Snort mailing list archives

Re: Detecting w3af scans

From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 30 Sep 2015 12:35:35 -0600

On 2015-09-30 11:48 AM, Bruno Pepper wrote:

Thanks Albert in advance.

figured - "apt-get install snort" thats why the older version.

Snort Version:
Version 2.9.6.0 GRE (Build 47)

Snort Command:
snort -d -i eth0 -A console -c /etc/snort/snort.conf -l
/var/log/snort/

Prospect signature:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN
w3af User Agent"; flow: established,to_server;
content:"User-Agent|3a| w3af.sourceforge.net [7]"; http_header;
fast_pattern:only; reference:url,w3af.sourceforge.net [7];
reference:url,doc.emergingthreats.net/2007757 [1];
classtype:attempted-recon; sid:2007757; rev:12;)

Attached the PCAP and snort.conf

All the help, much appreciated.

Bruno

On Wed, Sep 30, 2015 at 9:35 PM, Al Lewis (allewi) <allewi () cisco com>
wrote:

Any reason why you aren't using the latest snort version (2.9.7.5)?
2.9.6 is pretty outdated.

Do you have a conf and pcap you can share that isn't working?

Thanks!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

-----Original Message-----
From: Bruno PEPPER [mailto:laplum3n0ir () gmail com]
Sent: Wednesday, September 30, 2015 11:45 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Detecting w3af scans
Importance: High

Hi,

I am running snort (2.9.6.0 GRE (Build 47)) on ubuntu 14.04 in the
IDS mode along with ET rules for 2.9

The snort command:
snort -d -i eth1 -c /etc/snort/snort.conf -l /var/log/snort -A
console

Emergingrules:
sid-msg.map:2007757 || ET SCAN w3af User Agent ||
url,doc.emergingthreats.net/2007757 [1] || url,w3af.sourceforge.net
[2]
sid-msg.map:2011027 || ET SCAN w3af Scan In Progress ARGENTINA Req
Method || url,doc.emergingthreats.net/2011027 [3] ||
url,w3af.sourceforge.net [2]
sid-msg.map:2011389 || ET SCAN w3af Scan Remote File Include
Retrieval || url,w3af.sourceforge.net [2]

Still unable to detect these scans, infact this seems to be the
case with a standard SQLMap as well.

Any / all help is welcome :)

Bruno.


Your source and destination are in the same netblock...change 
"$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS" to "any any -> any any" 
for testing.  Also add -k to your command line to nuke checksums.

James


------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Detecting w3af scans Bruno PEPPER (Sep 30)
- Re: Detecting w3af scans Al Lewis (allewi) (Sep 30)
  - Re: Detecting w3af scans Bruno Pepper (Sep 30)
    - Re: Detecting w3af scans James Lay (Sep 30)
- Re: Detecting w3af scans waldo kitty (Sep 30)