Snort mailing list archives
Multiple recon sigs
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Fri, 27 Apr 2018 15:36:36 +0000
Hi, I'm not sure if these signatures qualify for submission, but I am posting them anyway just in case someone finds them useful. The pcaps for the MikroTik Winbox are available, and an AppID detector will be posted to the appid list.

# Date: 2018-04-22
# Title: Drupal Web Server Recon
# Reference: https://twitter.com/GreyNoiseIO/status/980867618075758593
# Tests: Live Traffic
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Drupal web server recon attempt"; flow:to_server,established; content:"/RELEASE-NOTES.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,twitter.com/GreyNoiseIO/status/980867618075758593; classtype:attempted-recon; sid:8000014; rev:1;)

# --------------------
# Date: 2018-04-22
# Title: MikroTik Winbox App/Protocol Connection
# Reference: Research
alert tcp $EXTERNAL_NET any -> $HOME_NET 8291 (msg:"SERVER-OTHER MikroTik Winbox recon attempt"; flow:to_server,established; content:"|00 00 21 04 6C 69 73 74 00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-recon; sid:8000015; rev:1;)

# --------------------
# Date: 2018-04-27
# Title: Scanning for TemperatureGuard IP-enabled thermostats
# Reference: https://twitter.com/GreyNoiseIO/status/989750700346261505
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TemperatureGuard configuration access attempt"; flow:to_server,established; content:"/secure/ltx_conf.htm"; fast_pattern:only; http_uri; metadata:ruleset community; reference:url,twitter.com/GreyNoiseIO/status/989750700346261505; reference:url,www.temperatureguard.com/Documentation/Manuals/M305-M306%20Getting%20Started.pdf; classtype:attempted-recon; sid:8000017; rev:1;)

# --------------------
# Date: 2018-04-27
# Title: Scanning for Dahua IP Camera configuration
# Reference: https://twitter.com/GreyNoiseIO/status/989749601694445574
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dahua IP Camera configuration access attempt"; flow:to_server,established; content:"/current_config/passwd"; fast_pattern:only; http_uri; metadata:ruleset community; reference:url,twitter.com/GreyNoiseIO/status/989749601694445574; reference:url,gist.github.com/avelardi/1338d9d7be0344ab7f4280618930cd0d; classtype:attempted-recon; sid:8000018; rev:1;)

Thanks.
YM
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset; make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads