title: Hack Tool User Agent id: c42a3073-30fb-48ae-8c99-c23ada84b103 status: experimental description: Detects suspicious user agent strings user by hack tools in proxy logs author: Florian Roth date: 2017/07/08 modified: 2020/09/03 references: - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules logsource: category: proxy detection: selection: c-useragent: # Vulnerbility scanner and brute force tools - '*(hydra)*' - '* arachni/*' - '* BFAC *' - '* brutus *' - '* cgichk *' - '*core-project/1.0*' - '* crimscanner/*' - '*datacha0s*' - '*dirbuster*' - '*domino hunter*' - '*dotdotpwn*' - 'FHScan Core' - '*floodgate*' - '*get-minimal*' - '*gootkit auto-rooter scanner*' - '*grendel-scan*' - '* inspath *' - '*internet ninja*' - '*jaascois*' - '* zmeu *' - '*masscan*' - '* metis *' - '*morfeus fucking scanner*' - '*n-stealth*' - '*nsauditor*' - '*pmafind*' - '*security scan*' - '*springenwerk*' - '*teh forest lobster*' - '*toata dragostea*' - '* vega/*' - '*voideye*' - '*webshag*' - '*webvulnscan*' - '* whcc/*' # SQL Injection - '* Havij' - '*absinthe*' - '*bsqlbf*' - '*mysqloit*' - '*pangolin*' - '*sql power injector*' - '*sqlmap*' - '*sqlninja*' - '*uil2pn*' # Hack tool - 'ruler' # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/ - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)' # SQLi Dumper condition: selection fields: - ClientIP - c-uri - c-useragent falsepositives: - Unknown level: high tags: - attack.initial_access - attack.t1190 - attack.credential_access - attack.t1110