[Snort-sigs] flowbits: acunetix.scanner

waldo kitty wkitty42 at ...3507...
Wed May 29 10:57:47 EDT 2013


there is no check rule in the *.rules files for flowbits: acunetix.scanner...


registered subscriber using latest rules pulled 26 May 2013 for

    ,,_     -*> Snort! <*-
   o"  )~   Version 2.9.4.1 GRE (Build 69)
    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
            Using libpcap version 1.1.1
            Using PCRE version: 7.8 2008-09-05
            Using ZLIB version: 1.2.6



May 26 04:25:44 frodo snort[22314]: WARNING: flowbits key 'acunetix.scanner' is 
set but not ever checked.


$ grep -E "acunetix.scanner" /path/to/snort/*rules*/*.rules

/path/to/snort/rules/app-detect.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 
$HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scan attempt"; 
flow:to_server,established; content:"Acunetix-"; fast_pattern:only; http_header; 
flowbits:set,acunetix.scanner; metadata:service http; 
reference:url,www.acunetix.com; classtype:web-application-attack; sid:25358; rev:1;)


-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.




More information about the Snort-sigs mailing list