
Added content negation to nessus user agent rule to prevent firing on…

… visits by users to www.nessus.org.  This will still fire on visits to the first level domain nessus.org since it is used in some user-agent headers by the scanner.  Below is a list of observed user-agent headers:

"NESSUS::SOAP"
"Nessus/61101"
"Nessus SOAP v0.0.1 (Nessus.org)"
"Nessus"
Cyber Tao Flow
Cyber Tao Flow committed Aug 30, 2017
1 parent 37d8921 commit 9cfac7b8ab9f665baf624c813449ce6a67659991
Showing with 1 addition and 1 deletion.
  1. +1 −1 web-attack.rules
@@ -55,7 +55,7 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Default Mysqlo
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Nmap Scripting Engine User-Agent Detected - Nmap NSE"; content: "User-Agent"; content: "Nmap NSE"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2009359; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:web-application-attack; sid:5001805; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Nmap Scripting Engine User-Agent Detected - Nmap Scripting Engine"; content: "User-Agent"; content: "Mozilla/5.0"; content: "Nmap Scripting Engine"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2009358; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:web-application-attack; sid:5001806; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Nessus User Agent"; content:"User-Agent"; nocase; content:"Nessus"; nocase; threshold: type limit, track by_src,count 1, seconds 60; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.nessus.org; reference:url,doc.emergingthreats.net/2002664; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001807; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Nessus User Agent"; content: "User-Agent"; nocase; content: "Nessus"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.nessus.org; reference:url,doc.emergingthreats.net/2002664; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001865; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Nessus User Agent"; content: "User-Agent"; nocase; content: "Nessus"; nocase; content: !"www.nessus.org"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.nessus.org; reference:url,doc.emergingthreats.net/2002664; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001865; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Netsparker Default User-Agent"; content: "User-Agent"; content: " Netsparker"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.mavitunasecurity.com/communityedition/; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001808; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Nikto Web App Scan in Progress"; content:"User-Agent"; content: "Mozilla/4.75 (Nikto"; threshold: type both, count 5, seconds 60, track by_src; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.cirt.net/code/nikto.shtml; reference:url,doc.emergingthreats.net/2002677; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:web-application-attack; sid:5001809; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Nikto Web App Scan in Progress"; content: "User-Agent"; content: "Nikto"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.cirt.net/code/nikto.shtml; reference:url,doc.emergingthreats.net/2002677; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:web-application-attack; sid:5001866; rev:2;)
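Review bot: the new negation `content: !"www.nessus.org"; nocase;` on the sid:5001865 line is not tied to the User-Agent value, and neither is the existing `content: "Nessus"`; the three content matches are independent, so the rule fires whenever "User-Agent" and "Nessus" both appear anywhere in the logged request (which is why browsing to www.nessus.org matched in the first place), and it is now suppressed whenever the literal `www.nessus.org` appears anywhere in that same request, for example in a Referer or Host field, even when the User-Agent is one of the scanner strings listed in the commit message. If the engine supports relative or header-scoped matching (Suricata-style `distance`/`within` or `http_user_agent`), constraining both `"Nessus"` and the negation to the User-Agent value would give the change the precision the message describes; if it does not, a comment on the rule line noting that the suppression is request-wide would help the next maintainer. The bare `Nessus.org` seen in `Nessus SOAP v0.0.1 (Nessus.org)` is deliberately left matching, as the message says, so visits to the apex domain will still alert; that trade-off is also worth recording in a rule comment. Keeping sid 5001865 and bumping rev from 2 to 3 is correct for an in-place edit.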
