[Snort-sigs] ShodanHQ Rule

Joel Esler jesler at ...435...
Tue Oct 22 17:07:55 EDT 2013


I’m confused about what you are trying to detect.  Are you trying to detect Shodan indexing the services on your network?  Is that the intent of the rule?

On Oct 22, 2013, at 4:50 PM, Geoff Serrao <geoff.serrao at ...2420...> wrote:

> While browsing Shodanhq.com I wondered if shodan sent along the http "Referer" header when clicking on search result links. 
> Sure enough, shodan passes along the http referer with the client request: 
> Referer: http://www.shodanhq.com/search?q=vulnerable-software
> Shodanhq only indexes services listening on the following ports, so only dest port 80 is necessary. 
> HTTP (80) FTP (21) SSH (22) SNMP (161) SIP (5060) 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"RECON HTTP Request with ShodanHQ.com/search?q= in HTTP Referer header."; \
> flow:established, to_server; \
> content:"Referer: http://www.shodanhq.com/search?q=", http_header; \
> reference: url, http://www.shodanhq.com/search?q=vulnerable-software; classtype: attempted-recon;)
> I don't know how practical this rule is, but It would be interesting to see if any sysadmins were to implement this rule and learn if they are listed somewhere on shodan.
> Pages increment like this: http://www.shodanhq.com/search?q=linksys&page=2 so we should be good with that content match.
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk_______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> Please visit http://blog.snort.org for the latest news about Snort!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20131022/ca78f9b6/attachment.html>

More information about the Snort-sigs mailing list