[Snort-users] Detecting w3af scans

Al Lewis (allewi) allewi at ...589...
Wed Sep 30 12:05:28 EDT 2015


Any reason why you aren't using the latest snort version (2.9.7.5)? 2.9.6 is pretty outdated.

Do you have a conf and pcap you can share that isn't working?

Thanks!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046 
Phone: (office) 443.430.7112
Email: allewi at ...589... 

-----Original Message-----
From: Bruno PEPPER [mailto:laplum3n0ir at ...11827...] 
Sent: Wednesday, September 30, 2015 11:45 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Detecting w3af scans
Importance: High

Hi,

I am running snort (2.9.6.0 GRE (Build 47)) on ubuntu 14.04 in the IDS mode along with ET rules for 2.9

The snort command:
snort -d -i eth1 -c /etc/snort/snort.conf -l /var/log/snort -A console

Emergingrules: 
sid-msg.map:2007757 || ET SCAN w3af User Agent || url,doc.emergingthreats.net/2007757 || url,w3af.sourceforge.net
sid-msg.map:2011027 || ET SCAN w3af Scan In Progress ARGENTINA Req Method || url,doc.emergingthreats.net/2011027 || url,w3af.sourceforge.net
sid-msg.map:2011389 || ET SCAN w3af Scan Remote File Include Retrieval || url,w3af.sourceforge.net

Still unable to detect these scans, infact this seems to be the case with a standard SQLMap as well.

Any / all help is welcome :)

Bruno.

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!




More information about the Snort-users mailing list