[Snort-sigs] Multiple recon sigs

Y M snort at outlook.com
Fri Apr 27 11:36:36 EDT 2018


Hi,

I'm not sure if these signatures qualify for submission, but I am posting them anyway just in case someone finds them useful. The pcaps for the MikroTik Winbox are available, and an AppID detector will be posted to the appid list.

# Date: 2018-04-22
# Title: Drupal Web Server Recon
# Reference: https://twitter.com/GreyNoiseIO/status/980867618075758593
# Tests: Live Traffic
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Drupal web server recon attempt"; flow:to_server,established; content:"/RELEASE-NOTES.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,twitter.com/GreyNoiseIO/status/980867618075758593; classtype:attempted-recon; sid:8000014; rev:1;)
# --------------------
# Date: 2018-04-22
# Title: MikroTik Winbox App/Protocol Connection
# Reference: Research
alert tcp $EXTERNAL_NET any -> $HOME_NET 8291 (msg:"SERVER-OTHER MikroTik Winbox recon attempt"; flow:to_server,established; content:"|00 00 21 04 6C 69 73 74 00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-recon; sid:8000015; rev:1;)
# --------------------
# Date: 2018-04-27
# Title: Scanning for TemperatureGuard IP-enabled thermostats
# Reference: https://twitter.com/GreyNoiseIO/status/989750700346261505
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TemperatureGuard configuration access attempt"; flow:to_server,established; content:"/secure/ltx_conf.htm"; fast_pattern:only; http_uri; metadata:ruleset community; reference:url,twitter.com/GreyNoiseIO/status/989750700346261505; reference:url,www.temperatureguard.com/Documentation/Manuals/M305-M306%20Getting%20Started.pdf; classtype:attempted-recon; sid:8000017; rev:1;)
# --------------------
# Date: 2018-04-27
# Title: Scanning for Dahua IP Camera configuration
# Reference: https://twitter.com/GreyNoiseIO/status/989749601694445574
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dahua IP Camera configuration access attempt"; flow:to_server,established; content:"/current_config/passwd"; fast_pattern:only; http_uri; metadata:ruleset community; reference:url,twitter.com/GreyNoiseIO/status/989749601694445574; reference:url,gist.github.com/avelardi/1338d9d7be0344ab7f4280618930cd0d; classtype:attempted-recon; sid:8000018; rev:1;)

Thanks.
YM
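As an added illustration (not part of the original post, and not Snort code), the following Python script emulates just enough of Snort's rule evaluation to sanity-check the four rules above against constructed traffic samples: it decodes the `content` string (including `|hex|` segments), honours the destination port, and for `http_uri` rules matches against a simplified stand-in for http_inspect's normalised URI (percent-decoding, duplicate-slash collapsing, `./` and `../` resolution; the real preprocessor does more). The rule strings are the four from the post with the variable written as `$HOME_NET`; the `HTTP_PORTS` set and every sample request are constructed for the example.

```python
"""Toy Snort-style matcher for the recon rules above (added example, not Snort)."""
import re
import urllib.parse

# The four rules from the post, with $HOME_NET spelled with its $ sigil.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Drupal web server recon attempt"; flow:to_server,established; content:"/RELEASE-NOTES.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:8000014; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 8291 (msg:"SERVER-OTHER MikroTik Winbox recon attempt"; flow:to_server,established; content:"|00 00 21 04 6C 69 73 74 00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-recon; sid:8000015; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TemperatureGuard configuration access attempt"; flow:to_server,established; content:"/secure/ltx_conf.htm"; fast_pattern:only; http_uri; metadata:ruleset community; classtype:attempted-recon; sid:8000017; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dahua IP Camera configuration access attempt"; flow:to_server,established; content:"/current_config/passwd"; fast_pattern:only; http_uri; metadata:ruleset community; classtype:attempted-recon; sid:8000018; rev:1;)',
]

# Constructed subset of what $HTTP_PORTS usually expands to (assumption for the example).
HTTP_PORTS = {80, 8000, 8008, 8080, 8888}


def content_bytes(spec: str) -> bytes:
    """Decode a Snort content string: text outside |...| is literal, inside is hex."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def parse_rule(rule: str) -> dict:
    """Pull out the few fields this toy matcher cares about."""
    opts = rule[rule.index("(") + 1 : rule.rindex(")")]
    content = re.search(r'content:"((?:[^"\\]|\\.)*)"', opts).group(1)
    return {
        "sid": int(re.search(r"sid:(\d+);", opts).group(1)),
        "msg": re.search(r'msg:"([^"]*)"', opts).group(1),
        "content": content_bytes(content),
        "http_uri": "http_uri;" in opts,
        "dport": rule.split()[6],          # "$HTTP_PORTS" or a literal port
    }


PARSED = [parse_rule(r) for r in RULES]


def normalize_uri(uri: str) -> str:
    """Simplified stand-in for http_inspect URI normalisation (assumption, not Snort's code):
    drop the query, percent-decode, collapse '//' and resolve './' and '../' segments."""
    path = urllib.parse.unquote(uri.split("?", 1)[0])
    path = re.sub(r"/+", "/", path)
    segs = []
    for seg in path.split("/"):
        if seg == "..":
            if len(segs) > 1:
                segs.pop()
        elif seg != ".":
            segs.append(seg)
    return "/".join(segs)


def request_uri(payload: bytes):
    """Return the request-target from an HTTP/1.x request line, or None if it is not HTTP."""
    parts = payload.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[1]


def rule_fires(rule: dict, dport: int, payload: bytes) -> bool:
    """Port check, then either normalised-URI match (http_uri) or raw payload match."""
    if rule["dport"] == "$HTTP_PORTS":
        if dport not in HTTP_PORTS:
            return False
    elif int(rule["dport"]) != dport:
        return False
    if rule["http_uri"]:
        uri = request_uri(payload)
        return uri is not None and rule["content"] in normalize_uri(uri).encode("latin-1")
    return rule["content"] in payload


def fired_sids(dport: int, payload: bytes) -> list:
    """SIDs of every rule that would alert on this client-to-server payload."""
    return [r["sid"] for r in PARSED if rule_fires(r, dport, payload)]


# Constructed samples: (destination port, first client payload of the flow).
SAMPLES = {
    "drupal": (80, b"GET /RELEASE-NOTES.txt HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"),
    "dahua": (80, b"GET /current_config/passwd HTTP/1.1\r\nHost: 192.0.2.11\r\n\r\n"),
    # Percent-encoded and double-slashed: misses on the raw bytes, hits after normalisation.
    "tguard_encoded": (8080, b"GET /secure//ltx_%63onf.htm HTTP/1.1\r\nHost: 192.0.2.12\r\n\r\n"),
    # Raw TCP payload carrying the bytes the Winbox rule looks for (constructed, padded).
    "winbox": (8291, b"\x00\x00\x21\x04list\x00" + b"\x00" * 8),
    "benign": (80, b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.13\r\n\r\n"),
    # Same Winbox bytes on an HTTP port: no rule should fire.
    "winbox_wrong_port": (80, b"\x00\x00\x21\x04list\x00"),
}

if __name__ == "__main__":
    for name, (port, data) in SAMPLES.items():
        print(f"{name:18s} port {port:5d} -> {fired_sids(port, data)}")
```

The `tguard_encoded` sample is the caveat worth keeping in mind when testing `http_uri` rules: the literal `/secure/ltx_conf.htm` is not in the raw packet, so a grep over the pcap misses it while the rule still fires on the normalised URI. The Winbox rule has no preprocessor behind it, so it matches raw bytes on port 8291 only, and `flow:to_server,established` means a test pcap must contain the full TCP handshake, not just the data segment. To check the real rules rather than this emulation, load them into a Snort 2.9 config and replay the pcaps with `snort -c snort.conf -r test.pcap -A console`.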