[Snort-users] Detecting w3af scans

James Lay jlay at ...13475...
Wed Sep 30 14:35:35 EDT 2015


On 2015-09-30 11:48 AM, Bruno Pepper wrote:
> Thanks Albert in advance.
> 
> figured - "apt-get install snort" thats why the older version.
> 
> Snort Version:
> Version 2.9.6.0 GRE (Build 47)
> 
> Snort Command:
> snort -d -i eth0 -A console -c /etc/snort/snort.conf -l
> /var/log/snort/
> 
> Prospect signature:
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN
> w3af User Agent"; flow: established,to_server;
> content:"User-Agent|3a| w3af.sourceforge.net [7]"; http_header;
> fast_pattern:only; reference:url,w3af.sourceforge.net [7];
> reference:url,doc.emergingthreats.net/2007757 [1];
> classtype:attempted-recon; sid:2007757; rev:12;)
> 
> Attached the PCAP and snort.conf
> 
> All the help, much appreciated.
> 
> Bruno
> 
> On Wed, Sep 30, 2015 at 9:35 PM, Al Lewis (allewi) <allewi at ...589...>
> wrote:
> 
>> Any reason why you aren't using the latest snort version (2.9.7.5)?
>> 2.9.6 is pretty outdated.
>> 
>> Do you have a conf and pcap you can share that isn't working?
>> 
>> Thanks!
>> 
>> Albert Lewis
>> QA Software Engineer
>> SOURCEfire, Inc. now part of Cisco
>> 9780 Patuxent Woods Drive
>> Columbia, MD 21046
>> Phone: (office) 443.430.7112
>> Email: allewi at ...589...
>> 
>> -----Original Message-----
>> From: Bruno PEPPER [mailto:laplum3n0ir at ...11827...]
>> Sent: Wednesday, September 30, 2015 11:45 AM
>> To: snort-users at lists.sourceforge.net
>> Subject: [Snort-users] Detecting w3af scans
>> Importance: High
>> 
>> Hi,
>> 
>> I am running snort (2.9.6.0 GRE (Build 47)) on ubuntu 14.04 in the
>> IDS mode along with ET rules for 2.9
>> 
>> The snort command:
>> snort -d -i eth1 -c /etc/snort/snort.conf -l /var/log/snort -A
>> console
>> 
>> Emergingrules:
>> sid-msg.map:2007757 || ET SCAN w3af User Agent ||
>> url,doc.emergingthreats.net/2007757 [1] || url,w3af.sourceforge.net
>> [2]
>> sid-msg.map:2011027 || ET SCAN w3af Scan In Progress ARGENTINA Req
>> Method || url,doc.emergingthreats.net/2011027 [3] ||
>> url,w3af.sourceforge.net [2]
>> sid-msg.map:2011389 || ET SCAN w3af Scan Remote File Include
>> Retrieval || url,w3af.sourceforge.net [2]
>> 
>> Still unable to detect these scans, infact this seems to be the
>> case with a standard SQLMap as well.
>> 
>> Any / all help is welcome :)
>> 
>> Bruno.

Your source and destination are in the same netblock...change 
"$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS" to "any any -> any any" 
for testing.  Also add -k to your command line to nuke checksums.

James





More information about the Snort-users mailing list