[Emerging-Sigs] sid:2008187; rev:6;

Matthew Jonkman jonkman at emergingthreatspro.com
Wed Oct 19 12:01:02 EDT 2011


Changes done up, made all platforms and engines more efficient.

Thanks!

Matt


On Oct 14, 2011, at 8:06 AM, Victor Julien wrote:

> I think Paros/ is likely more unique than |0d 0a|User-Agent|3a|? Might
> be good to add fast_pattern to content:"Paros/";. Suricata will select
> the longer content otherwise, Snort probably as well.
> 
> Suricata sig:
> alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Paros Proxy Scanner Detected"; \
>   flow:to_server,established; \
>   content:"|0d 0a|User-Agent|3a|"; \
>   content:"Paros/"; fast_pattern; distance:0; within:150; \
>   pcre:"/User-Agent\:[^\n]+Paros\//"; \
>   reference:url,www.parosproxy.org; reference:url,doc.emergingthreats.net/2008187; \
>   classtype:attempted-recon; sid:2008187; rev:6;)
> 
> Btw, this could also be in http_header, no?
> 
> -- 
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
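The point Victor raises about which content feeds the multi-pattern prefilter, together with the content / distance / within / pcre chain of the posted rule, as an added Python illustration. This is not code from the thread, from Suricata or from Snort: it models only the rule's own matches on the raw request (not the http_header buffer), takes the thread's statement that the longest content is chosen by default as its rule, and runs over three constructed HTTP requests (not real captures). All function names are mine.

```python
import re

# Content matches from ET SCAN sid:2008187 rev:6 as posted in the thread.
# |0d 0a|User-Agent|3a| is 13 bytes; "Paros/" is 6 bytes.
UA_HEADER = b"\r\nUser-Agent:"
PAROS = b"Paros/"
WITHIN = 150                       # within:150 on the second content
PCRE = re.compile(rb"User-Agent\:[^\n]+Paros\/")

# Constructed sample requests (not real captures).
REQ_PAROS = (b"GET / HTTP/1.1\r\n"
             b"Host: example.com\r\n"
             b"User-Agent: Mozilla/4.0 (compatible; Paros/3.2.13)\r\n\r\n")
REQ_BENIGN = (b"GET / HTTP/1.1\r\n"
              b"Host: example.com\r\n"
              b"User-Agent: Mozilla/5.0\r\n\r\n")
# "Paros/" appears, but on a different header line than User-Agent.
REQ_OTHER_HDR = (b"GET / HTTP/1.1\r\n"
                 b"Host: example.com\r\n"
                 b"User-Agent: Mozilla/5.0\r\n"
                 b"X-Note: Paros/ mentioned elsewhere\r\n\r\n")
SAMPLES = [REQ_PAROS, REQ_BENIGN, REQ_OTHER_HDR]


def choose_fast_pattern(contents, explicit=None):
    """Pick the content handed to the multi-pattern prefilter.
    Default, as described in the thread: the longest content wins.
    A content flagged fast_pattern overrides that choice."""
    if explicit is not None:
        return explicit
    return max(contents, key=len)


def prefilter_workload(payloads, fast_pattern):
    """How many payloads survive the prefilter and reach full rule evaluation."""
    return sum(1 for p in payloads if fast_pattern in p)


def content_stage(payload):
    r"""content:"|0d 0a|User-Agent|3a|"; content:"Paros/"; distance:0; within:150;
    The second match must start at or after the end of the first and end no
    more than 150 bytes past it; every occurrence of the first content is tried
    (simplified model of the engines' relative-content semantics)."""
    pos = payload.find(UA_HEADER)
    while pos >= 0:
        start = pos + len(UA_HEADER)
        if PAROS in payload[start:start + WITHIN]:
            return True
        pos = payload.find(UA_HEADER, pos + 1)
    return False


def rule_matches(payload):
    r"""Full rule: both contents in order, then the pcre, which additionally
    requires "Paros/" on the User-Agent line itself ([^\n]+ cannot cross a newline)."""
    return content_stage(payload) and PCRE.search(payload) is not None


if __name__ == "__main__":
    default_fp = choose_fast_pattern([UA_HEADER, PAROS])
    explicit_fp = choose_fast_pattern([UA_HEADER, PAROS], explicit=PAROS)
    print("default fast pattern :", default_fp,
          "-> reaches full eval:", prefilter_workload(SAMPLES, default_fp))
    print("explicit fast_pattern:", explicit_fp,
          "-> reaches full eval:", prefilter_workload(SAMPLES, explicit_fp))
    for req in SAMPLES:
        print(rule_matches(req), req.split(b"\r\n")[2])
```

With the default choice every request that carries a User-Agent header reaches full evaluation; with fast_pattern on "Paros/" only requests containing that string do, which is the efficiency gain the thread is after. The third sample shows why the pcre still earns its place after the two contents: within:150 lets "Paros/" sit on a later header line, and only the pcre pins it to the User-Agent line.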


