Snort mailing list archives
Re: Proposed Rules for Acunetix Scanner
From: Joshua Williams <joshuwi2 () sourcefire com>
Date: Tue, 3 Jan 2017 15:39:54 -0500
Nathan, Thanks for the submission. Sorry for the delay, I've been out of the office for a little bit. I'll review these and get back to you once they've finished testing. -- Josh Williams Detection Response Team TALOS Security Group On Wed, Dec 28, 2016 at 11:58 AM, <lists () packetmail net> wrote:
In hindsight, classtype:web-application-attack; may make more sense. On 12/28/16 10:47, lists () packetmail net wrote:I did not see similar in the VRT ruleset and wanted to propose thefollowing forinclusion into the VRT COMMUNITY ruleset. I am unable to share a PCAPdue toconfidentiality, however, these should match: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"VRT COMMUNITY Acunetix scan in progress acunetix_wvs_security_test in http_uri"; flow:established,to_server; content:"acunetix_wvs_security_test";http_uri;fast_pattern:only; threshold: type limit, count 1, seconds 60, trackby_src;reference:url,www.acunetix.com/; classtype:attempted-recon; sid:X;rev:1;)alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"VRT COMMUNITY Acunetix scan in progress acunetix variable in http_uri"; flow:established,to_server; content:"|24|acunetix"; http_uri;fast_pattern:only;threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.acunetix.com/; classtype:attempted-recon; sid:X;rev:1;)------------------------------------------------------------ ------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Current thread:
- Re: Proposed Rules for Acunetix Scanner Joshua Williams (Jan 03)
- Re: Proposed Rules for Acunetix Scanner lists (Jan 03)
- <Possible follow-ups>
- Re: Proposed Rules for Acunetix Scanner lists (Jan 06)
- Re: Proposed Rules for Acunetix Scanner Joel Esler (jesler) (Jan 08)
- Re: Proposed Rules for Acunetix Scanner Joshua Williams (Jan 10)
- Re: Proposed Rules for Acunetix Scanner Joel Esler (jesler) (Jan 08)