<div dir="ltr">Joel,<div><br></div><div>Sounds good to me.</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr">--<br>Josh Williams<br>Detection Response Team<br>TALOS Security Group</div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Sun, Jan 8, 2017 at 12:24 PM, Joel Esler (jesler) <span dir="ltr"><<a href="mailto:jesler@...3865..." target="_blank">jesler@...3865...</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">



<div style="word-wrap:break-word">
Josh,
<div><br>
</div>
<div>Let’s move those rules into community.</div>
<div><br>
</div>
<div><span class=""><br>
<div>
<div style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word">
<div style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word">
<div style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word">
<div><b style="font-family:Calibri,sans-serif;font-size:10px"><font color="#5e5e5e">--</font></b></div>
<div style="font-size:14px"><b style="font-family:Calibri,sans-serif;font-size:12px"><font color="#5e5e5e">Joel Esler </font></b><span style="font-family:Calibri,sans-serif;font-size:12px">| </span><b style="font-family:Calibri,sans-serif;font-size:12px"><font color="#0096ff">Talos:</font></b><span style="font-family:Calibri,sans-serif;font-size:12px"> M</span><font color="#424242" style="font-family:Calibri,sans-serif;font-size:12px">anager
 | <a href="mailto:jesler@...3865..." target="_blank">jesler@...3857...65...</a></font></div>
<div><font color="#424242" style="font-family:Calibri,sans-serif;font-size:10px"><br>
</font></div>
</div>
<br class="m_-6098374098617937921Apple-interchange-newline">
</div>
<br class="m_-6098374098617937921Apple-interchange-newline">
</div>
<br class="m_-6098374098617937921Apple-interchange-newline">
<br class="m_-6098374098617937921Apple-interchange-newline">
</div>
<br>
</span><div>
<blockquote type="cite"><div><div class="h5">
<div>On Jan 6, 2017, at 2:52 PM, <a href="mailto:lists@...3397..." target="_blank">
lists@...3397...</a> wrote:</div>
<br class="m_-6098374098617937921Apple-interchange-newline">
</div></div><div>
<div><div><div class="h5">Cool, no worries.  Cheers guys.<br>
<br>
On 01/06/17 13:13, Joshua Williams wrote:<br>
<blockquote type="cite">Nathan,<br>
<br>
Thanks for the submission. After careful consideration, we are going to hold off<br>
on using these rules. While the new rules would work, the 9 rules we already<br>
have in place already alert. We could technically add tons of different rules<br>
that detect Acunetix scanning, but at the end of the day the traffic is already<br>
triggering an alert. Thanks for letting us know!<br>
<br>
--<br>
Josh Williams<br>
Detection Response Team<br>
TALOS Security Group<br>
<br>
On Tue, Jan 3, 2017 at 3:44 PM, <<a href="mailto:lists@...3397..." target="_blank">lists@...3397...</a>> wrote:<br>
<br>
   No worries, Happy GNU Year ;)<br>
<br>
   On 01/03/17 14:39, Joshua Williams wrote:<br>
<blockquote type="cite">Nathan,<br>
<br>
Thanks for the submission. Sorry for the delay, I've been out of the office for<br>
a little bit. I'll review these and get back to you once they've finished testing.<br>
<br>
--<br>
Josh Williams<br>
Detection Response Team<br>
TALOS Security Group<br>
<br>
On Wed, Dec 28, 2016 at 11:58 AM, <<a href="mailto:lists@...3397..." target="_blank">lists@...3397...</a>> wrote:<br>
<br>
   In hindsight, classtype:web-application-<wbr>attack; may make more sense.<br>
<br>
   On 12/28/16 10:47, <a href="mailto:lists@...3397..." target="_blank">lists@...3397...</a> wrote:<br>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">I did not see similar in the VRT ruleset and wanted to propose the following for<br>
inclusion into the VRT COMMUNITY ruleset.  I am unable to share a PCAP due to<br>
confidentiality, however, these should match:<br>
<br>
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"VRT COMMUNITY<br>
Acunetix scan in progress acunetix_wvs_security_test in http_uri";<br>
flow:established,to_server; content:"acunetix_wvs_security_test"; http_uri;<br>
fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src;<br>
reference:url,<a href="http://www.acunetix.com/" target="_blank">www.acunetix.com/</a>; classtype:attempted-recon;<br>
sid:X; rev:1;)<br>
<br>
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"VRT COMMUNITY<br>
Acunetix scan in progress acunetix variable in http_uri";<br>
flow:established,to_server; content:"|24|acunetix"; http_uri; fast_pattern:only;<br>
threshold: type limit, count 1, seconds 60, track by_src;<br>
reference:url,<a href="http://www.acunetix.com/" target="_blank">www.acunetix.com/</a>; classtype:attempted-recon;<br>
sid:X; rev:1;)<br>
<br>
</blockquote>
<br>
<br>
<br>
   ------------------------------------------------------------------------------<br>
   Check out the vibrant tech community on one of the world's most<br>
   engaging tech sites, <a href="http://SlashDot.org" target="_blank">SlashDot.org</a>! <a href="http://sdm.link/slashdot" target="_blank">http://sdm.link/slashdot</a><br>
   _______________________________________________<br>
   Snort-sigs mailing list<br>
   <a href="mailto:Snort-sigs@lists.sourceforge.net" target="_blank">Snort-sigs@...2570...sourceforge.net</a><br>
</blockquote>
<blockquote type="cite">   <a href="https://lists.sourceforge.net/lists/listinfo/snort-sigs" target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-sigs</a><br>
<br>
   <a href="http://www.snort.org" target="_blank">http://www.snort.org</a><br>
<br>
   Please visit <a href="http://blog.snort.org" target="_blank">http://blog.snort.org</a> for the latest news about Snort!<br>
<br>
   Visit the <a href="http://Snort.org" target="_blank">Snort.org</a> to subscribe to the official Snort ruleset, make sure to<br>
   stay up to date to catch the most <a href="https://snort.org/downloads/#rule-downloads" target="_blank">emerging threats</a>!<br>
<br>
<br>
</blockquote>
<br>
<br>
</blockquote>
</div></div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>

</blockquote></div><br></div>
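<p>The two rules proposed in the thread match a literal in the request URI and rate-limit alerts with <code>threshold: type limit, count 1, seconds 60, track by_src</code>. The block below is an added example, not code from the thread or from Snort: it decodes the rules' content strings (including the <code>|24|</code> hex escape for <code>$</code>), runs both matches over constructed sample requests, and models the per-source limit so the suppression and window reset are visible. Function and sample names are assumptions; Snort's <code>http_uri</code> buffer is the normalized URI, which this model does not reproduce.</p>

```python
import re

# Added example (not code from the thread): models the two proposed rules'
# content matches and their "threshold: type limit" on constructed sample URIs.
# Snort's http_uri buffer is the normalized URI; here raw URIs are matched.
def snort_content_bytes(pattern):
    """Decode Snort content syntax, e.g. '|24|acunetix' -> b'$acunetix'."""
    out = bytearray()
    for text, hexpart in re.findall(r"([^|]*)(?:\|([0-9A-Fa-f ]*)\|)?", pattern):
        out += text.encode("latin-1")
        if hexpart:
            out += bytes.fromhex(hexpart)
    return bytes(out)

# msg fragment -> content bytes, as in the two rules quoted above
RULES = {
    "acunetix_wvs_security_test in http_uri": snort_content_bytes("acunetix_wvs_security_test"),
    "acunetix variable in http_uri": snort_content_bytes("|24|acunetix"),
}

class LimitThreshold:
    """threshold: type limit, count 1, seconds 60, track by_src: alert on the
    first `count` matches per (rule, source) in a window, suppress the rest."""
    def __init__(self, count=1, seconds=60):
        self.count, self.seconds, self.windows = count, seconds, {}
    def allow(self, rule, src, ts):
        start, seen = self.windows.get((rule, src), (None, 0))
        if start is None or ts - start >= self.seconds:  # window expired: start a new one
            start, seen = ts, 0
        seen += 1
        self.windows[(rule, src)] = (start, seen)
        return seen <= self.count

def evaluate(events):
    """events: (ts_seconds, src_ip, request_uri) -> list of (ts, src, rule) alerts."""
    threshold, alerts = LimitThreshold(), []
    for ts, src, uri in events:
        raw = uri.encode("latin-1")
        for rule, needle in RULES.items():
            if needle in raw and threshold.allow(rule, src, ts):
                alerts.append((ts, src, rule))
    return alerts

# Constructed sample traffic: one scanning source and one benign client
SAMPLE_EVENTS = [
    (0,   "198.51.100.10", "/login.php?user=acunetix_wvs_security_test"),
    (5,   "198.51.100.10", "/search?q=$acunetix"),                        # second rule, own limit
    (20,  "198.51.100.10", "/index.php?id=acunetix_wvs_security_test"),   # suppressed by limit
    (30,  "203.0.113.7",   "/products?id=42"),                            # no match
    (100, "198.51.100.10", "/cart?item=acunetix_wvs_security_test"),      # new 60 s window
]
```

<p>Running <code>evaluate(SAMPLE_EVENTS)</code> yields three alerts (at 0 s, 5 s and 100 s), all from the scanning source: each rule keeps its own per-source window, the 20 s repeat is suppressed, and the match at 100 s alerts again because the window has expired.</p>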