2010677 ET MALWARE Suspicious User-Agent (My Session)

segers · December 5, 2025, 1:46pm

Alerting on legitimate outbound traffic from Aquaveo software.

rgonzalez · December 5, 2025, 4:31pm

Hi @segers , thanks! Can you share some traffic for analysis?

segers · December 5, 2025, 6:37pm

Please see attached.

Thank you!

(attachments)

request_1764773371.pcap (1.59 KB)

trobinson667 · December 5, 2025, 6:47pm

Hello @segers ,

thanks for the pcap. I’ve modified 2010677 to include a negation for the http.host field ending in aquaveo.com. These changes should go live tonight, with our daily rule releases. Provided everything goes smoothly, the daily release is typically available for download after 6pm EST.

Download and install the new ruleset at your convenience, and let us know if you continue experiencing FPs with this rule.

Thanks and happy Friday,

-Tony Robinson

segers · December 5, 2025, 7:00pm

Thank very much!

Topic		Replies	Views
Ruleset Update Summary - 2024/03/04 - v10544 Ruleset Updates	0	563	March 4, 2024
Ruleset Update Summary - 2024/12/12 - v10799 Ruleset Updates	0	206	December 12, 2024
Ruleset Update Summary - 2025/10/06 - v11032 Ruleset Updates	0	50	October 6, 2025
Ruleset Update Summary - 2024/12/13 - v10802 Ruleset Updates	0	341	December 13, 2024
SIG: ET MALWARE Gamaredon TryCloudFlare Activity - Known Delimiter in User-Agent Rule Signatures	1	66	May 22, 2025

2010677 ET MALWARE Suspicious User-Agent (My Session)

Related topics