[Emerging-Sigs] SIG: ET SCAN Mascan User Agent Detected

Darien Huss dhuss at emergingthreats.net
Fri Sep 12 09:40:19 EDT 2014


Thanks Kevin,

This is covered by 2017615 & 2017616.

Regards,
Darien

On Fri, Sep 12, 2014 at 4:27 AM, Kevin Ross <kevross33 at googlemail.com>
wrote:

> And direction...(this is why writing sigs first thing in morning when
> tired sometimes not a good idea lol)
>
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN
> Masscan User Agent Detected"; flow:established,to_server;
> content:"User-Agent|3A| masscan/"; http_header; fast_pattern:only;
> classtype:attempted-recon; reference:url,
> blog.erratasec.com/2013/09/masscan-entire-internet-in-3-minutes.html;
> reference:url,github.com/robertdavidgraham/masscan; sid:198331; rev:1;)
>
> On 12 September 2014 09:26, Kevin Ross <kevross33 at googlemail.com> wrote:
>
>>
>> Missed an S in masscan in the msg :)
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET SCAN
>> Masscan User Agent Detected"; flow:established,to_server;
>> content:"User-Agent|3A| masscan/"; http_header; fast_pattern:only;
>> classtype:attempted-recon; reference:url,
>> blog.erratasec.com/2013/09/masscan-entire-internet-in-3-minutes.html;
>> reference:url,github.com/robertdavidgraham/masscan; sid:198331; rev:1;)
>>
>> On 12 September 2014 09:25, Kevin Ross <kevross33 at googlemail.com> wrote:
>>
>>> Saw this in real use. Might still be tied to research project
>>> though. Other interesting characteristic is lack of Host header.
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET SCAN
>>> Mascan User Agent Detected"; flow:established,to_server;
>>> content:"User-Agent|3A| masscan/"; http_header; fast_pattern:only;
>>> classtype:attempted-recon; reference:url,
>>> blog.erratasec.com/2013/09/masscan-entire-internet-in-3-minutes.html;
>>> reference:url,github.com/robertdavidgraham/masscan; sid:198331; rev:1;)
>>>
>>>
>>> Kind Regards,
>>> Kevin
>>>
>>
>>
>
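The two characteristics discussed in this thread (the `masscan/` User-Agent and the missing Host header), together with the direction question, checked offline over raw HTTP requests. This is an added example, not code from the thread or from Emerging Threats; `HOME_NET`, the helper names, and the sample requests are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the protected range, standing in for $HOME_NET in the rules above.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")

def parse_headers(raw: bytes) -> dict:
    """Return request headers keyed by lower-cased name (names are case-insensitive)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def classify(src_ip: str, raw: bytes):
    """Return None, or a dict describing a request whose User-Agent starts with masscan/."""
    headers = parse_headers(raw)
    ua = headers.get("user-agent", "")
    # Matched case-insensitively here; the rule's content match (no nocase) is case-sensitive.
    if not ua.lower().startswith("masscan/"):
        return None
    internal = ipaddress.ip_address(src_ip) in HOME_NET
    return {
        "src": src_ip,
        "user_agent": ua,
        # inbound = external scanner probing us; outbound = an internal host running the scanner
        "direction": "outbound" if internal else "inbound",
        "host_header_missing": "host" not in headers,
    }

# Constructed sample requests (source address, raw request bytes); not captured traffic.
SAMPLES = [
    ("203.0.113.7", b"GET / HTTP/1.0\r\nUser-Agent: masscan/1.0\r\nAccept: */*\r\n\r\n"),
    ("192.0.2.15", b"GET / HTTP/1.0\r\nuser-agent: masscan/1.0\r\n\r\n"),
    ("203.0.113.9", b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"User-Agent: Mozilla/5.0\r\n\r\n"),
]

def scan_samples():
    """Classify every sample and keep only the masscan-tagged requests."""
    return [hit for src, raw in SAMPLES if (hit := classify(src, raw))]

if __name__ == "__main__":
    for hit in scan_samples():
        print(hit)
```
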