[Emerging-Sigs] sid:2008187; rev:6;

rmkml rmkml at free.fr
Fri Oct 14 08:56:59 EDT 2011


thx Victor,
Matt: please add http_header on sids 2011704, 2011275, 
2003631, 2009837, 2003749, 2008073, 2010906, 2010889, 2009516, 2008328, 
2010290, 2008848, 2003432, 2003433, 2008174, 2010262, 100000168, 2011576, 
2011816, 2012136, 2012251, 2012278, 2012384, 2012607, 2012619, 2012627, 
2012689, 2013076, 2013446.
Regards
Rmkml


On Fri, 14 Oct 2011, Victor Julien wrote:

> I think Paros/ is likely more unique than |0d 0a|User-Agent|3a|? Might
> be good to add fast_pattern to content:"Paros/";. Suricata will select
> the longer content otherwise, Snort probably as well.
>
> Suricata sig:
> alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Paros Proxy Scanner Detected"; flow:to_server,established; content:"|0d 0a|User-Agent|3a|"; content:"Paros/"; fast_pattern; distance:0; within:150; pcre:"/User-Agent\:[^\n]+Paros\//"; reference:url,www.parosproxy.org; reference:url,doc.emergingthreats.net/2008187; classtype:attempted-recon; sid:2008187; rev:6;)
>
> Btw, this could also be in http_header, no?
>
> -- 
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
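To make Victor's fast_pattern point concrete, here is an added Python emulation (my own, not code from the thread, Suricata or Snort) of the rule's content / distance / within / pcre chain over constructed HTTP requests; it also counts how many requests each candidate fast pattern would let through the prefilter.

```python
import re

# Constructed sample requests (not from the thread): one from Paros Proxy and
# two ordinary clients that also carry a User-Agent header.
REQUESTS = {
    "paros": (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
              b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Paros/3.2.13\r\n"
              b"Accept: */*\r\n\r\n"),
    "firefox": (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1\r\n"
                b"Accept: */*\r\n\r\n"),
    "curl": b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/7.21.6\r\n\r\n",
}

# The rule's two content matches and its pcre, as raw bytes.
CONTENT_UA = b"\r\nUser-Agent:"      # |0d 0a|User-Agent|3a|
CONTENT_PAROS = b"Paros/"
PCRE = re.compile(rb"User-Agent\:[^\n]+Paros\/")

def rule_2008187_matches(payload: bytes) -> bool:
    """Emulate the match chain: content 1, then content 2 starting at distance:0
    and ending within:150 bytes of the end of content 1, then the pcre."""
    pos = payload.find(CONTENT_UA)
    if pos < 0:
        return False
    end_of_first = pos + len(CONTENT_UA)
    window = payload[end_of_first:end_of_first + 150]   # distance:0 / within:150
    if CONTENT_PAROS not in window:
        return False
    return PCRE.search(payload) is not None

def default_fast_pattern(contents):
    """Without an explicit fast_pattern the engine prefilters on the longest content."""
    return max(contents, key=len)

def prefilter_hits(fast_pattern: bytes, requests) -> int:
    """How many requests survive the prefilter and reach full rule evaluation."""
    return sum(1 for payload in requests.values() if fast_pattern in payload)

if __name__ == "__main__":
    chosen = default_fast_pattern([CONTENT_UA, CONTENT_PAROS])
    print("default fast pattern:", chosen, "->", prefilter_hits(chosen, REQUESTS), "of", len(REQUESTS))
    print("fast_pattern on Paros/ ->", prefilter_hits(CONTENT_PAROS, REQUESTS), "of", len(REQUESTS))
    for name, payload in REQUESTS.items():
        print(name, "alerts" if rule_2008187_matches(payload) else "no alert")
```

Every request with a User-Agent header passes the default (longest-content) prefilter, while only the Paros request passes when "Paros/" is the fast pattern, which is the saving Victor describes.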

