File: web-attack.rules

# Sagan web-attack.rules
# Copyright (c) 2009-2017, Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
#  following conditions are met:
#
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
#    from this software without specific prior written permission.
#
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# 
# These rules identify web attacks in Apache, IIS and other "access" logs.

# Added by Robert Nunley (rnunley@quadantsec.com)

# --- SQL injection indicators in the logged request line ---------------------
# Each rule is a literal substring match on the log line. The substrings are in
# URL-encoded form (%20 = space, %27 = single quote, %3D = "="), so they only
# match when the web server logs the raw request line rather than a decoded one.
# parse_src_ip: 1 takes the first IP address found in the line as the source;
# no parse_dst_ip is set in this group. default_proto / default_dst_port supply
# the protocol and port for the event when the log line does not carry them.
#
# sid 5001699: "0x31303235343830303536" is the hex encoding of the ASCII string
# "1025480056", the marker the Havij tool embeds in its test queries. No nocase:
# the hex digits are all numeric, only the "0x" prefix is case-sensitive.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Havij SQL Injection Tool Identified"; content: "0x31303235343830303536"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001699; sid: 5001699; rev:2;)
# sid 5001700: URL-encoded "0' union all select "; nocase makes it case-insensitive.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] UNION ALL SELECT in URL - Possible SQL Injection"; content: "0%27%20union%20all%20select%20"; nocase; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1;  reference: url,wiki.quadrantsec.com/bin/view/Main/5001700; sid: 5001700; rev:2;)
# sid 5001701 / 5001702: URL-encoded tautologies " and 'x'='x" and " and '1'='1".
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] SQL Injection Using Encapsulated Data - x=x"; content: "%20and%20%27x%27%3D%27x"; nocase; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001701; sid: 5001701; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] SQL Injection Using Encapsulated Data - 1=1"; content: "%20and%20%271%27%3D%271"; nocase; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001702; sid: 5001702; rev:2;)
# sid 5001703: both "concat" and "unhex" must appear in the same line.
# NOTE(review): nocase is written only after the second content; if Sagan binds
# nocase to the preceding content (as Snort does) then "concat" stays
# case-sensitive — confirm whether that is intended.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] SQL Injection Using Hex Encoding"; content: "concat"; content: "unhex"; nocase; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001703; sid: 5001703; rev:2;)

# Added by Robert Nunley (Nov272013)

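# --- Scanner and attack-tool User-Agent signatures ----------------------------
# Every rule below requires the literal "User-Agent" plus one or more
# tool-specific substrings in the same log line. parse_src_ip: 1 and
# parse_dst_ip: 2 take the first and second IP addresses found in the line as
# source and destination. Without nocase a content match is case-sensitive, and
# only some rules set it. "xbits: set, recon, 86400" raises a "recon" flag for
# 24 hours; presumably other rule files test it with xbits:isset for
# correlation — confirm before relying on it. The rules commented out with "#"
# (sids 5001801, 5001807, 5001809) are thresholded variants that appear to have
# been superseded by the un-thresholded rules with sids 5001863, 5001865 and
# 5001866 further down.
#
# sid 5001864: NOTE(review): nocase is placed after parse_dst_ip rather than
# directly after the "Absinthe" content; whether the parser still applies it
# to that content should be verified.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Absinthe SQL Injection Tool HTTP Header Detected"; content:"User-Agent"; content: "Absinthe"; parse_src_ip: 1; parse_dst_ip: 2; nocase; reference:url,0x90.org/releases/absinthe; reference:url,doc.emergingthreats.net/2009555; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001864; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] bsqlbf Brute Force SQL Injection"; content:"User-Agent"; content: "bsqlbf"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,code.google.com/p/bsqlbf-v2/; reference:url,doc.emergingthreats.net/2008362; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:web-application-activity; sid:5001792; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Cisco Torch IOS HTTP Scan"; content:"User-Agent"; content: "Cisco-torch"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008415; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001793; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Core-Project Scanning Bot UA Detected";  content:"User-Agent"; content: "core-project/1.0"; parse_src_ip: 1; parse_dst_ip: 2; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:web-application-activity; sid:5001794; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] crimscanner User-Agent detected"; content:"GET"; nocase; content:"User-Agent"; content: "crimscanner"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2010954; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:network-scan; sid:5001795; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] DavTest WebDav Vulnerability Scanner Default User Agent Detected"; content:"User-Agent"; content: "DAV.pm"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.darknet.org.uk/2010/04/davtest-webdav-vulerability-scanning-scanner-tool/; reference:url,code.google.com/p/davtest/; reference:url,doc.emergingthreats.net/2011089; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001796; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] DirBuster Web App Scan in Progress"; content:"User-Agent"; content: "DirBuster"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,owasp.org; reference:url,doc.emergingthreats.net/2008186; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:web-application-attack; sid:5001797; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Possible Fast-Track Tool Spidering User-Agent Detected"; content:"User-Agent"; content: "pymills-spider"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.offensive-security.com/metasploit-unleashed/Fast-Track-Modes; reference:url,doc.emergingthreats.net/2011721; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001798; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Suspicious User-Agent - get-minimal - Possible Vuln Scan"; content:"User-Agent"; content: "get-minimal"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2003634; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5001799; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Grabber.py Web Scan Detected"; content:"User-Agent"; content: "Grabber"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,rgaucher.info/beta/grabber/; reference:url,doc.emergingthreats.net/2009483; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001800; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Grendel Web Scan - Default User Agent Detected [0/5]"; content:"User-Agent"; content: "Mozilla/5.0"; content: "Grendel-Scan"; nocase; content:"http://www.grendel-scan.com"; nocase; threshold: type threshold, track by_dst, count 50, seconds 60; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.grendel-scan.com; reference:url,doc.emergingthreats.net/2009480; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001801; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Grendel Web Scan - Default User Agent Detected"; content:"User-Agent"; content: "Mozilla/5.0"; content: "Grendel-Scan"; nocase; content:"http://www.grendel-scan.com"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.grendel-scan.com; reference:url,doc.emergingthreats.net/2009480; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001863; rev:3;)
# sid 5001802: "|28|" is pipe-delimited hex notation for the "(" character.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Hmap Webserver Fingerprint Scan"; content:"GET"; nocase; content:"HTTP/1.0";  content: "User-Agent"; content: "Mozilla"; content: "4.75 [en] |28|Windows NT 5.0"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.ujeni.murkyroc.com/hmap/; reference:url,doc.emergingthreats.net/2008537; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001802; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Mini MySqlatOr SQL Injection Scanner"; content:"User-Agent"; content: "prog.CustomCrawler"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.scrt.ch/pages_en/minimysqlator.html; reference:url,doc.emergingthreats.net/2008729; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001803; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Default Mysqloit User Agent Detected - Mysql Injection Takover Tool"; content: "User-Agent"; content: "Mysqloit"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,code.google.com/p/mysqloit/; reference:url,doc.emergingthreats.net/2009882; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001804; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Nmap Scripting Engine User-Agent Detected - Nmap NSE"; content: "User-Agent"; content: "Nmap NSE"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2009359; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:web-application-attack; sid:5001805; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Nmap Scripting Engine User-Agent Detected - Nmap Scripting Engine"; content: "User-Agent"; content: "Mozilla/5.0"; content: "Nmap Scripting Engine"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2009358; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:web-application-attack; sid:5001806; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Nessus User Agent"; content:"User-Agent"; nocase; content:"Nessus"; nocase; threshold: type limit, track by_src,count 1, seconds 60; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.nessus.org; reference:url,doc.emergingthreats.net/2002664; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001807; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Nessus User Agent"; content: "User-Agent"; nocase; content: "Nessus"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.nessus.org; reference:url,doc.emergingthreats.net/2002664; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001865; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Netsparker Default User-Agent"; content: "User-Agent"; content: " Netsparker"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.mavitunasecurity.com/communityedition/; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001808; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Nikto Web App Scan in Progress"; content:"User-Agent"; content: "Mozilla/4.75 (Nikto"; threshold: type both, count 5, seconds 60, track by_src; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.cirt.net/code/nikto.shtml; reference:url,doc.emergingthreats.net/2002677; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:web-application-attack; sid:5001809; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Nikto Web App Scan in Progress"; content: "User-Agent"; content: "Nikto"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.cirt.net/code/nikto.shtml; reference:url,doc.emergingthreats.net/2002677; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:web-application-attack; sid:5001866; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Paros Proxy Scanner Detected"; content: "User-Agent"; content: "Paros"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.parosproxy.org; reference:url,doc.emergingthreats.net/2008187; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001810; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] SQL Injection Attempt (Agent uil2pn)"; content: "User-Agent"; content: "uil2pn"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.prevx.com/filenames/89385984947861762-X1/UIL2PN.EXE.html; reference:url,doc.emergingthreats.net/2010215; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:web-application-attack; sid:5001811; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] SQL Power Injector SQL Injection User Agent Detected"; content: "User-Agent"; content: "SQL Power Injector"; content:"Security tool (Make sure it is used with the administrator consent)"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.sqlpowerinjector.com/index.htm; reference:url,en.wikipedia.org/wiki/Sql_injection; reference:url,doc.emergingthreats.net/2009769; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001812; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Sqlmap SQL Injection Scan"; content: "User-Agent"; content: "sqlmap"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,sqlmap.sourceforge.net; reference:url,doc.emergingthreats.net/2008538; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001813; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Skipfish Web Application Scan Detected"; content: "User-Agent"; content: "Mozilla/5.0 SF"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,isc.sans.org/diary.html?storyid=8467; reference:url,code.google.com/p/skipfish/; reference:url,doc.emergingthreats.net/2010953; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001814; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Skipfish Web Application Scan Detected (2)"; content: "GET"; content: ".old"; content: "User-Agent"; content: "Mozilla/5.0 SF/"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,isc.sans.org/diary.html?storyid=8467; reference:url,code.google.com/p/skipfish/; reference:url,doc.emergingthreats.net/2010956; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001815; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Springenwerk XSS Scanner User-Agent Detected"; content:"User-Agent"; content: "Springenwerk"; nocase; reference:url,springenwerk.org/; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2010508; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001816; rev:2;)
# sid 5001817: "bot/" also occurs in the User-Agent of legitimate crawlers; the
# threshold (limit, 3 per source per 300 s) caps alert volume, not the false
# positive rate. NOTE(review): classtype trojan-activity looks broad for this
# match — confirm.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Suspicious User-Agent inbound (bot)"; content: "User-Agent"; content: "bot/"; nocase; threshold: type limit, count 3, seconds 300, track by_src; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/bin/view/Main/2008228; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid:5001817; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Toata Scanner User-Agent Detected"; content: "User-Agent"; content: "Toata dragostea"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,isc.sans.org/diary.html?storyid=5599; reference:url,doc.emergingthreats.net/2009159; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001818; rev:2;)
# sid 5001819: GET, "/manager/html", the Indy Library User-Agent and an
# "Authorization ... Basic" header must all be present in one line, i.e. a
# credentialed request to the Tomcat manager from that client, not a bare probe.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Tomcat Web Application Manager scanning"; content: "GET"; nocase; content: "/manager/html"; nocase; content: "User-Agent"; content: "Mozilla/3.0"; content: "Indy Library)"; content: "Authorization"; content: "Basic"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2010019; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001819; rev:2;)
# sids 5001820-5001822: generic two-word matches ("SQL"+"Inject", "web"+"scan",
# "security"+"scan"), all case-insensitive; the words need not be adjacent.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Suspicious User-Agent Containing SQL Inject/ion, Likely SQL Injection Scanner"; content: "User-Agent"; content: "SQL"; nocase; content: "Inject"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/2010087; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001820; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Suspicious User-Agent Containing Web Scan/er, Likely Web Scanner"; content: "User-Agent"; content: "web"; nocase; content:"scan"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2010088; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001821; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Suspicious User-Agent Containing Security Scan/ner, Likely Scan"; content: "User-Agent"; content: "security"; nocase; content:"scan"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2010089; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001822; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] w3af User Agent"; content: "User-Agent"; content: "w3af.sourceforge.net"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,w3af.sourceforge.net; reference:url,doc.emergingthreats.net/2007757; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001823; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] WSFuzzer Web Application Fuzzing"; content: "/ServiceDefinition"; content: "User-Agent"; content: "Python-urllib"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.owasp.org/index.php/Category%3aOWASP_WSFuzzer_Project; reference:url,doc.emergingthreats.net/2008628; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001824; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Wapiti Web Server Vulnerability Scan"; content: "GET"; content: "?http"; content: "//www.google."; nocase; content: "User-Agent"; content: "Python-httplib2"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,wapiti.sourceforge.net/; reference:url,doc.emergingthreats.net/2008417; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001825; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] WebHack Control Center User-Agent Inbound (WHCC/)"; content: "User-Agent"; content: "WHCC"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.governmentsecurity.org/forum/index.php?showtopic=5112&pid=28561&mode=threaded&start=; reference:url,doc.emergingthreats.net/2003924; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid:5001826; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Open-Proxy ScannerBot (webcollage-UA) "; content:"User-Agent"; content: "webcollage/1.135a"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,stateofsecurity.com/?p=526; reference:url,www.botsvsbrowsers.com/details/214715/index.html; reference:url,doc.emergingthreats.net/2010768; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:bad-unknown; sid:5001827; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] WebShag Web Application Scan Detected"; content: "User-Agent"; content: "webshag"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.scrt.ch/pages_en/outils.html; reference:url,doc.emergingthreats.net/2009158; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001828; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] WhatWeb Web Application Fingerprint Scanner Default User-Agent Detected"; content: "User-Agent"; content: "WhatWeb"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.morningstarsecurity.com/research/whatweb; reference:url,doc.emergingthreats.net/2010960; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001829; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] WITOOL SQL Injection Scan"; content: "union+select"; content: "select+user"; content: "User-Agent"; content: "Mozilla/4.0 (compatible"; content: "MSIE 6.0"; content: "Windows NT 5.0"; content: "MyIE2"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,witool.sourceforge.net/; reference:url,doc.emergingthreats.net/2009833; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001830; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] ZmEu exploit scanner"; content: "User-Agent"; content: "Made by ZmEu"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2010715; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:web-application-attack; sid:5001831; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Possible jBroFuzz Fuzzer Detected"; content: "Host"; content: "localhost"; content:"User-Agent"; content: "Mozilla/5.0 (Windows"; content: "Windows NT 5.1"; content: "en-GB"; content: "Gecko/20061204 Firefox/2.0.0.1"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.owasp.org/index.php/Category%3aOWASP_JBroFuzz; reference:url,doc.emergingthreats.net/2009476; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001832; rev:2;)
# sids 5001833, 5001835, 5001836: the threshold (limit, 1 per source per 60 s)
# collapses a credential-guessing run into one alert per minute per source.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Hydra User-Agent"; content: "User-Agent"; content: "Mozilla/4.0 (Hydra)"; nocase; threshold: type limit, track by_src,count 1, seconds 60; parse_src_ip: 1; parse_dst_ip: 2; reference:url,freeworld.thc.org/thc-hydra; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001833; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Inspathx Path Disclosure Scanner User-Agent Detected"; content: "User-Agent"; content: "inspath [path disclosure finder"; threshold:type limit, count 1, seconds 30, track by_src; parse_src_ip: 1; parse_dst_ip: 2; reference:url,code.google.com/p/inspathx/; reference:url,www.darknet.org.uk/2010/09/inspathx-tool-for-finding-path-disclosure-vulnerabilities/; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001834; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Medusa User-Agent"; content: "User-Agent"; content: "Teh Forest Lobster"; nocase; threshold: type limit, track by_src,count 1, seconds 60; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.foofus.net/~jmk/medusa/medusa.html; xbits: set, recon, 86400;default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001835; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] DotDotPwn User-Agent"; content: "User-Agent"; content: "DotDotPwn"; nocase; threshold:type limit, track by_src,count 1, seconds 60; parse_src_ip: 1; parse_dst_ip: 2; reference:url,dotdotpwn.sectester.net; xbits: set, recon, 86400;default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001836; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Havij SQL Injection Tool User-Agent Inbound"; content: "User-Agent"; content: " Havij"; content: "Connection: "; parse_src_ip: 1; parse_dst_ip: 2; reference:url,itsecteam.com/en/projects/project1.htm; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:web-application-attack; sid:5001838; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] OpenVAS User-Agent Inbound"; content: "User-Agent"; content: "OpenVAS"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,openvas.org; xbits: set, recon, 86400;default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001839; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] ZmEu Scanner User-Agent Inbound"; content: "User-Agent"; content: "ZmEu"; parse_src_ip: 1; parse_dst_ip: 2; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid:5001840; rev:2;)
# sid 5001841: "(internal dummy connection)" is the User-Agent Apache normally
# uses for the requests it sends to itself from localhost; the rule fires only
# when that User-Agent arrives from $EXTERNAL_NET, which is the anomaly.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Internal Dummy Connection User-Agent Inbound"; content: "User-Agent"; content:"(internal dummy connection)"; parse_src_ip: 1; parse_dst_ip: 2; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid:5001841; rev:2;)
# sid 5001842: source is "any" rather than $EXTERNAL_NET, so internal sources
# match too; presumably intentional — confirm.
alert any any any -> $HOME_NET any (msg: "[WEB-ATTACKS] DominoHunter Security Scan in Progress"; content: "User-Agent"; content: "DominoHunter"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,packetstormsecurity.org/files/31653/DominoHunter-0.92.zip.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:web-application-attack; sid:5001842; rev:2;)
# sid 5001843: content: !"Vegas" is a negated match — the line must contain
# "Vega" but not "Vegas".
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Vega Web Application Scan"; content: !"Vegas"; content: "Vega"; content: "User-Agent"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.subgraph.com/products.html; reference:url,www.darknet.org.uk/2011/07/vega-open-source-cross-platform-web-application-security-assessment-platform/; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001843; rev:3;)
# sid 5001844: the only rule in this group that does not also require "User-Agent".
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] FHScan core User-Agent Detect"; content: "FHScan Core "; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.tarasco.org/security/FHScan_Fast_HTTP_Vulnerability_Scanner/index.html; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001844; rev:2;)
# sid 5001845: second w3af User-Agent hostname variant (compare sid 5001823); no reference given.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] w3af User-Agent 2"; content: "User-Agent"; content:"w3af.sf.net"; parse_src_ip: 1; parse_dst_ip: 2; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001845; rev:2;)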

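# --- Requests for well-known application paths and parameters ----------------
# Plain substring matches on the logged request line; none sets nocase, so the
# match is case-sensitive. Only parse_src_ip is set, so no destination IP is
# extracted from the line. Every option is terminated with ";" — sids 5002737
# to 5002748 previously lacked the ";" after their content value, which runs
# the "default_proto:tcp" text into the content option.
#
# sid 5002736: both "index.php?cmd=" and "page=" must appear in the same line.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] RFI Attempt"; content: "index.php?cmd="; content: "page="; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid:5002736; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Possible LFI Attempt"; content:"index.php?system="; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002737; rev:3;)
# sid 5002738: every legitimate WordPress login also requests /wp-login.php, so
# expect this to be noisy on hosts that run WordPress.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Attempt to Access Default WordPress Login Page"; content:"/wp-login.php"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002738; rev:3;)
# NOTE(review): sid 5002739 carries the same content as sid 5002738
# ("/wp-login.php"), so it can never fire without 5002738 also firing and does
# not detect a webshell. The pattern it was meant to carry is not recoverable
# from this file — confirm with the author.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Attempt to Access a Webshell via WordPress"; content:"/wp-login.php"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002739; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Attempt to Access Default Cacti Login Page"; content:"/include/config.php"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002740; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Attempt to Access PHPMyAdmin Changelog Page"; content:"/changelog.php"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002741; rev:3;)
# sid 5002742: robots.txt is requested by every well-behaved crawler; under the
# web-application-attack classtype this will be noisy.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Attempt to Access robots.txt File"; content:"robots.txt"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002742; rev:3;)
# sid 5002743: "|3b|" is pipe-delimited hex for ";", so the match is ";--", a
# statement terminator followed by an SQL line comment.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Possible SQL Injection"; content:"|3b|--"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002743; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Attempt to Access Default Drupal DB Config File"; content:"/sites/default/settings.php"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002744; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Attempt to Access Default Joomla Page"; content:"/configuration.php"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002745; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Attempt to Access PHP Timeclock Page"; content:"/db.php"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002746; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Attempt to Access default DeV!L`s ClanPortal Page"; content:"/inc/mysql.php"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002747; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Attempt to Access IISamples Page"; content:"/iisamples"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002748; rev:3;)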