github.com/spg/deis@v1.7.3/router/firewall/scanner.rules (about) 1 2 ########################################################################## 3 # 4 # doxi_rulesets - rules fo nginx+naxsi 5 # desc : SCAN 6 # file : scanner.rules 7 # created : 2014-09-28 - 12:29 8 # by : nginx-goodies 9 # download : https://bitbucket.org/lazy_dogtown/doxi-rules 10 # 11 ########################################################################### 12 13 # 14 # sid: 42000395 | date: 2014-09-25 - 17:03 15 # 16 # https://gist.github.com/anonymous/929d622f3b36b00c0be1 17 # https://www.virustotal.com/en/file/73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489/analysis/1411634118/ 18 # 19 MainRule "str:thanks-rob" "msg:Bash0day - Scan-Attempt" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000395 ; 20 21 22 # 23 # sid: 42000394 | date: 2014-09-25 - 10:27 24 # 25 # http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html 26 # 27 MainRule "str:shellshock-scan" "msg:Shellshock-Masscan by Erratasec" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000394 ; 28 29 30 # 31 # sid: 42000390 | date: 2014-09-23 - 20:50 32 # 33 # https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play 34 # 35 MainRule "str:/gatedesc.xml" "msg:UPNP-Scan" "mz:URL" "s:$UWA:8" id:42000390 ; 36 37 38 # 39 # sid: 42000389 | date: 2014-09-23 - 20:49 40 # 41 # http://en.wikipedia.org/wiki/Proxy_auto-config 42 # 43 MainRule "str:wpad.dat" "msg:Open Proxy-Autoconfig-Scan" "mz:URL" "s:$UWA:8" id:42000389 ; 44 45 46 # 47 # sid: 42000388 | date: 2014-09-23 - 20:49 48 # 49 # http://en.wikipedia.org/wiki/Proxy_auto-config 50 # https://isc.sans.edu/forums/diary/Web+Scan+looking+for+infowhitelistpac/18675 51 # 52 MainRule "str:proxy.pac" "msg:Open Proxy-Autoconfig-Scan" "mz:URL" "s:$UWA:8" id:42000388 ; 53 54 55 # 56 # sid: 42000387 | date: 2014-09-23 - 20:49 57 # 58 # https://isc.sans.edu/forums/diary/Web+Scan+looking+for+infowhitelistpac/18675 59 # 60 MainRule "str:/whitelist.pac" "msg:Open Proxy-Autoconfig-Scan" "mz:URL" "s:$UWA:8" id:42000387 ; 61 62 63 # 64 # sid: 42000366 | date: 2014-04-24 - 09:57 65 # 66 # 67 # 68 MainRule "str:openvas" "msg:OpenVAS - Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000366 ; 69 70 71 # 72 # sid: 42000365 | date: 2014-04-24 - 09:54 73 # 74 # 75 # 76 MainRule "str:sitelock" "msg:SiteLock Vulnerability Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000365 ; 77 78 79 # 80 # sid: 42000364 | date: 2014-04-24 - 09:54 81 # 82 # 83 # 84 MainRule "str:sucuri" "msg:Sucuri Vulnerability Scaner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000364 ; 85 86 87 # 88 # sid: 42000363 | date: 2014-04-24 - 09:52 89 # 90 # http://www.botopedia.org/index.php?option=com_k2&view=item&id=350:scanalert-bot 91 # 92 MainRule "str:scanalert" "msg:ScanAlert Vulnerability Scaner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000363 ; 93 94 95 # 96 # sid: 42000362 | date: 2014-04-24 - 09:46 97 # 98 # 99 # 100 MainRule "str:.bash" "msg:Bash-Profile et al Scan" "mz:URL" "s:$UWA:8" id:42000362 ; 101 102 103 # 104 # sid: 42000361 | date: 2014-04-19 - 17:19 105 # 106 # 107 # 108 MainRule "str:java/" "msg:JAVA-UA, possible Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000361 ; 109 110 111 # 112 # sid: 42000339 | date: 2014-04-07 - 16:28 113 # 114 # 115 # 116 MainRule "str:/wp-content/themes/" "msg:WP-Content Themes-Scan" "mz:URL" "s:$UWA:8" id:42000339 ; 117 118 119 # 120 # sid: 42000338 | date: 2013-12-03 - 00:06 121 # 122 # http://www.reddit.com/r/netsec/comments/1rrftk/optimizepress_wordpress_theme_0day_found_actively/ 123 # http://www.osirt.com/2013/11/wordpress-optimizepress-hack-file-upload-vulnerability/ 124 # 125 MainRule "str:/wp-content/uploads/optpress/" "msg:WP-OptimizePress - Scan" "mz:URL" "s:$UWA:8" id:42000338 ; 126 127 128 # 129 # sid: 42000336 | date: 2013-11-27 - 22:19 130 # 131 # http://www.exploit-db.com/exploits/29859/ 132 # 133 MainRule "str:/login.rol" "msg:Apache Roller-Scan" "mz:URL" "s:$UWA:8" id:42000336 ; 134 135 136 # 137 # sid: 42000328 | date: 2013-10-21 - 09:05 138 # 139 # 140 # 141 MainRule "str:/ip_checkhost.cgi" "msg:GestioIP Remote Code Execution - Scan" "mz:URL" "s:$UWA:8" id:42000328 ; 142 143 144 # 145 # sid: 42000326 | date: 2014-03-19 - 01:52 146 # 147 # https://github.com/robertdavidgraham/masscan 148 # http://blog.erratasec.com/search/label/masscan 149 # http://blog.erratasec.com/2013/09/masscan-entire-internet-in-3-minutes.html 150 # 151 MainRule "str:masscan/" "msg:MASSCAN - UA Detected" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000326 ; 152 153 154 # 155 # sid: 42000323 | date: 2013-10-12 - 00:21 156 # 157 # http://www.vbulletin.org/forum/showthread.php?p=2443431 158 # 159 MainRule "str:/core/install/" "msg:vBulletinBoard-Scan " "mz:URL" "s:$UWA:8" id:42000323 ; 160 161 162 # 163 # sid: 42000319 | date: 2013-10-04 - 21:26 164 # 165 # http://localhost.re/p/whmcs-527-vulnerability 166 # 167 MainRule "str:/register.php" "msg:Possible WHMCS - Scan" "mz:URL" "s:$UWA:8" id:42000319 ; 168 169 170 # 171 # sid: 42000317 | date: 2013-09-27 - 16:11 172 # 173 # http://pastebin.com/NP64hTQr 174 # http://blog.initiative-s.de/2013/09/kompromitierte-wordpress-blogs-werden-fuer-ddos-attacken-genutzt/ 175 # 176 MainRule "str:wordpress/" "msg:Wordpress-UA, probably Botnet-Attack" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000317 ; 177 178 179 # 180 # sid: 42000316 | date: 2013-09-20 - 21:07 181 # 182 # http://isc.sans.edu/diary/Arrays+in+requests%2C+PHP+and+DedeCMS/16625 183 # 184 MainRule "str:winhttprequest" "msg:WinHttpRequest - UA" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000316 ; 185 186 187 188 # 189 # sid: 42000312 | date: 2013-09-04 - 20:44 190 # 191 # 192 # 193 MainRule "str:havij" "msg:Havij-SQL_scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000312 ; 194 195 196 # 197 # sid: 42000311 | date: 2013-09-04 - 20:41 198 # 199 # http://superuser.com/questions/146133/what-is-apache-synapse 200 # 201 MainRule "str:synapse" "msg:poss. malicious Scanner using Fake UA Apache/Synapse" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000311 ; 202 203 204 # 205 # sid: 42000310 | date: 2013-08-23 - 21:56 206 # 207 # et: from the list aug 23 2013 208 # 209 MainRule "str:http://http://" "msg:Abnormal double http:// in HTTP header," "mz:HEADERS" "s:$UWA:8" id:42000310 ; 210 211 212 # 213 # sid: 42000309 | date: 2013-08-22 - 15:46 214 # 215 # 216 # 217 MainRule "rx:^/http" "msg:Misformed Proxy-Scan" "mz:URL" "s:$UWA:8" id:42000309 ; 218 219 220 # 221 # sid: 42000307 | date: 2013-08-13 - 23:30 222 # 223 # inspired by http://ceriksen.com/2013/01/12/wordpress-floating-social-media-link-plugins-remote-file-inclusion/ 224 # 225 MainRule "str:/wp-content/plugins/" "msg:WP-Contents/Plugins Access" "mz:URL" "s:$UWA:8" id:42000307 ; 226 227 228 # 229 # sid: 42000306 | date: 2013-08-11 - 10:37 230 # 231 # http://stateofsecurity.com/?p=467 232 # 233 MainRule "str:/soapcaller.bs" "msg:Morfeus - F*cking-Scanner " "mz:URL" "s:$UWA:8" id:42000306 ; 234 235 236 # 237 # sid: 42000305 | date: 2013-08-09 - 09:03 238 # 239 # http://www.sourcesec.com/Lab/dlink_hnap_captcha.pdf 240 # 241 MainRule "str:/hnap1/" "msg:Possible HNAP-Exploit-Attempt" "mz:URL" "s:$UWA:8" id:42000305 ; 242 243 244 # 245 # sid: 42000304 | date: 2013-08-05 - 15:33 246 # 247 # http://www.botsvsbrowsers.com/details/515320/index.html 248 # http://www.spambotsecurity.com/forum/viewtopic.php?f=9&t=814 249 # 250 MainRule "str:windows-live-social-object-extractor-engine" "msg:Spambot Windows-Live-Social-Object-Extractor-Engine" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000304 ; 251 252 253 # 254 # sid: 42000300 | date: 2013-08-04 - 22:38 255 # 256 # 257 # 258 MainRule "str:exec%20master%2e%2esp%5fconfigure" "msg:SQLNinja Attempt To Recreate xp_cmdshell Using sp_configure" "mz:URL|BODY|ARGS" "s:$UWA:8" id:42000300 ; 259 260 261 # 262 # sid: 42000273 | date: 2013-07-12 - 13:05 263 # 264 # et: https://lists.emergingthreats.net/pipermail/emerging-sigs/2013-July/022356.html 265 # 266 MainRule "str:/arachni" "msg:Arachni Web Scan (URL)" "mz:URL" "s:$ATTACK:8" id:42000273 ; 267 268 269 # 270 # sid: 42000272 | date: 2013-07-12 - 12:55 271 # 272 # et: 2014869 273 # 274 MainRule "str:arachni" "msg:Arachni Scanner Web Scan (UA)" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000272 ; 275 276 277 # 278 # sid: 42000266 | date: 2013-06-10 - 13:50 279 # 280 # 281 # 282 MainRule "str:.idea/workspace.xml" "msg:IDE - workspace.xml - Scan" "mz:URL" "s:$UWA:8" id:42000266 ; 283 284 285 # 286 # sid: 42000258 | date: 2013-02-23 - 11:25 287 # 288 # et 2015703 289 # 290 MainRule "str:brutus/" "msg:Brutus - Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000258 ; 291 292 293 # 294 # sid: 42000256 | date: 2013-02-23 - 11:11 295 # 296 # et 2002667 297 # 298 MainRule "str:/sumthin" "msg:Sumthin Scan" "mz:URL" "s:$UWA:8" id:42000256 ; 299 300 301 # 302 # sid: 42000255 | date: 2013-02-23 - 11:10 303 # 304 # et 2010720 305 # 306 MainRule "str:/thisdoesnotexist" "msg:PHP Scan Precursor" "mz:URL" "s:$ATTACK:8" id:42000255 ; 307 308 309 # 310 # sid: 42000251 | date: 2013-02-23 - 11:02 311 # 312 # et: 2009029 313 # 314 MainRule "str:nv32ts" "msg:SQL-Injection-Scanner NV32ts" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000251 ; 315 316 317 # 318 # sid: 42000249 | date: 2013-02-23 - 10:31 319 # 320 # et 2003616 321 # 322 MainRule "str:datacha0s" "msg:Webserver-Scanner DataCha0s" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000249 ; 323 324 325 # 326 # sid: 42000248 | date: 2013-02-23 - 10:26 327 # 328 # et: 2011174 329 # 330 MainRule "str:czxt2s" "msg:SQL-Injection Scanner CZxt2s" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000248 ; 331 332 333 334 335 # 336 # sid: 42000241 | date: 2013-02-08 - 12:21 337 # 338 # 339 # 340 MainRule "str:/mysqldumper " "msg:MysqlDumper - Scanner " "mz:URL" "s:$UWA:8" id:42000241 ; 341 342 343 # 344 # sid: 42000240 | date: 2013-01-27 - 16:24 345 # 346 # 347 # 348 MainRule "str:apachebench" "msg:AB - ApacheBenchmark-Tool detected" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:4" id:42000240 ; 349 350 351 # 352 # sid: 42000238 | date: 2013-01-19 - 17:56 353 # 354 # 355 # 356 MainRule "str:sqlspider" "msg:NMAP SQLSpider-Scan" "mz:URL|ARGS|$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000238 ; 357 358 359 # 360 # sid: 42000227 | date: 2013-01-03 - 20:32 361 # 362 # 363 # 364 MainRule "str:zmeu" "msg:Scanner ZmEu exploit scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000227 ; 365 366 367 # 368 # sid: 42000226 | date: 2013-01-03 - 20:32 369 # 370 # 371 # 372 MainRule "str:mozilla/4.0 (compatible; msie 6.0; windows nt 5.0; myie2" "msg:Scanner WITOOL SQL Injection Scan" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000226 ; 373 374 375 # 376 # sid: 42000225 | date: 2013-01-03 - 20:30 377 # 378 # 379 # 380 MainRule "str:/actsensepostnottherenonotive" "msg:Wikto Backend Data Miner Scan" "mz:URL" "s:$UWA:8" id:42000225 ; 381 382 383 # 384 # sid: 42000224 | date: 2013-01-03 - 20:30 385 # 386 # 387 # 388 MainRule "str:/.adsensepostnottherenonobook" "msg:Scanner Wikto Scan" "mz:URL" "s:$UWA:8" id:42000224 ; 389 390 391 # 392 # sid: 42000223 | date: 2013-01-03 - 20:29 393 # 394 # 395 # 396 MainRule "str:webshag" "msg:Scanner WebShag Web Application Scan" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000223 ; 397 398 399 # 400 # sid: 42000222 | date: 2013-01-03 - 20:29 401 # 402 # 403 # 404 MainRule "str:webcollage" "msg:Open-Proxy ScannerBot (webcollage-UA) " "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000222 ; 405 406 407 # 408 # sid: 42000221 | date: 2013-01-03 - 20:28 409 # 410 # 411 # 412 MainRule "str:python-httplib" "msg:Scanner Python-httplib" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:4" id:42000221 ; 413 414 415 # 416 # sid: 42000220 | date: 2013-01-03 - 20:28 417 # 418 # 419 # 420 MainRule "str:whcc/" "msg:Scanner WebHack Control Center" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000220 ; 421 422 423 # 424 # sid: 42000218 | date: 2013-01-03 - 20:26 425 # 426 # 427 # 428 MainRule "str:/<invalid>hello.html" "msg:Scanner WafWoof Web Application Firewall Detection Scan" "mz:URL" "s:$UWA:8" id:42000218 ; 429 430 431 # 432 # sid: 42000217 | date: 2013-01-03 - 20:24 433 # 434 # 435 # 436 MainRule "str:/manager/html/upload" "msg:Tomcat upload from external source" "mz:URL" "s:$UWA:8" id:42000217 ; 437 438 439 # 440 # sid: 42000209 | date: 2013-01-03 - 20:00 441 # 442 # 443 # 444 MainRule "str:dragostea" "msg:Scanner Toata Scanner User-Agent Detected" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000209 ; 445 446 447 # 448 # sid: 42000208 | date: 2013-01-03 - 19:57 449 # 450 # 451 # 452 MainRule "str:sundayddr" "msg:Scanner Sipvicious" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000208 ; 453 454 455 # 456 # sid: 42000207 | date: 2013-01-03 - 19:56 457 # 458 # 459 # 460 MainRule "str:friendly-scanner" "msg:Scanner Sipvicious User-Agent Detected" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000207 ; 461 462 463 # 464 # sid: 42000206 | date: 2013-01-03 - 19:56 465 # 466 # 467 # 468 MainRule "str:sql power injector" "msg:Scanner SQL Power Injector SQL Injection" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000206 ; 469 470 471 # 472 # sid: 42000205 | date: 2013-01-03 - 19:55 473 # 474 # 475 # 476 MainRule "str:uil2pn" "msg:Scanner SQL Injection Attempt (Agent uil2pn)" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000205 ; 477 478 479 # 480 # sid: 42000204 | date: 2013-01-03 - 19:54 481 # 482 # 483 # 484 MainRule "str:pavuk" "msg:Scanner Pavuk - Website Mirroring Tool for Off-line Analysis" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:4" id:42000204 ; 485 486 487 # 488 # sid: 42000203 | date: 2013-01-03 - 19:53 489 # 490 # 491 # 492 MainRule "str:paros/" "msg:Scanner Paros Proxy Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000203 ; 493 494 495 # 496 # sid: 42000202 | date: 2013-01-03 - 19:34 497 # 498 # 499 # 500 MainRule "str:/netsparker" "msg:Netsparker-Scan in Progress" "mz:URL" "s:$UWA:8" id:42000202 ; 501 502 503 # 504 # sid: 42000201 | date: 2013-01-03 - 19:34 505 # 506 # 507 # 508 MainRule "str:netsparker" "msg:Scanner Netsparker" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000201 ; 509 510 511 # 512 # sid: 42000200 | date: 2013-01-03 - 19:33 513 # 514 # 515 # 516 MainRule "str:mysqloit" "msg:Scanner Mysqloit - Mysql Injection Takover Tool" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000200 ; 517 518 519 # 520 # sid: 42000199 | date: 2013-01-03 - 19:32 521 # 522 # 523 # 524 MainRule "str:prog.customcrawler" "msg:Scanner Mini MySqlatOr SQL Injection" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000199 ; 525 526 527 # 528 # sid: 42000198 | date: 2013-01-03 - 19:31 529 # 530 # 531 # 532 MainRule "str:network-services-auditor" "msg:Scanner IBM NSA User Agent" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000198 ; 533 534 535 # 536 # sid: 42000197 | date: 2013-01-03 - 19:30 537 # 538 # 539 # 540 MainRule "str:/etc/passwd?format=" "msg:Scanner Httprecon Web Server Fingerprint Scan" "mz:URL" "s:$UWA:8" id:42000197 ; 541 542 543 # 544 # sid: 42000196 | date: 2013-01-03 - 19:28 545 # 546 # 547 # 548 MainRule "str:mozilla/5.0 (compatible; grendel-scan" "msg:Scanner Grendel Web Scan" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000196 ; 549 550 551 # 552 # sid: 42000194 | date: 2013-01-03 - 19:26 553 # 554 # 555 # 556 MainRule "str:dav.pm" "msg:Scanner DavTest WebDav Vulnerability Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000194 ; 557 558 559 # 560 # sid: 42000193 | date: 2013-01-03 - 19:18 561 # 562 # 563 # 564 MainRule "str:crimscanner" "msg:Scanner crimscanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000193 ; 565 566 567 # 568 # sid: 42000192 | date: 2013-01-03 - 19:18 569 # 570 # 571 # 572 MainRule "str:cisco-torch" "msg:Scanner Cisco-torch" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000192 ; 573 574 575 # 576 # sid: 42000191 | date: 2013-01-03 - 19:14 577 # 578 # 579 # 580 MainRule "str:bsqlbf" "msg:Scanner bsqlbf Brute Force SQL Injection" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000191 ; 581 582 583 # 584 # sid: 42000190 | date: 2013-01-03 - 19:09 585 # 586 # 587 # 588 MainRule "str:autogetcolumn" "msg:Scanner AutoGetColumn" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000190 ; 589 590 591 # 592 # sid: 42000189 | date: 2013-01-03 - 19:07 593 # 594 # 595 # 596 MainRule "str:/appscan_fingerprint" "msg:Scanner Watchfire AppScan Web App Vulnerability Scanner" "mz:URL" "s:$UWA:8" id:42000189 ; 597 598 599 # 600 # sid: 42000188 | date: 2014-04-24 - 09:41 601 # 602 # 603 # 604 MainRule "str:/acunetix" "msg:Acunetix-Scanner detected" "mz:URL" "s:$UWA:8" id:42000188 ; 605 606 607 # 608 # sid: 42000187 | date: 2013-01-03 - 18:47 609 # 610 # 611 # 612 MainRule "str:absinthe" "msg:Scanner Absinthe" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000187 ; 613 614 615 # 616 # sid: 42000186 | date: 2013-01-03 - 18:04 617 # 618 # 619 # 620 MainRule "str:\." "msg:Scanner / Broken UserAgent " "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000186 ; 621 622 623 # 624 # sid: 42000185 | date: 2013-01-03 - 18:02 625 # 626 # 627 # 628 MainRule "str:t34mh4k" "msg:Scanner t34mh4k" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000185 ; 629 630 631 # 632 # sid: 42000184 | date: 2013-01-03 - 18:01 633 # 634 # 635 # 636 MainRule "str:searchbot admin@google" "msg:Scanner Fake GoogleBot" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000184 ; 637 638 639 # 640 # sid: 42000183 | date: 2013-01-03 - 18:00 641 # 642 # 643 # 644 MainRule "str:neuralbot" "msg:Scanner neuralbot" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000183 ; 645 646 647 # 648 # sid: 42000182 | date: 2013-01-03 - 17:57 649 # 650 # 651 # 652 MainRule "str:gameboy" "msg:Scanner gameboy" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000182 ; 653 654 655 # 656 # sid: 42000181 | date: 2013-01-03 - 17:56 657 # 658 # 659 # 660 MainRule "str:webster pro" "msg:Scanner webster pro" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000181 ; 661 662 663 # 664 # sid: 42000180 | date: 2013-01-03 - 17:56 665 # 666 # 667 # 668 MainRule "str:picscout" "msg:Scanner picscout" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000180 ; 669 670 671 # 672 # sid: 42000179 | date: 2013-01-03 - 17:47 673 # 674 # 675 # 676 MainRule "str:digimarc webreader" "msg:Scanner digimarc webreader" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000179 ; 677 678 679 # 680 # sid: 42000178 | date: 2013-01-03 - 17:45 681 # 682 # 683 # 684 MainRule "str:w3af" "msg:Scanner w3af" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000178 ; 685 686 687 # 688 # sid: 42000177 | date: 2013-01-03 - 17:45 689 # 690 # 691 # 692 MainRule "str:n-stealth" "msg:Scanner n-stealth" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000177 ; 693 694 695 # 696 # sid: 42000176 | date: 2013-01-03 - 17:44 697 # 698 # 699 # 700 MainRule "str:chinaclaw" "msg:Scanner chinaclaw" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000176 ; 701 702 703 # 704 # sid: 42000175 | date: 2013-01-03 - 17:44 705 # 706 # 707 # 708 MainRule "str:wordpress hash grabber" "msg:Scanner wordpress hash grabber" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000175 ; 709 710 711 # 712 # sid: 42000174 | date: 2013-01-03 - 17:43 713 # 714 # 715 # 716 MainRule "str:http_get_vars" "msg:PHP-Injetion on UA" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000174 ; 717 718 719 # 720 # sid: 42000173 | date: 2013-01-03 - 17:43 721 # 722 # 723 # 724 MainRule "str:mozilla/5.0 sf" "msg:Scanner SkipFish" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000173 ; 725 726 727 # 728 # sid: 42000172 | date: 2013-01-03 - 17:41 729 # 730 # 731 # 732 MainRule "str:linux mozilla" "msg:Scanner XSSS (probably)" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000172 ; 733 734 735 # 736 # sid: 42000171 | date: 2013-01-03 - 17:39 737 # 738 # 739 # 740 MainRule "str:whisker" "msg:Scanner whisker" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000171 ; 741 742 743 # 744 # sid: 42000170 | date: 2013-01-03 - 17:37 745 # 746 # 747 # 748 MainRule "str:sqlmap" "msg:Scanner sqlmap" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000170 ; 749 750 751 # 752 # sid: 42000169 | date: 2013-01-03 - 17:36 753 # 754 # 755 # 756 MainRule "str:nmap" "msg:Scanner Nmap" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000169 ; 757 758 759 # 760 # sid: 42000167 | date: 2014-04-24 - 09:42 761 # 762 # http://www.webhostingtalk.com/showthread.php?t=627447 763 # 764 MainRule "str:acunetix" "msg:Scanner Acunetix detected" "mz:$HEADERS_VAR:User-Agent|$HEADERS_VAR:Acunetix-Product" "s:$UWA:8" id:42000167 ; 765 766 767 # 768 # sid: 42000166 | date: 2013-01-03 - 17:30 769 # 770 # 771 # 772 MainRule "str:planetwork" "msg:Scanner planetwork" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000166 ; 773 774 775 # 776 # sid: 42000165 | date: 2013-01-03 - 17:30 777 # 778 # 779 # 780 MainRule "str:kmccrew" "msg:Scanner kmccrew" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000165 ; 781 782 783 # 784 # sid: 42000164 | date: 2013-01-03 - 17:30 785 # 786 # 787 # 788 MainRule "str:casper" "msg:Scanner casper" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000164 ; 789 790 791 # 792 # sid: 42000163 | date: 2013-01-03 - 17:29 793 # 794 # 795 # 796 MainRule "str:twengabot" "msg:Scanner twengabot" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000163 ; 797 798 799 # 800 # sid: 42000162 | date: 2013-01-03 - 17:29 801 # 802 # 803 # 804 MainRule "str:autoemailspider" "msg:Scanner autoemailspider" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000162 ; 805 806 807 # 808 # sid: 42000161 | date: 2013-01-03 - 17:27 809 # 810 # 811 # 812 MainRule "str:siphon" "msg:Scanner siphon" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000161 ; 813 814 815 # 816 # sid: 42000160 | date: 2013-01-03 - 17:26 817 # 818 # 819 # 820 MainRule "str:core-project/" "msg:Scanner core-project" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000160 ; 821 822 823 # 824 # sid: 42000159 | date: 2013-01-03 - 17:25 825 # 826 # 827 # 828 MainRule "str:webmole" "msg:Scanner webmole" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000159 ; 829 830 831 # 832 # sid: 42000158 | date: 2013-01-03 - 17:24 833 # 834 # 835 # 836 MainRule "str:webinspect" "msg:Scanner webinspect" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000158 ; 837 838 839 # 840 # sid: 42000157 | date: 2013-01-03 - 17:24 841 # 842 # 843 # 844 MainRule "str:s.t.a.l.k.e.r" "msg:Scanner s.t.a.l.k.e.r" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000157 ; 845 846 847 # 848 # sid: 42000156 | date: 2013-01-03 - 17:24 849 # 850 # 851 # 852 MainRule "str:safexplorer" "msg:Scanner safexplorer" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000156 ; 853 854 855 # 856 # sid: 42000155 | date: 2013-01-03 - 17:23 857 # 858 # 859 # 860 MainRule "str:poe-component-client" "msg:Scanner poe-component-client" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000155 ; 861 862 863 # 864 # sid: 42000154 | date: 2013-01-03 - 17:23 865 # 866 # 867 # 868 MainRule "str:pmafind" "msg:Scanner pmafind" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000154 ; 869 870 871 # 872 # sid: 42000153 | date: 2013-01-03 - 17:23 873 # 874 # 875 # 876 MainRule "str:n-stealth" "msg:Scanner n-stealth" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000153 ; 877 878 879 # 880 # sid: 42000152 | date: 2013-01-03 - 17:23 881 # 882 # 883 # 884 MainRule "str:nsauditor" "msg:Scanner nsauditor" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000152 ; 885 886 887 # 888 # sid: 42000151 | date: 2013-01-03 - 17:22 889 # 890 # 891 # 892 MainRule "str:whatweb" "msg:Scanner whatweb" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000151 ; 893 894 895 # 896 # sid: 42000150 | date: 2013-01-03 - 17:21 897 # 898 # 899 # 900 MainRule "str:.nasl" "msg:Scanner .nasl" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000150 ; 901 902 903 # 904 # sid: 42000149 | date: 2013-01-03 - 17:21 905 # 906 # 907 # 908 MainRule "str:nameofagent" "msg:Scanner nameofagent" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000149 ; 909 910 911 # 912 # sid: 42000148 | date: 2013-01-03 - 17:21 913 # 914 # 915 # 916 MainRule "str:murzillo" "msg:Scanner murzillo" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000148 ; 917 918 919 # 920 # sid: 42000147 | date: 2013-01-03 - 17:20 921 # 922 # 923 # 924 MainRule "str:mosiac" "msg:Scanner mosiac" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000147 ; 925 926 927 # 928 # sid: 42000146 | date: 2013-01-03 - 17:20 929 # 930 # 931 # 932 MainRule "str:morzilla" "msg:Scanner morzilla" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000146 ; 933 934 935 # 936 # sid: 42000145 | date: 2013-01-03 - 17:19 937 # 938 # 939 # 940 MainRule "str:morfeus" "msg:Scanner morfeus" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000145 ; 941 942 943 # 944 # sid: 42000144 | date: 2013-01-03 - 17:19 945 # 946 # 947 # 948 MainRule "str:jaascois" "msg:Scanner jaascois" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000144 ; 949 950 951 # 952 # sid: 42000143 | date: 2013-01-03 - 17:19 953 # 954 # 955 # 956 MainRule "str:internet-exprorer" "msg:Scanner internet-exprorer" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000143 ; 957 958 959 # 960 # sid: 42000142 | date: 2013-01-03 - 17:13 961 # 962 # 963 # 964 MainRule "str:gameboy" "msg:Scanner gameboy" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000142 ; 965 966 967 # 968 # sid: 42000141 | date: 2013-01-03 - 17:12 969 # 970 # 971 # 972 MainRule "str:fantombrowser" "msg:Scanner fantombrowser" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000141 ; 973 974 975 # 976 # sid: 42000140 | date: 2013-01-03 - 17:12 977 # 978 # 979 # 980 MainRule "str:extractor" "msg:Scanner extractor" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000140 ; 981 982 983 # 984 # sid: 42000139 | date: 2013-01-03 - 17:12 985 # 986 # 987 # 988 MainRule "str:exploit" "msg:Scanner exploit" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000139 ; 989 990 991 # 992 # sid: 42000138 | date: 2013-01-03 - 17:11 993 # 994 # 995 # 996 MainRule "str:datacha0s" "msg:Scanner datacha0s" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000138 ; 997 998 999 # 1000 # sid: 42000137 | date: 2013-01-03 - 17:02 1001 # 1002 # 1003 # 1004 MainRule "str:copyrightcheck" "msg:Scanner copyrightcheck" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000137 ; 1005 1006 1007 # 1008 # sid: 42000136 | date: 2013-01-03 - 17:01 1009 # 1010 # 1011 # 1012 MainRule "str:copyguard" "msg:Scanner copyguard" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000136 ; 1013 1014 1015 # 1016 # sid: 42000135 | date: 2013-01-03 - 17:01 1017 # 1018 # 1019 # 1020 MainRule "str:cherrypicker" "msg:Scanner cherrypickernice" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000135 ; 1021 1022 1023 # 1024 # sid: 42000134 | date: 2013-01-03 - 17:00 1025 # 1026 # 1027 # 1028 MainRule "str:cgichk" "msg:Scanner cgichk" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000134 ; 1029 1030 1031 # 1032 # sid: 42000133 | date: 2013-01-03 - 17:00 1033 # 1034 # 1035 # 1036 MainRule "str:bwh3_user_agent" "msg:Scanner bwh3_user_agent" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000133 ; 1037 1038 1039 # 1040 # sid: 42000132 | date: 2013-01-03 - 17:00 1041 # 1042 # 1043 # 1044 MainRule "str:blackwidow" "msg:Scanner blackwidow" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000132 ; 1045 1046 1047 # 1048 # sid: 42000131 | date: 2013-01-03 - 16:59 1049 # 1050 # 1051 # 1052 MainRule "str:bilbo" "msg:Scanner bilbo" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000131 ; 1053 1054 1055 # 1056 # sid: 42000130 | date: 2013-01-03 - 16:59 1057 # 1058 # 1059 # 1060 MainRule "str:backdoor" "msg:Scanner backdoor" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000130 ; 1061 1062 1063 # 1064 # sid: 42000129 | date: 2013-01-03 - 16:59 1065 # 1066 # 1067 # 1068 MainRule "str:atomic_email_hunter" "msg:Scanner atomic_email_hunter" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000129 ; 1069 1070 1071 # 1072 # sid: 42000128 | date: 2013-01-03 - 16:58 1073 # 1074 # 1075 # 1076 MainRule "str:nessus" "msg:Nessus-Scanner detected" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000128 ; 1077 1078 1079 # 1080 # sid: 42000127 | date: 2013-01-03 - 16:57 1081 # 1082 # 1083 # 1084 MainRule "str:amiga-aweb/3.4" "msg:Scanner Amiga-Aweb" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000127 ; 1085 1086 1087 # 1088 # sid: 42000122 | date: 2012-12-21 - 13:59 1089 # 1090 # http://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/ 1091 # http://packetstormsecurity.org/files/view/105240/timthumb-exec.txt 1092 # 1093 MainRule "str:/timthumb.php" "msg:WP Timthumb - Access " "mz:URL" "s:$ATTACK:8" id:42000122 ; 1094 1095 1096 1097 1098 # 1099 # sid: 42000076 | date: 2012-10-20 - 11:26 1100 # 1101 # VTI_BIN is a sharepoint-thingie 1102 # 1103 MainRule "str:/_vti_bin/" "msg:VTI_BIN - Access " "mz:URL" "s:$UWA:8" id:42000076 ; 1104 1105 1106 # 1107 # sid: 42000073 | date: 2012-10-20 - 10:33 1108 # 1109 # 1110 # 1111 MainRule "str:urllib/" "msg:Python-urllib UA, possible Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:4" id:42000073 ; 1112 1113 1114 # 1115 # sid: 42000051 | date: 2012-10-11 - 16:04 1116 # 1117 # 1118 # 1119 MainRule "str:nikto" "msg:Nikto-Scanner UA detected" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8,$UWA:8" id:42000051 ; 1120 1121 1122 # 1123 # sid: 42000046 | date: 2012-10-11 - 15:13 1124 # 1125 # original request: /w00tw00t.at.ISC.SANS.DFind 1126 # http://serverfault.com/questions/125607/dealing-with-http-w00tw00t-attacks 1127 # 1128 MainRule "str:/w00tw00t" "msg:DFind w00tw00t GET-Requests" "mz:URL" "s:$ATTACK:8,$UWA:8" id:42000046 ; 1129 1130 1131 # 1132 # sid: 42000045 | date: 2012-10-11 - 15:09 1133 # 1134 # emerging sid:2009158 1135 # 1136 MainRule "str:webshag" "msg:WebShag Web Application Scan Detected" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8,$UWA:8" id:42000045 ; 1137 1138 1139 # 1140 # sid: 42000044 | date: 2012-10-11 - 14:59 1141 # 1142 # emerging sid:2008617 1143 # 1144 MainRule "str:/.adsensepostnottherenonobook" "msg:Wikto Scan" "mz:URL" "s:$ATTACK:8,$UWA:8" id:42000044 ; 1145 1146 1147 # 1148 # sid: 42000043 | date: 2012-10-11 - 14:59 1149 # 1150 # emerging sid:2010960 1151 # 1152 MainRule "str:whatweb/" "msg:WhatWeb Web Application Fingerprint Scanner Default User-Agent Detected" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:4,$UWA:4" id:42000043 ; 1153 1154 1155 # 1156 # sid: 42000042 | date: 2012-10-11 - 14:58 1157 # 1158 # emerging sid:2010768 1159 # 1160 MainRule "str: webcollage/" "msg:Open-Proxy ScannerBot (webcollage-UA)" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000042 ; 1161 1162 1163 # 1164 # sid: 42000040 | date: 2012-10-11 - 14:55 1165 # 1166 # emerging sid:2009159 1167 # 1168 MainRule "str:toata dragostea" "msg:Toata Scanner User-Agent Detected" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8,$UWA:8" id:42000040 ; 1169 1170 1171 # 1172 # sid: 42000038 | date: 2012-10-11 - 14:53 1173 # 1174 # emerging sid:2010508 1175 # 1176 MainRule "str:springenwerk" "msg:Springenwerk XSS Scanner User-Agent Detected" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8,$UWA:8" id:42000038 ; 1177 1178 1179 # 1180 # sid: 42000037 | date: 2012-10-11 - 14:52 1181 # 1182 # emerging sid:2010953 1183 # 1184 MainRule "str:mozilla/5.0 sf" "msg:kipfish Web Application Scan Detected" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8,$UWA:8" id:42000037 ; 1185 1186 1187 # 1188 # sid: 42000036 | date: 2012-10-11 - 14:47 1189 # 1190 # DirBuster 1191 # 1192 MainRule "str:dirbuster" "msg:DirBuster Web App Scan in Progress" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8,$UWA:8" id:42000036 ; 1193 1194 1195 # 1196 # sid: 42000035 | date: 2012-10-11 - 14:45 1197 # 1198 # emerging sid:2009154 1199 # 1200 MainRule "str:autogetcolumn" "msg:Automated Injection Tool User-Agent (AutoGetColumn)" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:4,$SQL:4,$UWA:4" id:42000035 ; 1201 1202 1203 # 1204 # sid: 42000034 | date: 2012-10-11 - 14:42 1205 # 1206 # emerging 1207 # 1208 MainRule "str:absinthe" "msg:Absinthe SQL Injection Tool HTTP Header Detected" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:4,$SQL:4" id:42000034 ; 1209 1210 1211 # 1212 # sid: 42000031 | date: 2012-10-11 - 14:35 1213 # 1214 # emerging sid:2013115 1215 # 1216 MainRule "str:/muieblackcat" "msg:Muieblackcat scanner" "mz:URL" "s:$ATTACK:8" id:42000031 ; 1217 1218 1219 # 1220 # sid: 42000019 | date: 2012-10-11 - 12:59 1221 # 1222 # emerging sid:2009288 1223 # 1224 MainRule "str:revolt" "msg:Attack Tool Revolt Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8,$UWA:8" id:42000019 ; 1225 1226 1227 # 1228 # sid: 42000014 | date: 2012-10-11 - 12:44 1229 # 1230 # emerging sid:2011286 1231 # eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/ 1232 # 1233 MainRule "str:mama" "msg:Bot Search RFI Scan (Casper-Like MaMa Cyber/ebes)" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000014 ; 1234 1235 1236 # 1237 # sid: 42000013 | date: 2012-10-11 - 12:42 1238 # 1239 # emerging sid:2011285 1240 # eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/ 1241 # 1242 MainRule "str:jcomers bot" "msg:Bot Search RFI Scan (Casper-Like, Jcomers Bot scan)" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000013 ; 1243 1244 1245 # 1246 # sid: 42000012 | date: 2012-10-11 - 12:39 1247 # 1248 # emerging sid:2011244 1249 # eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/ 1250 # 1251 MainRule "str:mozilla/4.76 [ru] (x11; u; sunos 5.7 sun4u)" "msg:Bot Search RFI Scan (ByroeNet/Casper-Like sun4u)" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000012 ; 1252 1253 1254 # 1255 # sid: 42000011 | date: 2012-10-11 - 12:37 1256 # 1257 # emerging sid:2011243# eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/ 1258 # 1259 MainRule "str:planetwork" "msg:Bot Search RFI Scan (ByroeNet/Casper-Like, planetwork" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000011 ; 1260 1261 1262 # 1263 # sid: 42000010 | date: 2012-10-11 - 12:36 1264 # 1265 # emerging sid:2011175# eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/ 1266 # 1267 MainRule "str:casper bot" "msg:Casper Bot Search RFI Scan" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000010 ; 1268 1269 1270 # 1271 # sid: 42000009 | date: 2012-10-11 - 12:34 1272 # 1273 # emerging sid:2009799 1274 # 1275 MainRule "str:m fucking scanner" "msg:PHP Attack Tool Morfeus F Scanner - M" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000009 ; 1276 1277 1278 # 1279 # sid: 42000008 | date: 2012-10-11 - 12:33 1280 # 1281 # emerging sid:2003466 1282 # 1283 MainRule "str:morpheus" "msg:PHP Attack Tool Morfeus F Scanner" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000008 ; 1284 1285