[Emerging-Sigs] sid:2008187; rev:6;

Victor Julien lists at inliniac.net
Fri Oct 14 08:06:38 EDT 2011


I think Paros/ is likely more unique than |0d 0a|User-Agent|3a|? Might
be good to add fast_pattern to content:"Paros/";. Suricata will select
the longer content otherwise, Snort probably as well.

Suricata sig:
alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN
Paros Proxy Scanner Detected"; flow:to_server,established; content:"|0d
0a|User-Agent|3a|"; content:"Paros/"; fast_pattern; distance:0;
within:150; pcre:"/User-Agent\:[^\n]+Paros\//";
reference:url,www.parosproxy.org;
reference:url,doc.emergingthreats.net/2008187;
classtype:attempted-recon; sid:2008187; rev:6;)

Btw, this could also be in http_header, no?

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------



More information about the Emerging-sigs mailing list