snort 检测nmap_snort规则之常见web漏洞扫描器

之前工作中搭建开源IDS，架构是suricata+barnyard2+snort规则。跟同事测试写了一些常见web漏洞扫描器的规则，分享出来。很多都是根据UA来识别的，因此比较简单，可能也会有误报。

#Web app scan tools rules

#

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Sqlmap found"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| sqlmap"; classtype:web-application-attack; sid:90000001; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPWebInspect found"; content:"X-Scan-Memo"; classtype:web-application-attack; sid:90000003; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPWebInspect found"; content:"CustomCookie"; classtype:web-application-attack; sid:90000004; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPWebInspect found"; content:"X-WIPP"; classtype:web-application-attack; sid:90000005; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Netsparker found"; content:"netsparker"; classtype:web-application-attack; sid:90000006; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Appscan found"; content:"Appscan"; classtype:web-application-attack; sid:90000007; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Bugscan found"; content:"

XSS@HERE

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Nmap found"; content:"nmap"; classtype:web-application-attack; sid:90000009; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Awvscan found"; flow:to_server; content:"acunetix"; classtype:web-application-attack; sid:90000010; rev:11;)

#Web vul rules

#

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; content:"%20and%201=1"; classtype:web-application-attack; sid:80000001; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found "; content:"%20and%201=2"; classtype:web-application-attack; sid:80000002; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; content:"union/**/"; classtype:

本文来自互联网用户投稿，文章观点仅代表作者本人，不代表本站立场，不承担相关法律责任。如若转载，请注明出处。 如若内容造成侵权/违法违规/事实不符，请点击【内容举报】进行投诉反馈！