ShodanHQ Rule

[Geoff Serrao <geoff.serrao () gmail com>]

While browsing Shodanhq.com I wondered if shodan sent along the http
"Referer" header when clicking on search result links.

Sure enough, shodan passes along the http referer with the client request:

Referer: http://www.shodanhq.com/search?q=vulnerable-software

Shodanhq only indexes services listening on the following ports, so only
dest port 80 is necessary.

HTTP (80) FTP (21) SSH (22) SNMP (161) SIP (5060)

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"RECON HTTP Request with
ShodanHQ.com/search?q= in HTTP Referer header."; \
flow:established, to_server; \
content:"Referer: http://www.shodanhq.com/search?q=";, http_header; \
reference: url, http://www.shodanhq.com/search?q=vulnerable-software;
classtype: attempted-recon;)

I don't know how practical this rule is, but It would be interesting to see
if any sysadmins were to implement this rule and learn if they are listed
somewhere on shodan.

Pages increment like this:
http://www.shodanhq.com/search?q=linksys&page=2so we should be good
with that content match.

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!