[Emerging-Sigs] Medusa UA sig

Will Metcalf william.metcalf at gmail.com
Fri Oct 29 18:34:00 EDT 2010


Thoughts?

snort-2.8.6/snort-2.9.0
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Medusa User-Agent"; flow:established,to_server; content:"User-Agent|3A| Teh Forest Lobster"; fast_pattern:10,20; nocase; http_header; threshold:type limit, track by_src, count 1, seconds 60; classtype:attempted-recon; reference:url,www.foofus.net/~jmk/medusa/medusa.html; sid:yyyyyy; rev:1;)

snort-2.8.4/suricata
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Medusa User-Agent"; flow:established,to_server; content:"User-Agent|3A| Teh Forest Lobster"; nocase; http_header; threshold:type limit, track by_src, count 1, seconds 60; classtype:attempted-recon; reference:url,www.foofus.net/~jmk/medusa/medusa.html; sid:yyyy; rev:1;)

snort 2.4.5
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Medusa User-Agent"; flow:established,to_server; content:"User-Agent|3A| Teh Forest Lobster"; depth:300; threshold:type limit, track by_src, count 1, seconds 60; classtype:attempted-recon; reference:url,www.foofus.net/~jmk/medusa/medusa.html; sid:yyyyy; rev:1;)

Regards,

Will
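As an added illustration (not part of Will's post or of the Emerging Threats rule set), here is a small Python emulation of what the proposed signature evaluates: the case-insensitive match on "User-Agent: Teh Forest Lobster" restricted to the HTTP request header block (the http_header / nocase variant), followed by the "threshold: type limit, track by_src, count 1, seconds 60" suppression. The sample requests, source addresses and timestamps are constructed.

```python
"""Emulation of the ET SCAN Medusa User-Agent rule logic (added example)."""
from typing import Dict, List, Tuple

# Bytes from the rule's content match; nocase is emulated by lowercasing both sides.
MEDUSA_UA = b"User-Agent: Teh Forest Lobster".lower()
LIMIT_SECONDS = 60  # threshold: ... seconds 60


def ua_in_headers(request: bytes) -> bool:
    """content:"User-Agent|3A| Teh Forest Lobster"; nocase; http_header;
    Only the header block (everything before the first blank line) is inspected,
    so the same string inside a POST body does not fire the rule."""
    header_end = request.find(b"\r\n\r\n")
    headers = request if header_end < 0 else request[:header_end]
    return MEDUSA_UA in headers.lower()


class LimitThreshold:
    """threshold: type limit, track by_src, count 1, seconds N
    The first matching event from a source alerts; further matches from that
    source inside the N-second window are suppressed."""

    def __init__(self, seconds: int = LIMIT_SECONDS) -> None:
        self.seconds = seconds
        self.window_start: Dict[str, float] = {}

    def should_alert(self, src: str, now: float) -> bool:
        start = self.window_start.get(src)
        if start is None or now - start >= self.seconds:
            self.window_start[src] = now  # open a new window for this source
            return True
        return False


def run_detection(events: List[Tuple[float, str, bytes]]) -> List[Tuple[float, str]]:
    """Return (timestamp, src) for every alert the rule would raise."""
    threshold = LimitThreshold()
    return [(ts, src) for ts, src, req in events
            if ua_in_headers(req) and threshold.should_alert(src, ts)]


# Constructed sample traffic: (timestamp in seconds, client IP, raw request).
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", b"GET /login HTTP/1.1\r\nHost: x\r\nUser-Agent: Teh Forest Lobster\r\n\r\n"),
    (5.0, "10.0.0.5", b"GET /admin HTTP/1.1\r\nHost: x\r\nuser-agent: TEH FOREST LOBSTER\r\n\r\n"),
    (10.0, "10.0.0.9", b"GET / HTTP/1.1\r\nHost: x\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    (20.0, "10.0.0.9", b"POST /s HTTP/1.1\r\nHost: x\r\nUser-Agent: curl\r\n\r\nUser-Agent: Teh Forest Lobster"),
    (70.0, "10.0.0.5", b"GET /x HTTP/1.1\r\nHost: x\r\nUser-Agent: Teh Forest Lobster\r\n\r\n"),
]

if __name__ == "__main__":
    print(run_detection(SAMPLE_EVENTS))  # [(0.0, '10.0.0.5'), (70.0, '10.0.0.5')]
```

The second request from 10.0.0.5 matches but is suppressed by the 60-second limit, and the body-only occurrence from 10.0.0.9 never matches because the rule is bound to the header buffer.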

