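title: Hack Tool User Agent
status: experimental
description: Detects suspicious user agent strings used by hack tools in proxy logs
references:
  - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
  - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
author: Florian Roth
logsource:
  category: proxy
detection:
  selection:
    # Every value below is matched against the proxy log's UserAgent field.
    # '*' is a wildcard; entries without '*' only fire on an exact,
    # whole-field match (see 'FHScan Core' and 'ruler' below).
    UserAgent:
      # Vulnerability scanner and brute force tools
      - '*(hydra)*'
      - '* arachni/*'
      - '* BFAC *'
      - '* brutus *'
      - '* cgichk *'
      - '*core-project/1.0*'
      - '* crimscanner/*'
      - '*datacha0s*'
      - '*dirbuster*'
      - '*domino hunter*'
      - '*dotdotpwn*'
      - 'FHScan Core'  # exact match, no wildcards
      - '*floodgate*'
      - '*get-minimal*'
      - '*gootkit auto-rooter scanner*'
      - '*grendel-scan*'
      - '* inspath *'
      - '*internet ninja*'
      - '*jaascois*'
      - '* zmeu *'
      - '*masscan*'
      - '* metis *'
      - '*morfeus fucking scanner*'
      - '*n-stealth*'
      - '*nsauditor*'
      - '*pmafind*'
      - '*security scan*'  # generic phrase; expect hits from legitimate scanners too
      - '*springenwerk*'
      - '*teh forest lobster*'
      - '*toata dragostea*'
      - '* vega/*'
      - '*voideye*'
      - '*webshag*'
      - '*webvulnscan*'
      - '* whcc/*'

      # SQL Injection
      - '* Havij'  # anchored at the end of the field: nothing may follow 'Havij'
      - '*absinthe*'
      - '*bsqlbf*'
      - '*mysqloit*'
      - '*pangolin*'
      - '*sql power injector*'
      - '*sqlmap*'
      - '*sqlninja*'
      - '*uil2pn*'

      # Hack tool
      - 'ruler'  # exact match, no wildcards; https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
  condition: selection
fields:
  - ClientIP
  - URL
  - UserAgent
# Authorized vulnerability scans and penetration tests use the same tools
# and will match; correlate ClientIP with approved scanner sources before escalating.
falsepositives:
  - Unknown
level: high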