[Emerging-Sigs] duplicates rules

Russell Fulton r.fulton at auckland.ac.nz
Tue Sep 23 18:51:27 EDT 2014

These versions are from the wiki.

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN JCE Joomla Scanner"; flow:established,to_server; content:"User-Agent|3a| BOT/0.1 (BOT for JCE)"; http_header; classtype:web-application-attack; sid:2016032; rev:3;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN JCE Joomla Extension User-Agent (BOT)"; flow:to_server,established; content:"User-Agent|3a| BOT/0.1 (BOT for JCE)|0d 0a|"; http_header; reference:url,exploit-db.com/exploits/17734/; reference:url,blog.spiderlabs.com/2014/03/honeypot-alert-jce-joomla-extension-attacks.html; classtype:attempted-recon; sid:2018327; rev:2;)

More information about the Emerging-sigs mailing list