[Emerging-Sigs] SIG: ET SCAN Mascan User Agent Detected

Kevin Ross kevross33 at googlemail.com
Fri Sep 12 04:26:06 EDT 2014


Missed an S in masscan in the msg :)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET SCAN Masscan
User Agent Detected"; flow:established,to_server; content:"User-Agent|3A|
masscan/"; http_header; fast_pattern:only; classtype:attempted-recon;
reference:url,
blog.erratasec.com/2013/09/masscan-entire-internet-in-3-minutes.html;
reference:url,github.com/robertdavidgraham/masscan; sid:198331; rev:1;)

On 12 September 2014 09:25, Kevin Ross <kevross33 at googlemail.com> wrote:

> Saw this in real use. Might still be tied to research project though.Other
> interesting characteristic is lack of Host header.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET SCAN Mascan
> User Agent Detected"; flow:established,to_server; content:"User-Agent|3A|
> masscan/"; http_header; fast_pattern:only; classtype:attempted-recon;
> reference:url,
> blog.erratasec.com/2013/09/masscan-entire-internet-in-3-minutes.html;
> reference:url,github.com/robertdavidgraham/masscan; sid:198331; rev:1;)
>
>
> Kind Regards,
> Kevin
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20140912/685b1a58/attachment.html>


More information about the Emerging-sigs mailing list