Snort mailing list archives
Re: Proposed Rules for Acunetix Scanner
From: lists () packetmail net
Date: Tue, 3 Jan 2017 14:44:12 -0600
No worries, Happy GNU Year ;) On 01/03/17 14:39, Joshua Williams wrote:
Nathan, Thanks for the submission. Sorry for the delay, I've been out of the office for a little bit. I'll review these and get back to you once they've finished testing. -- Josh Williams Detection Response Team TALOS Security Group On Wed, Dec 28, 2016 at 11:58 AM, <lists () packetmail net <mailto:lists () packetmail net>> wrote: In hindsight, classtype:web-application-attack; may make more sense. On 12/28/16 10:47, lists () packetmail net <mailto:lists () packetmail net> wrote: > I did not see similar in the VRT ruleset and wanted to propose the following for > inclusion into the VRT COMMUNITY ruleset. I am unable to share a PCAP due to > confidentiality, however, these should match: > > alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"VRT COMMUNITY > Acunetix scan in progress acunetix_wvs_security_test in http_uri"; > flow:established,to_server; content:"acunetix_wvs_security_test"; http_uri; > fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; > reference:url,www.acunetix.com/ <http://www.acunetix.com/>; classtype:attempted-recon; sid:X; rev:1;) > > alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"VRT COMMUNITY > Acunetix scan in progress acunetix variable in http_uri"; > flow:established,to_server; content:"|24|acunetix"; http_uri; fast_pattern:only; > threshold: type limit, count 1, seconds 60, track by_src; > reference:url,www.acunetix.com/ <http://www.acunetix.com/>; classtype:attempted-recon; sid:X; rev:1;) > > ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net <mailto:Snort-sigs () lists sourceforge net> https://lists.sourceforge.net/lists/listinfo/snort-sigs <https://lists.sourceforge.net/lists/listinfo/snort-sigs> http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads <https://snort.org/downloads/#rule-downloads>">emerging threats</a>!
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Current thread:
- Re: Proposed Rules for Acunetix Scanner Joshua Williams (Jan 03)
- Re: Proposed Rules for Acunetix Scanner lists (Jan 03)
- <Possible follow-ups>
- Re: Proposed Rules for Acunetix Scanner lists (Jan 06)
- Re: Proposed Rules for Acunetix Scanner Joel Esler (jesler) (Jan 08)
- Re: Proposed Rules for Acunetix Scanner Joshua Williams (Jan 10)
- Re: Proposed Rules for Acunetix Scanner Joel Esler (jesler) (Jan 08)