[Snort-users] Detecting w3af scans
jlay at ...13475...
Wed Sep 30 14:35:35 EDT 2015
On 2015-09-30 11:48 AM, Bruno Pepper wrote:
> Thanks Albert in advance.
> figured - "apt-get install snort" thats why the older version.
> Snort Version:
> Version 22.214.171.124 GRE (Build 47)
> Snort Command:
> snort -d -i eth0 -A console -c /etc/snort/snort.conf -l
> Prospect signature:
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN
> w3af User Agent"; flow: established,to_server;
> content:"User-Agent|3a| w3af.sourceforge.net "; http_header;
> fast_pattern:only; reference:url,w3af.sourceforge.net ;
> reference:url,doc.emergingthreats.net/2007757 ;
> classtype:attempted-recon; sid:2007757; rev:12;)
> Attached the PCAP and snort.conf
> All the help, much appreciated.
> On Wed, Sep 30, 2015 at 9:35 PM, Al Lewis (allewi) <allewi at ...589...>
>> Any reason why you aren't using the latest snort version (126.96.36.199)?
>> 2.9.6 is pretty outdated.
>> Do you have a conf and pcap you can share that isn't working?
>> Albert Lewis
>> QA Software Engineer
>> SOURCEfire, Inc. now part of Cisco
>> 9780 Patuxent Woods Drive
>> Columbia, MD 21046
>> Phone: (office) 443.430.7112
>> Email: allewi at ...589...
>> -----Original Message-----
>> From: Bruno PEPPER [mailto:laplum3n0ir at ...11827...]
>> Sent: Wednesday, September 30, 2015 11:45 AM
>> To: snort-users at lists.sourceforge.net
>> Subject: [Snort-users] Detecting w3af scans
>> Importance: High
>> I am running snort (188.8.131.52 GRE (Build 47)) on ubuntu 14.04 in the
>> IDS mode along with ET rules for 2.9
>> The snort command:
>> snort -d -i eth1 -c /etc/snort/snort.conf -l /var/log/snort -A
>> sid-msg.map:2007757 || ET SCAN w3af User Agent ||
>> url,doc.emergingthreats.net/2007757  || url,w3af.sourceforge.net
>> sid-msg.map:2011027 || ET SCAN w3af Scan In Progress ARGENTINA Req
>> Method || url,doc.emergingthreats.net/2011027  ||
>> url,w3af.sourceforge.net 
>> sid-msg.map:2011389 || ET SCAN w3af Scan Remote File Include
>> Retrieval || url,w3af.sourceforge.net 
>> Still unable to detect these scans, infact this seems to be the
>> case with a standard SQLMap as well.
>> Any / all help is welcome :)
Your source and destination are in the same netblock...change
"$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS" to "any any -> any any"
for testing. Also add -k to your command line to nuke checksums.
More information about the Snort-users