[Emerging-Sigs] SIG: ET SCAN Mascan User Agent Detected

Kevin Ross kevross33 at googlemail.com
Fri Sep 12 04:25:26 EDT 2014

Saw this in real use. Might still be tied to research project though. Other
interesting characteristic is lack of Host header.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET SCAN Mascan User Agent Detected"; flow:established,to_server; content:"User-Agent|3A| masscan/"; http_header; fast_pattern:only; classtype:attempted-recon; reference:url,github.com/robertdavidgraham/masscan; sid:198331; rev:1;)

Kind Regards,
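
Added example (not part of the original post, and not Emerging Threats code): a small Python check that applies the two characteristics mentioned above, the masscan/ User-Agent prefix and the absent Host header, to raw HTTP requests. The sample requests, function names and finding labels are constructed for illustration.

```python
import re

# Same prefix the rule's content match looks for. The rule's match is
# case-sensitive; this check is deliberately case-insensitive.
UA_RE = re.compile(rb"^masscan/", re.IGNORECASE)

def parse_request(raw: bytes):
    """Split a raw HTTP request into (request_line, headers); names lowercased."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:  # skip malformed lines that have no colon
            headers.setdefault(name.strip().lower(), value.strip())
    return lines[0], headers

def classify(raw: bytes):
    """Return the set of findings for one request."""
    request_line, headers = parse_request(raw)
    findings = set()
    if UA_RE.match(headers.get(b"user-agent", b"")):
        findings.add("masscan_user_agent")
    # HTTP/1.1 requires a Host header, so its absence is a signal that
    # still fires when the User-Agent string has been changed.
    if request_line.endswith(b"HTTP/1.1") and b"host" not in headers:
        findings.add("missing_host_header")
    return findings

# Constructed sample requests (hypothetical, not captured traffic).
SAMPLES = {
    "scanner": b"GET / HTTP/1.1\r\nUser-Agent: masscan/1.0\r\nAccept: */*\r\n\r\n",
    "browser": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
               b"User-Agent: Mozilla/5.0\r\n\r\n",
    "renamed_ua": b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n",
}

def run_samples():
    """Classify every constructed sample and return {name: findings}."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, sorted(findings))
```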