Snort mailing list archives
Re: Proposed Rules for Acunetix Scanner
From: lists () packetmail net
Date: Fri, 6 Jan 2017 13:52:48 -0600
Cool, no worries. Cheers guys. On 01/06/17 13:13, Joshua Williams wrote:
Nathan, Thanks for the submission. After careful consideration, we are going to hold off on using these rules. While the new rules would work, the 9 rules we already have in place already alert. We could technically add tons of different rules that detect Acunetix scanning, but at the end of the day the traffic is already triggering an alert. Thanks for letting us know! -- Josh Williams Detection Response Team TALOS Security Group On Tue, Jan 3, 2017 at 3:44 PM, <lists () packetmail net <mailto:lists () packetmail net>> wrote: No worries, Happy GNU Year ;) On 01/03/17 14:39, Joshua Williams wrote: > Nathan, > > Thanks for the submission. Sorry for the delay, I've been out of the office for > a little bit. I'll review these and get back to you once they've finished testing. > > -- > Josh Williams > Detection Response Team > TALOS Security Group > > On Wed, Dec 28, 2016 at 11:58 AM, <lists () packetmail net <mailto:lists () packetmail net> > <mailto:lists () packetmail net <mailto:lists () packetmail net>>> wrote: > > In hindsight, classtype:web-application-attack; may make more sense. > > On 12/28/16 10:47, lists () packetmail net <mailto:lists () packetmail net> <mailto:lists () packetmail net <mailto:lists () packetmail net>> wrote: > > I did not see similar in the VRT ruleset and wanted to propose the following for > > inclusion into the VRT COMMUNITY ruleset. I am unable to share a PCAP due to > > confidentiality, however, these should match: > > > > alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"VRT COMMUNITY > > Acunetix scan in progress acunetix_wvs_security_test in http_uri"; > > flow:established,to_server; content:"acunetix_wvs_security_test"; http_uri; > > fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; > > reference:url,www.acunetix.com/ <http://www.acunetix.com/> <http://www.acunetix.com/>; classtype:attempted-recon; > sid:X; rev:1;) > > > > alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"VRT COMMUNITY > > Acunetix scan in progress acunetix variable in http_uri"; > > flow:established,to_server; content:"|24|acunetix"; http_uri; fast_pattern:only; > > threshold: type limit, count 1, seconds 60, track by_src; > > reference:url,www.acunetix.com/ <http://www.acunetix.com/> <http://www.acunetix.com/>; classtype:attempted-recon; > sid:X; rev:1;) > > > > > > > > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, SlashDot.org! http://sdm.link/slashdot > _______________________________________________ > Snort-sigs mailing list > Snort-sigs () lists sourceforge net <mailto:Snort-sigs () lists sourceforge net> <mailto:Snort-sigs () lists sourceforge net <mailto:Snort-sigs () lists sourceforge net>> > https://lists.sourceforge.net/lists/listinfo/snort-sigs <https://lists.sourceforge.net/lists/listinfo/snort-sigs> > <https://lists.sourceforge.net/lists/listinfo/snort-sigs <https://lists.sourceforge.net/lists/listinfo/snort-sigs>> > > http://www.snort.org > > Please visit http://blog.snort.org for the latest news about Snort! > > Visit the Snort.org to subscribe to the official Snort ruleset, make sure to > stay up to date to catch the most <a href=" > https://snort.org/downloads/#rule-downloads <https://snort.org/downloads/#rule-downloads> > <https://snort.org/downloads/#rule-downloads <https://snort.org/downloads/#rule-downloads>>">emerging threats</a>! > >
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Current thread:
- Re: Proposed Rules for Acunetix Scanner Joshua Williams (Jan 03)
- Re: Proposed Rules for Acunetix Scanner lists (Jan 03)
- <Possible follow-ups>
- Re: Proposed Rules for Acunetix Scanner lists (Jan 06)
- Re: Proposed Rules for Acunetix Scanner Joel Esler (jesler) (Jan 08)
- Re: Proposed Rules for Acunetix Scanner Joshua Williams (Jan 10)
- Re: Proposed Rules for Acunetix Scanner Joel Esler (jesler) (Jan 08)