# Sigma rule: flags proxy requests whose User-Agent header contains a substring
# associated with well-known scanning, brute-force, SQL-injection or offensive tooling.
title: Hack Tool User Agent
id: c42a3073-30fb-48ae-8c99-c23ada84b103
status: experimental
description: Detects suspicious user agent strings user by hack tools in proxy logs
author: Florian Roth
date: 2017/07/08
modified: 2020/09/03
references:
    # Source lists the indicator strings below were drawn from (WAF test bed and
    # Emerging Threats user-agent signatures).
    - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
    - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
logsource:
    # Applies to any proxy log source that exposes the client User-Agent as c-useragent.
    category: proxy
detection:
    selection:
        # `contains` is a substring match against the whole User-Agent header.
        # Several entries carry a leading and/or trailing space (' metis ', ' brutus ',
        # ' vega/') — this appears to be deliberate, so that a short token only matches
        # as a separate word and not inside a longer, legitimate product name.
        # Bare short tokens without such padding ('ruler', 'pangolin', 'floodgate',
        # 'absinthe', 'security scan') are the entries most likely to need tuning
        # against the local baseline of legitimate user agents.
        c-useragent|contains:
            # Vulnerability scanner and brute force tools
            - '(hydra)'
            - ' arachni/'
            - ' BFAC '
            - ' brutus '
            - ' cgichk '
            - 'core-project/1.0'
            - ' crimscanner/'
            - 'datacha0s'
            - 'dirbuster'
            - 'domino hunter'
            - 'dotdotpwn'
            - 'FHScan Core'
            - 'floodgate'
            - 'get-minimal'
            - 'gootkit auto-rooter scanner'
            - 'grendel-scan'
            - ' inspath '
            - 'internet ninja'
            - 'jaascois'
            - ' zmeu '
            - 'masscan'
            - ' metis '
            - 'morfeus fucking scanner'
            - 'n-stealth'
            - 'nsauditor'
            - 'pmafind'
            - 'security scan'
            - 'springenwerk'
            - 'teh forest lobster'
            - 'toata dragostea'
            - ' vega/'
            - 'voideye'
            - 'webshag'
            - 'webvulnscan'
            - ' whcc/'
            # SQL Injection
            - ' Havij'
            - 'absinthe'
            - 'bsqlbf'
            - 'mysqloit'
            - 'pangolin'
            - 'sql power injector'
            - 'sqlmap'
            - 'sqlninja'
            - 'uil2pn'
            # Hack tool
            - 'ruler' # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
            # SQLi Dumper — matched on the full, fixed browser-like User-Agent the tool
            # presents. Note this is a complete Firefox 3.5.2 (pt-PT) header string, so
            # a genuine client still sending exactly this very old build string would
            # match as well; such a hit should be confirmed against the requested URIs
            # before being treated as tooling.
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'
    # A single selection is enough: any one matching substring fires the rule.
    condition: selection
# Log fields worth surfacing with the alert for triage (source, requested path,
# and the full User-Agent that triggered the match).
fields:
    - ClientIP
    - c-uri
    - c-useragent
falsepositives:
    - Unknown
level: high
tags:
    - attack.initial_access
    - attack.t1190
    - attack.credential_access
    - attack.t1110