[Snort-sigs] Proposed Rules for Acunetix Scanner

lists at ...3397... lists at ...3397...
Wed Dec 28 11:58:43 EST 2016


In hindsight, classtype:web-application-attack; may make more sense.

On 12/28/16 10:47, lists at ...3397... wrote:
> I did not see similar in the VRT ruleset and wanted to propose the following for
> inclusion into the VRT COMMUNITY ruleset.  I am unable to share a PCAP due to
> confidentiality, however, these should match:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"VRT COMMUNITY
> Acunetix scan in progress acunetix_wvs_security_test in http_uri";
> flow:established,to_server; content:"acunetix_wvs_security_test"; http_uri;
> fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src;
> reference:url,www.acunetix.com/; classtype:attempted-recon; sid:X; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"VRT COMMUNITY
> Acunetix scan in progress acunetix variable in http_uri";
> flow:established,to_server; content:"|24|acunetix"; http_uri; fast_pattern:only;
> threshold: type limit, count 1, seconds 60, track by_src;
> reference:url,www.acunetix.com/; classtype:attempted-recon; sid:X; rev:1;)
>
>
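Added example, not part of the original post or the Snort project's code: a small Python model of the two proposed rules, useful for checking which request URIs would alert when no PCAP is available. It assumes the `http_uri` buffer can be approximated by percent-decoding the raw URI once and that `type limit, count 1, seconds 60, track by_src` behaves as a per-rule, per-source window that opens on the first match; the sample events and addresses are constructed.

```python
from urllib.parse import unquote_to_bytes

# Content strings copied from the two proposed rules.
# "|24|" is Snort hex notation for the byte 0x24 ("$").
RULES = {
    "acunetix_wvs_security_test in http_uri": b"acunetix_wvs_security_test",
    "acunetix variable in http_uri": b"\x24acunetix",
}
LIMIT_SECONDS = 60  # threshold: type limit, count 1, seconds 60, track by_src


def matching_rules(raw_uri):
    """Return the rule messages whose content appears in the decoded URI."""
    uri = unquote_to_bytes(raw_uri)  # assumption: stands in for http_uri
    # Neither rule uses nocase, so the comparison is case-sensitive.
    return [msg for msg, content in RULES.items() if content in uri]


def simulate(events):
    """events: (timestamp_seconds, src_ip, raw_uri) tuples in time order.
    Returns the (timestamp, src_ip, msg) alerts that survive the limit."""
    window_start = {}  # (msg, src_ip) -> time the current 60 s window opened
    alerts = []
    for ts, src, raw_uri in events:
        for msg in matching_rules(raw_uri):
            key = (msg, src)
            start = window_start.get(key)
            if start is None or ts - start >= LIMIT_SECONDS:
                window_start[key] = ts  # first match in a new window alerts
                alerts.append((ts, src, msg))
    return alerts


# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    (0, "198.51.100.7", "/search?q=acunetix_wvs_security_test"),
    (5, "198.51.100.7", "/item?id=acunetix_wvs_security_test"),    # limited
    (10, "198.51.100.7", "/page?x=%24acunetix"),                   # second rule
    (20, "203.0.113.9", "/search?q=acunetix_wvs_security_test"),   # new source
    (30, "198.51.100.7", "/search?q=ACUNETIX_WVS_SECURITY_TEST"),  # case differs
    (65, "198.51.100.7", "/search?q=acunetix_wvs_security_test"),  # new window
]

if __name__ == "__main__":
    for alert in simulate(SAMPLE):
        print(alert)
```

The uppercase request produces no alert because neither rule sets `nocase`, and the repeat at 5 seconds is suppressed by the per-source limit.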





