Snort mailing list archives

Re: Proposed Rules for Acunetix Scanner

From: lists () packetmail net
Date: Wed, 28 Dec 2016 10:58:43 -0600

In hindsight, classtype:web-application-attack; may make more sense.

On 12/28/16 10:47, lists () packetmail net wrote:

I did not see similar in the VRT ruleset and wanted to propose the following for
inclusion into the VRT COMMUNITY ruleset.  I am unable to share a PCAP due to
confidentiality, however, these should match:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"VRT COMMUNITY
Acunetix scan in progress acunetix_wvs_security_test in http_uri";
flow:established,to_server; content:"acunetix_wvs_security_test"; http_uri;
fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src;
reference:url,www.acunetix.com/; classtype:attempted-recon; sid:X; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"VRT COMMUNITY
Acunetix scan in progress acunetix variable in http_uri";
flow:established,to_server; content:"|24|acunetix"; http_uri; fast_pattern:only;
threshold: type limit, count 1, seconds 60, track by_src;
reference:url,www.acunetix.com/; classtype:attempted-recon; sid:X; rev:1;)




------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!

Current thread:

Proposed Rules for Acunetix Scanner lists (Dec 28)
- Re: Proposed Rules for Acunetix Scanner lists (Dec 28)