[Snort-sigs] ShodanHQ Rule

Geoffrey Serrao gserrao at ...435...
Tue Oct 22 17:20:55 EDT 2013


The intent is to trigger an alert when a potential attacker visits your
webserver which he/she found using the shodanhq search engine.

I'm not sure if the rule is totally 100% practical. But thought I'd share
anyway.


On Tue, Oct 22, 2013 at 5:07 PM, Joel Esler <jesler at ...435...> wrote:

> Geoff,
>
> I’m confused about what you are trying to detect.  Are you trying to
> detect Shodan indexing the services on *your* network?  Is that the
> intent of the rule?
>
>
> On Oct 22, 2013, at 4:50 PM, Geoff Serrao <geoff.serrao at ...2420...> wrote:
>
> While browsing Shodanhq.com I wondered if shodan sent along the http
> "Referer" header when clicking on search result links.
>
> Sure enough, shodan passes along the http referer with the client request:
>
> Referer: http://www.shodanhq.com/search?q=vulnerable-software
>
> Shodanhq only indexes services listening on the following ports, so only
> dest port 80 is necessary.
>
> HTTP (80) FTP (21) SSH (22) SNMP (161) SIP (5060)
>
> # sid/rev added: Snort refuses to load a rule without a sid; 1000001 is a
> # placeholder in the local-rule range. The url reference type already
> # prepends http://, so the scheme is dropped from the reference value.
> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"RECON HTTP Request with ShodanHQ.com/search?q= in HTTP Referer header."; \
> flow:established,to_server; \
> content:"Referer: http://www.shodanhq.com/search?q="; http_header; \
> reference:url,www.shodanhq.com/search?q=vulnerable-software; \
> classtype:attempted-recon; sid:1000001; rev:1;)
>
> I don't know how practical this rule is, but it would be interesting to
> see if any sysadmins were to implement this rule and learn if they are
> listed somewhere on shodan.
>
> Pages increment like this: http://www.shodanhq.com/search?q=linksys&page=2 so we should be good with that content match.
>



-- 
Geoffrey J. Serrao
SOURCEfire Technical Support
My office hours are 10:00 AM to 7:00 PM Eastern time, Monday - Friday. If
you need assistance outside of these hours, please contact
support at ...435... and another engineer will respond.
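As an added example (not code from the thread), the same Referer check written in Python so it can be run over captured requests. It differs from the Snort rule in two ways worth knowing: the rule's content match is case-sensitive and only matches a literal http:// referer, whereas this parses the header name case-insensitively and the URL properly, so https:// referers and extra parameters such as &page=2 are handled and the search query itself is returned. The sample requests are constructed, not real traffic.

```python
"""Flag HTTP requests whose Referer points at a ShodanHQ search page.

Python model of the Snort rule from the thread. The header name is compared
case-insensitively and the referer URL is parsed, so https:// referers and
extra query parameters (e.g. &page=2) are handled, and the Shodan search
query that led the visitor here is returned for the defender's records.
"""
from urllib.parse import parse_qs, urlsplit

SHODAN_HOSTS = {"shodanhq.com", "www.shodanhq.com"}


def referer_of(raw_request: str):
    """Return the Referer header value of a raw HTTP request, or None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "referer":
            return value.strip()
    return None


def shodan_search_query(raw_request: str):
    """Return the Shodan search query that led to this request, else None."""
    ref = referer_of(raw_request)
    if ref is None:
        return None
    url = urlsplit(ref)
    if url.hostname not in SHODAN_HOSTS or url.path != "/search":
        return None
    q = parse_qs(url.query).get("q")
    return q[0] if q else None


# Constructed sample requests (not real traffic); 203.0.113.10 is a
# documentation address standing in for the monitored web server.
SAMPLES = [
    "GET / HTTP/1.1\r\nHost: 203.0.113.10\r\n"
    "Referer: http://www.shodanhq.com/search?q=vulnerable-software\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: 203.0.113.10\r\n"
    "referer: https://www.shodanhq.com/search?q=linksys&page=2\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: 203.0.113.10\r\n"
    "Referer: http://www.example.com/search?q=shodanhq.com\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n",
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(shodan_search_query(req))   # vulnerable-software, linksys, None, None
```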