# sid:2013416 rev:6 - flags GET requests to "//" that carry a libwww-perl-style
# header layout while the User-Agent does not say libwww-perl.
#   flow:established,to_server     client-to-server side of an established TCP session
#   content:"GET //"; depth:6      request must begin with "GET //" (also the fast_pattern)
#   content:"HTTP/1.1|0d 0a|TE..." exact raw byte sequence: TE, then Connection, then "Host: "
#   content:"User-Agent|3a| "      must start within 100 bytes of the previous match
#   content:!"libwww-perl/"        negated match against the http_header buffer
#   pcre /H                        anchored check of the header buffer: TE, Host, User-Agent
#   threshold                      type threshold, per destination: count 10 in 20 seconds
# NOTE(review): the raw content match expects "Connection: TE, close" between TE and
# Host, but the /H pcre expects Host directly after TE and User-Agent as the last
# header. Whether both can match the same request depends on how the engine builds
# the header buffer - confirm against a known-positive capture before relying on it.
# NOTE(review): every positive match is an exact byte string (header values, order,
# spacing), so this is a fingerprint for one client layout, not general scan coverage.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN libwww-perl GET to // with specific HTTP header ordering without libwww-perl User-Agent"; flow:established,to_server; content:"GET //"; fast_pattern; depth:6; content:"HTTP/1.1|0d 0a|TE|3a| deflate,gzip|3b|q=0.3|0d 0a|Connection|3a| TE, close|0d 0a|Host|3a| "; content:"User-Agent|3a| "; within:100; content:!"libwww-perl/"; http_header; pcre:"/^TE\x3a deflate,gzip\x3bq=0\.3\r\nHost\x3a[^\r\n]+\r\nUser-Agent\x3a[^\r\n]+\r\n$/H"; threshold:type threshold, track by_dst, count 10,seconds 20; classtype:attempted-recon; sid:2013416; rev:6;)

Added 2012-04-23 23:04:28 UTC


# sid:2013416 rev:5 - flags GET requests to "//" that carry a libwww-perl-style
# header layout while the http_header buffer does not contain "libwww-perl/".
# The content matches require, in the raw stream: "GET //" in the first 6 bytes,
# then "HTTP/1.1", TE, "Connection: TE, close" and "Host: " as one byte sequence,
# then "User-Agent: " within 100 bytes. The pcre here runs with /m and no buffer
# modifier. Threshold is type threshold, tracked by destination, count 10 in 20 seconds.
# NOTE(review): the pcre starts with \s\/HTTP\/1\.1, i.e. whitespace followed
# immediately by "/HTTP/1.1", which is not the shape of a "GET // HTTP/1.1" request
# line, and it expects Host directly after TE although the content match requires a
# Connection header between them. As written the pcre and the content matches look
# mutually inconsistent, so this revision may never alert - verify with a capture.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN libwww-perl GET to // with specific HTTP header ordering without libwww-perl User-Agent"; flow:established,to_server; content:"GET //"; fast_pattern; depth:6; content:"HTTP/1.1|0d 0a|TE|3a| deflate,gzip|3b|q=0.3|0d 0a|Connection|3a| TE, close|0d 0a|Host|3a| "; content:"User-Agent|3a| "; within:100; content:!"libwww-perl/"; http_header; pcre:"/\s\/HTTP\/1\.1\r\nTE\x3a deflate,gzip\x3bq=0\.3\r\nHost\x3a[^\r\n]+\r\nUser-Agent\x3a[^\r\n]+\r\n\r\n/m"; threshold:type threshold, track by_dst, count 10,seconds 20; classtype:attempted-recon; sid:2013416; rev:5;)

Added 2011-10-12 19:36:48 UTC


# sid:2013416 rev:4 - flags GET requests to "//" that carry a libwww-perl-style
# header layout while the http_header buffer does not contain "libwww-perl/".
# Detection options: "GET //" within the first 6 bytes (fast_pattern), a fixed raw
# sequence of HTTP/1.1 + TE + Connection + "Host: ", "User-Agent: " within 100 bytes,
# and a multi-line pcre over the payload. classtype is listed before the threshold
# option here; the threshold is type threshold, by destination, count 10 in 20 seconds.
# NOTE(review): the pcre requires "/HTTP/1.1" directly after whitespace and Host
# directly after TE, while the content match requires a Connection header between
# TE and Host. The two conditions look inconsistent for a single request, so this
# revision may never alert - confirm against a known-positive capture.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN libwww-perl GET to // with specific HTTP header ordering without libwww-perl User-Agent"; flow:established,to_server; content:"GET //"; fast_pattern; depth:6; content:"HTTP/1.1|0d 0a|TE|3a| deflate,gzip|3b|q=0.3|0d 0a|Connection|3a| TE, close|0d 0a|Host|3a| "; content:"User-Agent|3a| "; within:100; content:!"libwww-perl/"; http_header; pcre:"/\s\/HTTP\/1\.1\r\nTE\x3a deflate,gzip\x3bq=0\.3\r\nHost\x3a[^\r\n]+\r\nUser-Agent\x3a[^\r\n]+\r\n\r\n/m"; classtype:attempted-recon; threshold:type threshold, track by_dst, count 10,seconds 20; sid:2013416; rev:4;)

Added 2011-08-16 21:06:24 UTC

