# # $Id: emerging-scan.rules $ # Emerging Threats scan rules. # # SID's are 2000000+ to avoid conflicts # # More information available at www.emergingthreats.net # # Please submit any custom rules or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list # #************************************************************* # # Copyright (c) 2003-2010, Emerging Threats # All rights reserved. # # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
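#
# Rules below were collapsed onto a few physical lines in this copy, which puts
# whole rules behind leading "#" comments; they are restored to one rule per
# line here. Only two rules change logic (rev bumped on each): sid 2009749 now
# matches HTTP/1.0 as well as HTTP/1.1 status lines.
#
#by Kevin Ross
# Response-side rule: flow is from_server, so track by_dst counts 403s per
# scanning client. The old "HTTP/1.1 403" pattern silently missed 1.0 servers
# and proxies; "HTTP/1." + one version digit + " 403" covers both.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET SCAN Unusually Fast 403 Error Messages, Possible Web Application Scan"; flow:from_server,established; content:"HTTP/1."; depth:7; content:" 403"; distance:1; within:4; threshold: type threshold, track by_dst, count 35, seconds 60; classtype:attempted-recon; reference:url,www.checkupdown.com/status/E403.html; reference:url,doc.emergingthreats.net/2009749; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_403; sid:2009749; rev:3;)
#by David Wharton
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Absinthe SQL Injection Tool HTTP Header Detected"; flow:established,to_server; content:"|0d 0a|User|2D|Agent|3A 20|Absinthe"; nocase; classtype:attempted-recon; reference:url,0x90.org/releases/absinthe; reference:url,doc.emergingthreats.net/2009555; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Absinthe; sid:2009555; rev:2;)
#by Kevin Ross
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Acunetix Version 6 Crawl/Scan Detected"; flow:to_server,established; uricontent:"/acunetix-wvs-test-for-some-inexistent-file"; threshold: type threshold, track by_dst, count 2, seconds 5; classtype:attempted-recon; reference:url,www.acunetix.com/; reference:url,doc.emergingthreats.net/2008571; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Acunetix; sid:2008571; rev:4;)
#by Kevin Ross
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Acunetix Version 6 (Free Edition) Scan Detected"; flow:to_server,established; content:"(Acunetix Web Vulnerability Scanner - Free Edition)"; nocase; threshold: type limit, count 1, seconds 60, track by_src; classtype:attempted-recon; reference:url,www.acunetix.com/; reference:url,doc.emergingthreats.net/2009646; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Acunetix; sid:2009646; rev:4;)
#by Kevin Ross
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Amap TCP Service Scan Detected"; flow:to_server; flags:PA; content:"service|3A|thc|3A 2F 2F|"; depth:105; content:"service|3A|thc"; within:40; classtype:attempted-recon; reference:url,freeworld.thc.org/thc-amap/; reference:url,doc.emergingthreats.net/2010371; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Amap; sid:2010371; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Amap UDP Service Scan Detected"; dsize:<135; content:"THCTHCTHCTHCTHC|20 20 20|"; classtype:attempted-recon; reference:url,freeworld.thc.org/thc-amap/; reference:url,doc.emergingthreats.net/2010372; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Amap; sid:2010372; rev:2;)
#by Adam Pointon of Sentinel Security
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Watchfire AppScan Web App Vulnerability Scanner"; uricontent: "/appscan_fingerprint/mac_address"; nocase; flow:established,to_server; classtype:attempted-recon; reference:url,www.watchfire.com/products/appscan/default.aspx; reference:url,doc.emergingthreats.net/2008311; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_AppScan; sid:2008311; rev:3;)
#by kevin ross
# NOTE(review): "GET /?" within the first 80 bytes matches ANY request for the
# site root carrying a query string, not just asp-audit. Expect false positives
# on busy sites. Nothing here identifies a tool-specific marker to narrow it,
# so tune or disable locally rather than treating a hit as an indicator alone.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Asp-Audit Web Scan Detected"; flow:to_server,established; content:"GET /?"; depth:80; classtype:attempted-recon; reference:url,www.hacker-soft.net/Soft/Soft_2895.htm; reference:url,wiki.remote-exploit.org/backtrack/wiki/asp-audit; reference:url,doc.emergingthreats.net/2009479; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_AspAudit; sid:2009479; rev:3;)
#by Martin Holste
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Automated Injection Tool User-Agent (AutoGetColumn)"; flow:established,to_server; content:"|0d 0a|User-Agent\: AutoGetColumn"; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2009154; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_AutoGetColumn; sid:2009154; rev:5;)
#by Kevin Ross
# NOTE(review): the second content mixes an absolute modifier (offset) with a
# relative one (distance) on the same match. Snort 2.x loaded this when the
# rule was written, but Suricata refuses a content that combines offset/depth
# with distance/within -- load the file on the target engine to confirm.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Brute Force Exploit Detector HTTP Buffer Overflow Detection"; flow:to_server,established; content:"HEAD AAAAAAAAAAAAAA"; content:"HTTP/1.0"; offset:30; distance:10; classtype:attempted-recon; reference:url,www.snake-basket.de/bed.html; reference:url,doc.emergingthreats.net/2008596; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_BED; sid:2008596; rev:2;)
#by Michael Sconzo of ERCOT
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN bsqlbf Brute Force SQL Injection"; flow:established,to_server; content:"|0d 0a|User-Agent\: bsqlbf"; nocase; classtype:web-application-activity; reference:url,code.google.com/p/bsqlbf-v2/; reference:url,doc.emergingthreats.net/2008362; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_BSQLBF; sid:2008362; rev:2;)
# These are intended to catch new worms and such scanning internally. Careful of falses.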
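# Outbound SYN counter: 10 SYNs to 3127 from one internal host in 60 s.
# Host-side trigger, so an internal host hitting this is the thing to look at.
alert tcp $HOME_NET any -> $EXTERNAL_NET 3127 (msg:"ET SCAN Behavioral Unusual Port 3127 traffic, Potential Scan or Backdoor"; flags: S,12; threshold: type both, track by_src, count 10 , seconds 60; classtype: misc-activity; reference:url,doc.emergingthreats.net/2002973; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Backdoors; sid: 2002973; rev:4;)
#by Kevin Ross
# CISCO TORCH SCAN DETECTION RULES
# TFTP: offset:2 skips the 2-byte opcode; the pattern is the fixed filename
# "Rand0mSTRING" + NUL + "netascii" mode string that the tool sends.
alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET SCAN Cisco Torch TFTP Scan"; content:"|52 61 6E 64 30 6D 53 54 52 49 4E 47 00 6E 65 74 61 73 63 69 69|"; offset:2; depth:21; classtype:attempted-recon; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008414; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Cisco_Torch; sid:2008414; rev:2;)
# HTTP: the hex is "User-Agent: Cisco-torch \r\n" (note the trailing space).
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Cisco Torch IOS HTTP Scan"; content:"|55 73 65 72 2d 41 67 65 6e 74 3a 20 43 69 73 63 6f 2d 74 6f 72 63 68 20 0d 0a|"; flow:to_server,established; classtype:attempted-recon; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008415; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Cisco_Torch; sid:2008415; rev:3;)
# SNMP: "public" community followed by a sysDescr (1.3.6.1.2.1.1.1.0) varbind;
# neither content is anchored, so any "public" sysDescr poll will match, not
# only Cisco Torch. Treat as a community-string-scan indicator.
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SCAN Cisco Torch SNMP Scan"; content:"public"; content:"|30 0C 06 08 2B 06 01 02 01 01 01 00 05 00|"; classtype:attempted-recon; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008597; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Cisco_Torch; sid:2008597; rev:2;)
#by Jack Pepper
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Core-Project Scanning Bot UA Detected"; flow:established,to_server; content:"|0d 0a|User-Agent\: core-project/1.0"; classtype:web-application-activity; reference:url,doc.emergingthreats.net/2008529; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Coreproject; sid:2008529; rev:2;)
# Submitted 2006-10-30 by Frank Knobbe
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Crewbox Proxy Scan"; flow:established,to_server; uricontent:".php?"; nocase; uricontent:"crewbox.by.ru/crew/"; nocase; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2003156; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Crewscan; sid:2003156; rev:5;)
#by Adam Pointon of Sentinel Security
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN DEBUG Method Request with Command"; flow:established,to_server; content:"DEBUG "; depth:6; content:"|0d 0a|Command\: "; distance:0; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2008312; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_DEBUG_Method; sid:2008312; rev:2;)
#by evilghost
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ICMP Delphi, Likely Precursor to Scan"; itype:8; icode:0; content:"Pinging from Delphi code written"; classtype:misc-activity; reference:url,www.koders.com/delphi/fid942A4EAF946B244BD3CD9BC83FEAAC35BA1F38AB.aspx; reference:url,doc.emergingthreats.net/2010681; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Delphi; sid:2010681; rev:2;)
#by Adam Pointon at Sentinel Data Security
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN DirBuster Web App Scan in Progress"; flow:to_server,established; content:"|0d 0a|User-Agent\: DirBuster"; reference:url,owasp.org; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2008186; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_DirBuster; sid:2008186; rev:2;)
#by Kevin Ross
# NOTE(review): the second content combines within (relative) with depth
# (absolute); Snort 2.x loaded it, Suricata refuses that combination --
# confirm on the target engine.
alert udp $EXTERNAL_NET any -> $HOME_NET 4569 (msg:"ET SCAN Enumiax Inter-Asterisk Exchange Protocol Username Scan"; content:"|00 00|"; content:"|06 0D 06 01 30 13 02 07 08|"; within:10; depth:40; classtype:attempted-recon; reference:url,sourceforge.net/projects/enumiax/; reference:url,doc.emergingthreats.net/2008606; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Enumiax; sid:2008606; rev:2;)
# Submitted by Frank Knobbe
#Note: These are more effective as pass rules to avoid getting hits on other rules that don't really apply. This is benign load balancer probe traffic.
# Each probe is a SYN carrying 24 zero bytes of payload with IP id 1/2/3 and
# window 2048; only the IP id and sid differ between the three rules.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN F5 BIG-IP 3DNS TCP Probe 1"; id: 1; dsize: 24; flags: S,12; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; window: 2048; classtype: misc-activity; reference:url,www.f5.com/f5products/v9intro/index.html; reference:url,doc.emergingthreats.net/2001609; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_F5_BIG-IP_Probe; sid: 2001609; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN F5 BIG-IP 3DNS TCP Probe 2"; id: 2; dsize: 24; flags: S,12; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; window: 2048; classtype: misc-activity; reference:url,www.f5.com/f5products/v9intro/index.html; reference:url,doc.emergingthreats.net/2001610; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_F5_BIG-IP_Probe; sid: 2001610; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN F5 BIG-IP 3DNS TCP Probe 3"; id: 3; dsize: 24; flags: S,12; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; window: 2048; classtype: misc-activity; reference:url,www.f5.com/f5products/v9intro/index.html; reference:url,doc.emergingthreats.net/2001611; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_F5_BIG-IP_Probe; sid: 2001611; rev:12;)
#by atomic-penguin, tweak by matt Jonkman to cover other ftp daemons like freeftpd and warftpd
# Server-side rule: five "530 Login/User/Failed/Not ..." replies in 300 s.
# flow is from_server, so track by_dst keys on the client doing the guessing.
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP Brute-Force attempt"; flow:from_server,established; dsize:<100; content:"530 "; depth:4; pcre:"/530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user; threshold: type threshold, track by_dst, count 5, seconds 300; reference:url,doc.emergingthreats.net/2002383; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_Brute_Force; sid:2002383; rev:11;)
#by kevin ross
# NOTE(review): "root" anywhere in the 15 bytes after "USER " also matches
# usernames that merely contain it (e.g. "groot"); fine for a thresholded
# brute-force hint, not a precise indicator. Same caveat for "administrator".
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET SCAN Multiple FTP Root Login Attempts from Single Source - Possible Brute Force Attempt"; flow:established,to_server; content:"USER "; nocase; depth:5; content:"root"; within:15; nocase; threshold: type threshold, track by_src, count 5, seconds 60; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2010642; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_Brute_Force; sid:2010642; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET SCAN Multiple FTP Administrator Login Attempts from Single Source - Possible Brute Force Attempt"; flow:established,to_server; content:"USER "; nocase; depth:5; content:"administrator"; within:25; nocase; threshold: type threshold, track by_src, count 5, seconds 60; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2010643; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_Brute_Force; sid:2010643; rev:3;)
#by Kevin Ross
# FTP command verbs are case-insensitive (RFC 959), and the brute-force rules
# above already match "USER " nocase; the six SQLi rules matched "USER"
# case-sensitively, so "user ' UNION SELECT ..." bypassed all of them.
# "USER" is now nocase in each; rev bumped 2 -> 3.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET SCAN Possible FTP Daemon Username SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"USER"; depth:4; nocase; content:"SELECT"; within:200; nocase; content:"FROM"; distance:0; nocase; pcre:"/SELECT.+FROM/i"; classtype:attempted-user; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2009981; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_SQL_Injection; sid:2009981; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET SCAN Possible FTP Daemon Username DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"USER"; depth:4; nocase; content:"DELETE"; within:200; nocase; content:"FROM"; distance:0; nocase; pcre:"/DELETE.+FROM/i"; classtype:attempted-user; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2009982; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_SQL_Injection; sid:2009982; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET SCAN Possible FTP Daemon Username INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"USER"; depth:4; nocase; content:"INSERT"; within:200; nocase; content:"INTO"; distance:0; nocase; pcre:"/INSERT.+INTO/i"; classtype:attempted-user; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2009983; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_SQL_Injection; sid:2009983; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET SCAN Possible FTP Daemon Username UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"USER"; depth:4; nocase; content:"UPDATE"; within:200; nocase; content:"SET"; distance:0; nocase; pcre:"/UPDATE.+SET/i"; classtype:attempted-user; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2009984; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_SQL_Injection; sid:2009984; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET SCAN Possible FTP Daemon Username UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"USER"; depth:4; nocase; content:"UNION"; within:200; nocase; content:"SELECT"; distance:0; nocase; pcre:"/UNION.+SELECT/i"; classtype:attempted-user; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2009985; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_SQL_Injection; sid:2009985; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET SCAN Possible FTP Daemon Username INTO OUTFILE SQL Injection Attempt"; flow:established,to_server; content:"USER"; depth:4; nocase; content:"INTO"; within:200; nocase; content:"OUTFILE"; distance:0; nocase; pcre:"/INTO.+OUTFILE/i"; classtype:attempted-user; reference:url,www.milw0rm.com/papers/372; reference:url,www.greensql.net/publications/backdoor-webserver-using-mysql-sql-injection; reference:url,websec.wordpress.com/2007/11/17/mysql-into-outfile/; reference:url,doc.emergingthreats.net/2010081; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_SQL_Injection; sid:2010081; rev:3;)
#Matt Jonkman
# Looking for brute forcing of mail services
# NOTE(review): these four count raw SYNs per source (10 in 120 s) with no
# authentication-failure check, so a legitimate client polling several
# mailboxes, or a mail proxy/gateway, trips them. Tune the count per site and
# corroborate with server-side failure logs before acting on a hit.
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"ET SCAN Rapid POP3 Connections - Possible Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 10, seconds 120; classtype: misc-activity; reference:url,doc.emergingthreats.net/2002992; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_General_Services; sid: 2002992; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"ET SCAN Rapid POP3S Connections - Possible Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 10, seconds 120; classtype: misc-activity; reference:url,doc.emergingthreats.net/2002993; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_General_Services; sid: 2002993; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET SCAN Rapid IMAP Connections - Possible Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 10, seconds 120; classtype: misc-activity; reference:url,doc.emergingthreats.net/2002994; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_General_Services; sid: 2002994; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 10, seconds 120; classtype: misc-activity; reference:url,doc.emergingthreats.net/2002995; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_General_Services; sid: 2002995; rev:6;)
#Seen being used for vuln scanning.
# The original script it's modified from is legitimate, so there may be some falses
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC Suspicious User-Agent - get-minimal - Possible Vuln Scan"; flow:established,to_server; content:"User-Agent\: get-minimal"; classtype:attempted-admin; reference:url,doc.emergingthreats.net/2003634; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Get-minimal_UA; sid:2003634; rev:4;)
#by kevin ross
# NOTE(review): offset:110/depth:30 pins the User-Agent header to a fixed byte
# window of the request; a longer or shorter request line moves the header
# out of that window and the rule misses.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Grabber.py Web Scan Detected"; flow:to_server,established; content:"|0d 0a|User-Agent\: Grabber"; offset:110; depth:30; classtype:attempted-recon; reference:url,rgaucher.info/beta/grabber/; reference:url,doc.emergingthreats.net/2009483; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Grabber.py; sid:2009483; rev:2;)
#by Kevin Ross
# NOTE(review): second content mixes offset/depth with distance on one match;
# Snort 2.x loaded it, Suricata refuses that combination -- confirm on the
# target engine.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Grendel Web Scan - Default User Agent Detected"; flow:to_server,established; content:"|0d 0a|User-Agent\: Mozilla/5.0 (compatible\; Grendel-Scan"; nocase; content:"http\://www.grendel-scan.com"; offset:90; distance:1; depth:55; nocase; threshold: type threshold, track by_dst, count 50, seconds 60; reference:url,www.grendel-scan.com; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2009480; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Grendel; sid:2009480; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Grendel Web Scan Detected"; flow:to_server,established; content:"GET /random"; nocase; depth:11; pcre:"/(html|bat|htm|vbs|do|xdl|htr|swf|wsdl|pl|php3|cfm|cgi|cfc|axd|asp)/Ui"; threshold: type threshold, track by_dst, count 20, seconds 40; reference:url,www.grendel-scan.com; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2009481; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Grendel; sid:2009481; rev:2;)
#by JP Vossen and Safka : http://library.pantek.com/Mailing%20Lists/snort.org/snort-sigs/03/08/1120.html
alert tcp any any -> any 21 (msg:"ET SCAN Grim's Ping ftp scanning tool"; flow:to_server,established; content:"PASS "; content:"gpuser@home.com"; within:18; reference:url,archives.neohapsis.com/archives/snort/2002-04/0448.html; reference:url,grimsping.cjb.net; classtype:network-scan; reference:url,doc.emergingthreats.net/2007802; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Grims_FTP; sid:2007802; rev:4;)
#by Kevin Ross
# NOTE(review): second content mixes offset with distance on one match; same
# engine-compatibility caveat as the Grendel UA rule above.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Halberd Load Balanced Webserver Detection Scan"; content:"Pragma\: no-cache"; content:"Firefox/1.0.3"; offset:40; distance:40; flow:to_server,established; threshold: type threshold, track by_src, count 40, seconds 15; classtype:attempted-recon; reference:url,www.halberd.superadditive.com; reference:url,doc.emergingthreats.net/2008536; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Halberd; sid:2008536; rev:3;)
#by Kevin Ross
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Hmap Webserver Fingerprint Scan"; content:"GET / HTTP/1.0"; content:"User-Agent\: Mozilla"; content:"4.75 [en] (Windows NT 5.0"; offset:20; depth:60; flow:to_server,established; classtype:attempted-recon; reference:url,www.ujeni.murkyroc.com/hmap/; reference:url,doc.emergingthreats.net/2008537; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Hmap; sid:2008537; rev:3;)
#by Kevin Ross
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET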
SCAN Httprecon Web Server Fingerprint Scan"; flow:to_server,established; content:"GET /etc/passwd?format="; content:">