[Snort-users] Detecting w3af scans

Bruno Pepper laplum3n0ir at ...11827...
Wed Sep 30 13:48:07 EDT 2015


Thanks Albert in advance.

figured - "apt-get install snort" thats why the older version.

Snort Version:
Version 2.9.6.0 GRE (Build 47)

Snort Command:
snort -d -i eth0 -A console -c /etc/snort/snort.conf -l /var/log/snort/

Prospect signature:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN w3af
User Agent"; flow: established,to_server;  content:"User-Agent|3a|
w3af.sourceforge.net"; http_header; fast_pattern:only; reference:url,
w3af.sourceforge.net; reference:url,doc.emergingthreats.net/2007757;
classtype:attempted-recon; sid:2007757; rev:12;)

Attached the PCAP and snort.conf

All the help, much appreciated.

Bruno

On Wed, Sep 30, 2015 at 9:35 PM, Al Lewis (allewi) <allewi at ...589...> wrote:

> Any reason why you aren't using the latest snort version (2.9.7.5)? 2.9.6
> is pretty outdated.
>
> Do you have a conf and pcap you can share that isn't working?
>
> Thanks!
>
> Albert Lewis
> QA Software Engineer
> SOURCEfire, Inc. now part of Cisco
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
> Phone: (office) 443.430.7112
> Email: allewi at ...589...
>
> -----Original Message-----
> From: Bruno PEPPER [mailto:laplum3n0ir at ...11827...]
> Sent: Wednesday, September 30, 2015 11:45 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Detecting w3af scans
> Importance: High
>
> Hi,
>
> I am running snort (2.9.6.0 GRE (Build 47)) on ubuntu 14.04 in the IDS
> mode along with ET rules for 2.9
>
> The snort command:
> snort -d -i eth1 -c /etc/snort/snort.conf -l /var/log/snort -A console
>
> Emergingrules:
> sid-msg.map:2007757 || ET SCAN w3af User Agent || url,
> doc.emergingthreats.net/2007757 || url,w3af.sourceforge.net
> sid-msg.map:2011027 || ET SCAN w3af Scan In Progress ARGENTINA Req Method
> || url,doc.emergingthreats.net/2011027 || url,w3af.sourceforge.net
> sid-msg.map:2011389 || ET SCAN w3af Scan Remote File Include Retrieval ||
> url,w3af.sourceforge.net
>
> Still unable to detect these scans, infact this seems to be the case with
> a standard SQLMap as well.
>
> Any / all help is welcome :)
>
> Bruno.
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150930/48a12bb4/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: audit1.pcap
Type: application/octet-stream
Size: 1811816 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150930/48a12bb4/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.conf
Type: application/octet-stream
Size: 32257 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150930/48a12bb4/attachment-0001.obj>


More information about the Snort-users mailing list