[Emerging-Sigs] Super Dupesville

Jason Williams jwilliams at emergingthreats.net
Tue Jun 16 11:17:50 HDT 2020


Thanks Francis!

Will make the directionality more clear in the rule msg in the push today
and move the PRO to OPEN.

On Tue, Jun 16, 2020 at 9:35 AM Francis Trudeau <trudeauf at gmail.com> wrote:

> alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Zmap User-Agent (zgrab)"; flow:established,to_server; content:"Mozilla/5.0 zgrab/0.x"; http_user_agent; depth:21; isdataat:!1,relative; classtype:network-scan; sid:2029054; rev:1; metadata:created_at 2019_11_26, updated_at 2019_11_26;)
>
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO USER_AGENTS Zmap User-Agent (zgrab)"; flow:established,to_server; content:"Mozilla/5.0 zgrab/0.x"; fast_pattern; http_user_agent; depth:21; isdataat:!1,relative; classtype:trojan-activity; sid:2815134; rev:3; metadata:created_at 2015_11_30, updated_at 2020_06_09;)
>
> They don't get much more identical than that.
>
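The two quoted rules differ only in header direction, msg, classtype, sid/rev, metadata and a fast_pattern hint; their actual detection options are the same. As an added example that is not part of this thread or of the Emerging Threats ruleset, the Python script below parses rules into a header and an ordered option list, drops the options that never change what a rule matches, and groups rules whose remaining detection options are identical, so a ruleset can be checked for this kind of duplicate before a push. The sample ruleset embeds the two rules from the thread plus one constructed rule (its msg and sid are placeholders); treating fast_pattern as a non-detection option is this example's assumption, since it only chooses which content goes to the multi-pattern matcher.

```python
"""Group Suricata/Snort rules whose detection options are identical even when
their headers, msg, sid, rev, classtype or metadata differ."""
import re
from collections import defaultdict

# Constructed sample ruleset: the two rules quoted in the thread, plus one
# constructed rule (placeholder msg and sid) that must NOT be flagged.
SAMPLE_RULES = """
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Zmap User-Agent (zgrab)"; flow:established,to_server; content:"Mozilla/5.0 zgrab/0.x"; http_user_agent; depth:21; isdataat:!1,relative; classtype:network-scan; sid:2029054; rev:1; metadata:created_at 2019_11_26, updated_at 2019_11_26;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO USER_AGENTS Zmap User-Agent (zgrab)"; flow:established,to_server; content:"Mozilla/5.0 zgrab/0.x"; fast_pattern; http_user_agent; depth:21; isdataat:!1,relative; classtype:trojan-activity; sid:2815134; rev:3; metadata:created_at 2015_11_30, updated_at 2020_06_09;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"PLACEHOLDER Other UA"; flow:established,to_server; content:"Mozilla/5.0 other/1.x"; http_user_agent; depth:21; classtype:trojan-activity; sid:1000001; rev:1;)
"""

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# Options that identify, describe or tune a rule but never change what it
# matches. fast_pattern is included by assumption: it only picks the content
# handed to the multi-pattern matcher, it does not alter the match result.
NON_DETECTION = {"msg", "sid", "rev", "gid", "classtype", "priority",
                 "reference", "metadata", "target", "fast_pattern"}


def split_options(body):
    """Split the option body on ';' outside double quotes, honouring backslash escapes."""
    parts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            tok = "".join(cur).strip()
            if tok:
                parts.append(tok)
            cur = []
        else:
            cur.append(ch)
    tok = "".join(cur).strip()
    if tok:
        parts.append(tok)
    return parts


def parse_rule(text):
    """Return the header string, protocol, sid and ordered (key, value) options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a rule: {text[:40]!r}")
    options = []
    for tok in split_options(m.group("opts")):
        key, _, val = tok.partition(":")          # keyword-only options have no ':'
        options.append((key.strip(), val.strip() or None))
    sid = next((int(v) for k, v in options if k == "sid"), None)
    header = " ".join(m.group(g) for g in
                      ("action", "proto", "src", "sport", "dir", "dst", "dport"))
    return {"header": header, "proto": m.group("proto"), "sid": sid, "options": options}


def parse_ruleset(text):
    return [parse_rule(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def detection_key(rule):
    """Protocol plus the ordered detection options. Order is kept because
    modifiers such as 'relative' bind to the content that precedes them."""
    kept = tuple((k, v) for k, v in rule["options"] if k not in NON_DETECTION)
    return (rule["proto"], kept)


def find_duplicates(rules):
    groups = defaultdict(list)
    for r in rules:
        groups[detection_key(r)].append(r)
    return [g for g in groups.values() if len(g) > 1]


def report(rules):
    """One summary line per duplicate group, then the header of each member so
    directionality differences are visible next to the shared detection logic."""
    out = []
    for group in find_duplicates(rules):
        sids = ", ".join(str(r["sid"]) for r in group)
        out.append(f"identical detection logic: sid {sids}")
        for r in group:
            out.append(f"    {r['header']}  (sid:{r['sid']})")
    return out


if __name__ == "__main__":
    for line in report(parse_ruleset(SAMPLE_RULES)):
        print(line)
```

Run against the sample, the report groups sid 2029054 and 2815134 together and shows that only their headers differ ($EXTERNAL_NET -> any versus $HOME_NET -> $EXTERNAL_NET), which is exactly the directionality point raised in the reply; the constructed third rule stays unflagged because its content differs.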