[Snort-sigs] Proposed Rules for Acunetix Scanner

Joel Esler (jesler) jesler at ...3865...
Sun Jan 8 12:24:23 EST 2017


Josh,

Let’s move those rules into community.


--
Joel Esler | Talos: Manager | jesler at ...3865...


On Jan 6, 2017, at 2:52 PM, lists at ...3397... wrote:

Cool, no worries.  Cheers guys.

On 01/06/17 13:13, Joshua Williams wrote:
Nathan,

Thanks for the submission. After careful consideration, we are going to hold off
on using these rules. While the new rules would work, the 9 rules we already
have in place already alert. We could technically add tons of different rules
that detect Acunetix scanning, but at the end of the day the traffic is already
triggering an alert. Thanks for letting us know!

--
Josh Williams
Detection Response Team
TALOS Security Group

On Tue, Jan 3, 2017 at 3:44 PM, <lists at ...3397...> wrote:

   No worries, Happy GNU Year ;)

   On 01/03/17 14:39, Joshua Williams wrote:
Nathan,

Thanks for the submission. Sorry for the delay, I've been out of the office for
a little bit. I'll review these and get back to you once they've finished testing.

--
Josh Williams
Detection Response Team
TALOS Security Group

On Wed, Dec 28, 2016 at 11:58 AM, <lists at ...3397...> wrote:

   In hindsight, classtype:web-application-attack; may make more sense.

   On 12/28/16 10:47, lists at ...3397... wrote:
I did not see similar in the VRT ruleset and wanted to propose the following for
inclusion into the VRT COMMUNITY ruleset.  I am unable to share a PCAP due to
confidentiality, however, these should match:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
msg:"VRT COMMUNITY Acunetix scan in progress acunetix_wvs_security_test in http_uri"; \
flow:established,to_server; content:"acunetix_wvs_security_test"; http_uri; \
fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; \
reference:url,www.acunetix.com/; classtype:attempted-recon; \
sid:X; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
msg:"VRT COMMUNITY Acunetix scan in progress acunetix variable in http_uri"; \
flow:established,to_server; content:"|24|acunetix"; http_uri; fast_pattern:only; \
threshold: type limit, count 1, seconds 60, track by_src; \
reference:url,www.acunetix.com/; classtype:attempted-recon; \
sid:X; rev:1;)





   ------------------------------------------------------------------------------
   Check out the vibrant tech community on one of the world's most
   engaging tech sites, SlashDot.org! http://sdm.link/slashdot
   _______________________________________________
   Snort-sigs mailing list
   Snort-sigs at lists.sourceforge.net
   https://lists.sourceforge.net/lists/listinfo/snort-sigs

   http://www.snort.org

   Please visit http://blog.snort.org for the latest news about Snort!

   Visit Snort.org to subscribe to the official Snort ruleset, make sure to
   stay up to date to catch the most emerging threats
   (https://snort.org/downloads/#rule-downloads)!
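An added example, not part of this thread or of the Snort project: a small Python model of what the two proposed rules match in the URI buffer and how their `threshold: type limit, count 1, seconds 60, track by_src` collapses repeated hits, run over constructed request lines (the addresses and paths are made up, and `unquote` stands in for http_inspect's URI normalization).

```python
from urllib.parse import unquote

# The two `content` matches from the proposed rules. In Snort rule syntax "|24|" is
# the raw byte 0x24, i.e. "$", so the second rule looks for "$acunetix" in the URI.
RULES = [
    ("Acunetix scan in progress acunetix_wvs_security_test in http_uri",
     b"acunetix_wvs_security_test"),
    ("Acunetix scan in progress acunetix variable in http_uri",
     bytes([0x24]) + b"acunetix"),
]
LIMIT_SECONDS = 60  # threshold: type limit, count 1, seconds 60, track by_src


def uri_of(request_line: str) -> bytes:
    """Return the request-URI of an HTTP request line (METHOD SP URI SP VERSION).
    Percent-decoding is a crude stand-in for the normalized http_uri buffer."""
    raw = request_line.split(" ", 2)[1]
    return unquote(raw).encode()


def evaluate(requests):
    """Run the rules over (timestamp, src_ip, request_line) tuples and return the
    alerts the threshold lets through, as (timestamp, src_ip, msg) tuples."""
    last_alert = {}  # (src_ip, msg) -> timestamp of the alert that opened the window
    alerts = []
    for ts, src, line in requests:
        uri = uri_of(line)
        for msg, needle in RULES:
            if needle not in uri:
                continue
            key = (src, msg)
            # 'limit' thresholding: the first hit per source alerts and opens a
            # 60-second window; further hits in that window are dropped.
            if key in last_alert and ts - last_alert[key] < LIMIT_SECONDS:
                continue
            last_alert[key] = ts
            alerts.append((ts, src, msg))
    return alerts


# Constructed sample traffic (not a real capture): one source hits the marker
# path twice within a minute, then probes a "$acunetix" variable; a second
# source sends the same variable percent-encoded.
SAMPLE = [
    (0,  "198.51.100.7", "GET /acunetix_wvs_security_test HTTP/1.1"),
    (15, "198.51.100.7", "GET /images/acunetix_wvs_security_test.gif HTTP/1.1"),
    (70, "198.51.100.7", "GET /login.php?user=$acunetix HTTP/1.1"),
    (75, "203.0.113.9",  "GET /index.html HTTP/1.1"),
    (80, "203.0.113.9",  "GET /search?q=%24acunetix HTTP/1.1"),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE):
        print(alert)
```

The second request from 198.51.100.7 is inside the first rule's 60-second window and is suppressed, so the sample yields three alerts rather than four.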