Snort mailing list archives
Re: Proposed Rules for Acunetix Scanner
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Sun, 8 Jan 2017 17:24:23 +0000
Josh, Let’s move those rules into community. -- Joel Esler | Talos: Manager | jesler () cisco com<mailto:jesler () cisco com> On Jan 6, 2017, at 2:52 PM, lists () packetmail net<mailto:lists () packetmail net> wrote: Cool, no worries. Cheers guys. On 01/06/17 13:13, Joshua Williams wrote: Nathan, Thanks for the submission. After careful consideration, we are going to hold off on using these rules. While the new rules would work, the 9 rules we already have in place already alert. We could technically add tons of different rules that detect Acunetix scanning, but at the end of the day the traffic is already triggering an alert. Thanks for letting us know! -- Josh Williams Detection Response Team TALOS Security Group On Tue, Jan 3, 2017 at 3:44 PM, <lists () packetmail net<mailto:lists () packetmail net> <mailto:lists () packetmail net>> wrote: No worries, Happy GNU Year ;) On 01/03/17 14:39, Joshua Williams wrote: Nathan, Thanks for the submission. Sorry for the delay, I've been out of the office for a little bit. I'll review these and get back to you once they've finished testing. -- Josh Williams Detection Response Team TALOS Security Group On Wed, Dec 28, 2016 at 11:58 AM, <lists () packetmail net<mailto:lists () packetmail net> <mailto:lists () packetmail net> <mailto:lists () packetmail net <mailto:lists () packetmail net>>> wrote: In hindsight, classtype:web-application-attack; may make more sense. On 12/28/16 10:47, lists () packetmail net<mailto:lists () packetmail net> <mailto:lists () packetmail net> <mailto:lists () packetmail net <mailto:lists () packetmail net>> wrote: I did not see similar in the VRT ruleset and wanted to propose the following for inclusion into the VRT COMMUNITY ruleset. I am unable to share a PCAP due to confidentiality, however, these should match: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"VRT COMMUNITY Acunetix scan in progress acunetix_wvs_security_test in http_uri"; flow:established,to_server; content:"acunetix_wvs_security_test"; http_uri; fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.acunetix.com/<http://www.acunetix.com/> <http://www.acunetix.com/> <http://www.acunetix.com/>; classtype:attempted-recon; sid:X; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"VRT COMMUNITY Acunetix scan in progress acunetix variable in http_uri"; flow:established,to_server; content:"|24|acunetix"; http_uri; fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.acunetix.com/<http://www.acunetix.com/> <http://www.acunetix.com/> <http://www.acunetix.com/>; classtype:attempted-recon; sid:X; rev:1;) ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org<http://SlashDot.org>! http://sdm.link/slashdot _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net<mailto:Snort-sigs () lists sourceforge net> <mailto:Snort-sigs () lists sourceforge net> <mailto:Snort-sigs () lists sourceforge net <mailto:Snort-sigs () lists sourceforge net>> https://lists.sourceforge.net/lists/listinfo/snort-sigs <https://lists.sourceforge.net/lists/listinfo/snort-sigs> <https://lists.sourceforge.net/lists/listinfo/snort-sigs <https://lists.sourceforge.net/lists/listinfo/snort-sigs>> http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org<http://Snort.org> to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads <https://snort.org/downloads/#rule-downloads> <https://snort.org/downloads/#rule-downloads <https://snort.org/downloads/#rule-downloads>>">emerging threats</a>! ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org<http://SlashDot.org>! http://sdm.link/slashdot _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net<mailto:Snort-sigs () lists sourceforge net> https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Current thread:
- Re: Proposed Rules for Acunetix Scanner Joshua Williams (Jan 03)
- Re: Proposed Rules for Acunetix Scanner lists (Jan 03)
- <Possible follow-ups>
- Re: Proposed Rules for Acunetix Scanner lists (Jan 06)
- Re: Proposed Rules for Acunetix Scanner Joel Esler (jesler) (Jan 08)
- Re: Proposed Rules for Acunetix Scanner Joshua Williams (Jan 10)
- Re: Proposed Rules for Acunetix Scanner Joel Esler (jesler) (Jan 08)