscaler CEF mapping, and
# prefer a positive anchor (e.g. content:"cs4|3d|" plus the negation) so absent fields don't alert.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Detected known Malware Category"; content:!"cs4|3d|Clean Transaction"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003197; rev:1;)

# The "Mobile Device information leakage" threat name is excluded below with content:! because it fires constantly;
# re-enable it (or give it its own rule) if mobile data-leakage alerts are wanted.

# NOTE(review): like the category rule, this is driven by a NEGATED content — any allowed CEF line
# without "cs5=None" alerts, so a missing cs5 field alerts too. Confirm cs5 is always emitted, and
# consider a positive content:"cs5|3d|" anchor alongside the negation. The
# "Mobile Device information leakage" exclusion is deliberate (too noisy).
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Detected known Threat Name"; content:!"cs5|3d|None"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; content:!"Mobile Device information leakage"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003198; rev:1;)