[Snort-users] Detecting w3af scans

Bruno PEPPER laplum3n0ir at ...11827...
Wed Sep 30 11:45:09 EDT 2015


I am running snort ( GRE (Build 47)) on ubuntu 14.04 in the IDS mode along with ET rules for 2.9

The snort command:
snort -d -i eth1 -c /etc/snort/snort.conf -l /var/log/snort -A console

sid-msg.map:2007757 || ET SCAN w3af User Agent || url,doc.emergingthreats.net/2007757 || url,w3af.sourceforge.net
sid-msg.map:2011027 || ET SCAN w3af Scan In Progress ARGENTINA Req Method || url,doc.emergingthreats.net/2011027 || url,w3af.sourceforge.net
sid-msg.map:2011389 || ET SCAN w3af Scan Remote File Include Retrieval || url,w3af.sourceforge.net

Still unable to detect these scans, infact this seems to be the case with a standard SQLMap as well.

Any / all help is welcome :)


More information about the Snort-users mailing list