Re: ShodanHQ Rule

[Geoffrey Serrao <gserrao () sourcefire com>]

The intent is to trigger an alert when a potential attacker visits your
webserver which he/she found using the shodanhq search engine.

I'm not sure if the rule is totally 100% practical. But thought I'd share
anyway.


On Tue, Oct 22, 2013 at 5:07 PM, Joel Esler <jesler () sourcefire com> wrote:

> Geoff,
>
> I’m confused about what you are trying to detect.  Are you trying to
> detect Shodan indexing the services on *your* network?  Is that the
> intent of the rule?
>
>
> On Oct 22, 2013, at 4:50 PM, Geoff Serrao <geoff.serrao () gmail com> wrote:
>
> While browsing Shodanhq.com I wondered if shodan sent along the http
> "Referer" header when clicking on search result links.
>
> Sure enough, shodan passes along the http referer with the client request:
>
> Referer: http://www.shodanhq.com/search?q=vulnerable-software
>
> Shodanhq only indexes services listening on the following ports, so only
> dest port 80 is necessary.
>
> HTTP (80) FTP (21) SSH (22) SNMP (161) SIP (5060)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"RECON HTTP Request with
> ShodanHQ.com/search?q= in HTTP Referer header."; \
> flow:established, to_server; \
> content:"Referer: http://www.shodanhq.com/search?q=";, http_header; \
> reference: url, http://www.shodanhq.com/search?q=vulnerable-software;
> classtype: attempted-recon;)
>
> I don't know how practical this rule is, but It would be interesting to
> see if any sysadmins were to implement this rule and learn if they are
> listed somewhere on shodan.
>
> Pages increment like this: http://www.shodanhq.com/search?q=linksys&page=2so we should be good with that content 
> match.
>
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most
> from
> the latest Intel processors and coprocessors. See abstracts and register >
>
> http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk_______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
>
>
>
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most
> from
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!



-- 
Geoffrey J. Serrao
SOURCEfire Technical Support
My office hours are 10:00 AM to 7:00 PM Eastern time, Monday - Friday. If
you need assistance outside of these hours, please contact
support () sourcefire com and another engineer will respond.

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!