[Snort-sigs] ShodanHQ Rule

Geoff Serrao geoff.serrao at ...2420...
Tue Oct 22 16:50:18 EDT 2013

While browsing Shodanhq.com I wondered if shodan sent along the http
"Referer" header when clicking on search result links.

Sure enough, shodan passes along the http referer with the client request:

Referer: http://www.shodanhq.com/search?q=vulnerable-software

Shodanhq only indexes services listening on the following ports, so only
dest port 80 is necessary.

HTTP (80) FTP (21) SSH (22) SNMP (161) SIP (5060)

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"RECON HTTP Request with
ShodanHQ.com/search?q= in HTTP Referer header."; \
flow:established, to_server; \
content:"Referer: http://www.shodanhq.com/search?q=", http_header; \
reference: url, http://www.shodanhq.com/search?q=vulnerable-software;
classtype: attempted-recon;)

I don't know how practical this rule is, but It would be interesting to see
if any sysadmins were to implement this rule and learn if they are listed
somewhere on shodan.

Pages increment like this:
http://www.shodanhq.com/search?q=linksys&page=2so we should be good
with that content match.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20131022/a7c09fac/attachment.html>

More information about the Snort-sigs mailing list