List: emerging-sigs
Subject: [Emerging-Sigs] nmap scripting engine user-agent
From: jonkman () jonkmans ! com (Matt Jonkman)
Date: 2009-05-22 15:38:43
Message-ID: 4A16C703.1040700 () jonkmans ! com
Nice! Posting now. Thanks Jaime.
Matt
Jaime Blasco wrote:
> Hi, some rules to detect nmap scripting engine common user-agents:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB Nmap
> Scripting Engine User-Agent Detected (1)"; flow:to_server,established;
> content:"|0d 0a|User-Agent|3a| Nmap NSE";
> classtype:web-application-attack; sid:; rev:1;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB Nmap
> Scripting Engine User-Agent Detected (2)"; flow:to_server,established;
> content:"|0d 0a|User-Agent|3a| Mozilla/5.0 (compatible|3b| Nmap
> Scripting Engine"; nocase; classtype:web-application-attack; sid:; rev:1;)
>
>
> Regards
> --
> _______________________________
>
> Jaime Blasco
>
> www.ossim.com <http://www.ossim.com>
> www.alienvault.com <http://www.alienvault.com>
> Email: jaime.blasco at alienvault.com <mailto:jaime.blasco at alienvault.com>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
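
Added example, not part of the original thread or of the Emerging Threats ruleset: a Python sketch of the two rules' `content` matches run over constructed HTTP requests, showing that rule (1) is case-sensitive while rule (2) carries `nocase`. The rule labels, function names and sample requests are assumptions made for illustration; the `flow` and port conditions are not modelled.

```python
# Added example: mirrors only the content/nocase options of the two rules above.
CRLF = b"\r\n"

# (label, content bytes, nocase) transcribed from the two rules in the post.
# |0d 0a| is CRLF, |3a| is ":", |3b| is ";". Labels are hypothetical.
RULES = [
    ("NSE User-Agent (1)", CRLF + b"User-Agent: Nmap NSE", False),
    ("NSE User-Agent (2)",
     CRLF + b"User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine", True),
]

def content_match(payload: bytes, content: bytes, nocase: bool) -> bool:
    """Snort-style content test: byte substring, optionally ASCII case-insensitive."""
    if nocase:
        return content.lower() in payload.lower()
    return content in payload

def matching_rules(payload: bytes) -> list:
    """Return the labels of every rule whose content is found in the payload."""
    return [label for label, content, nocase in RULES
            if content_match(payload, content, nocase)]

def build_request(user_agent: str) -> bytes:
    """Constructed sample request; host and path are placeholders."""
    return ("GET / HTTP/1.1\r\nHost: www.example.com\r\n"
            f"User-Agent: {user_agent}\r\nAccept: */*\r\n\r\n").encode("ascii")

# Constructed sample traffic, not captured from a real scan.
SAMPLES = {
    "nse_short": build_request("Nmap NSE"),
    "nse_mozilla": build_request(
        "Mozilla/5.0 (compatible; Nmap Scripting Engine; constructed-sample)"),
    "nse_mozilla_lower": build_request(
        "mozilla/5.0 (compatible; nmap scripting engine)"),
    "nse_short_lower": build_request("nmap nse"),
    "browser": build_request("Mozilla/5.0 (X11; Linux x86_64) Firefox/3.0"),
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(f"{label:18} -> {matching_rules(request) or 'no alert'}")
```

Both signatures key on a client-supplied header, so they identify requests that announce themselves as NSE and say nothing about requests that carry a different User-Agent.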