From eb3e926a27a51516e919dedcc97f498f0e2032ee Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud Date: Wed, 19 Nov 2025 15:14:26 +0100 Subject: [PATCH 1/8] [New Rule] Web Server Unusual User Agent Request --- ...ssance_web_server_unusual_user_agents.toml | 126 ++++++++++++++++++ 1 file changed, 126 insertions(+) create mode 100644 rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml b/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml new file mode 100644 index 00000000000..e7e9268fd92 --- /dev/null +++ b/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml @@ -0,0 +1,126 @@ +[metadata] +creation_date = "2025/11/19" +integration = ["nginx", "apache", "apache_tomcat", "iis", "network_traffic"] +maturity = "production" +updated_date = "2025/11/19" + +[rule] +author = ["Elastic"] +description = """ +This rule detects unusual spikes in web server requests with uncommon or suspicious user-agent strings. Such activity may +indicate reconnaissance attempts by attackers trying to identify vulnerabilities in web applications or servers. These +user-agents are often associated with automated tools used for scanning, vulnerability assessment, or brute-force attacks. +""" +from = "now-61m" +interval = "1h" +language = "esql" +license = "Elastic License v2" +name = "Web Server Unusual User Agent Request" +risk_score = 21 +rule_id = "a1b7ffa4-bf80-4bf1-86ad-c3f4dc718b35" +severity = "low" +tags = [ + "Domain Scope: Single", + "Domain: Web", + "OS: Linux", + "OS: macOS", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Reconnaissance", + "Tactic: Credential Access", + "Data Source: Network Packet Capture", + "Data Source: Nginx", + "Data Source: Apache", + "Data Source: Apache Tomcat", + "Data Source: IIS", +] +timestamp_override = "event.ingested" +type = "esql" +query = ''' +from + logs-network_traffic.http-*, + logs-network_traffic.tls-*, + logs-nginx.access-*, + logs-apache.access-*, + logs-apache_tomcat.access-*, + logs-iis.access-* +| where + @timestamp > now() - 1 hours and + ( + user_agent.original like "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36" or // Nikto + user_agent.original like "nikto*" or // Nikto + user_agent.original like "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)" or // Nessus + user_agent.original like "sqlmap/*" or // SQLMap + user_agent.original like "WPScan *" or // WPScan + user_agent.original like "feroxbuster/*" or // Feroxbuster + user_agent.original like "masscan*" or // Masscan & masscan-ng + user_agent.original like "Fuzz*" or // Ffuf + user_agent.original like "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/user_agent.original like~ 87.0.4280.88 Safari/537.36" or // Dirsearch + user_agent.original like "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" or // Dirb + user_agent.original like "DirBuster*" or // Dirbuster + user_agent.original like "gobuster/*" or // Gobuster + user_agent.original like "*nmap*" or // Nmap Scripting Engine + user_agent.original like "*hydra*" // Hydra Brute Forcer + ) +| keep + @timestamp, + event.dataset, + user_agent.original, + url.path, + source.ip, + agent.id, + host.name +| stats + Esql.event_count = count(), + Esql.url_path_count_distinct = count_distinct(url.path), + Esql.host_name_values = values(host.name), + Esql.agent_id_values = values(agent.id), + Esql.url_path_values = values(url.path), + Esql.user_agent_original_values = values(user_agent.original), + Esql.event_dataset_values = values(event.dataset) + by source.ip +| where + Esql.event_count > 50 and Esql.url_path_count_distinct > 10 +| limit 100 +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1595" +name = "Active Scanning" +reference = "https://attack.mitre.org/techniques/T1595/" + +[[rule.threat.technique.subtechnique]] +id = "T1595.001" +name = "Scanning IP Blocks" +reference = "https://attack.mitre.org/techniques/T1595/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1595.002" +name = "Vulnerability Scanning" +reference = "https://attack.mitre.org/techniques/T1595/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1595.003" +name = "Wordlist Scanning" +reference = "https://attack.mitre.org/techniques/T1595/003/" + +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1110" +name = "Brute Force" +reference = "https://attack.mitre.org/techniques/T1110/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" From 1683a4cf64e60c57b8e4649337d0b4b8157ca00c Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud Date: Wed, 19 Nov 2025 15:15:07 +0100 Subject: [PATCH 2/8] [New Rule] Web Server Suspicious User Agent Request Spike --- .../reconnaissance_web_server_unusual_user_agents.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml b/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml index e7e9268fd92..375c36bf698 100644 --- a/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml +++ b/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml @@ -15,7 +15,7 @@ from = "now-61m" interval = "1h" language = "esql" license = "Elastic License v2" -name = "Web Server Unusual User Agent Request" +name = "Web Server Suspicious User Agent Request Spike" risk_score = 21 rule_id = "a1b7ffa4-bf80-4bf1-86ad-c3f4dc718b35" severity = "low" From 38c85839264f8361ff86c375c9cafbbd4eaa643c Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Wed, 19 Nov 2025 15:41:36 +0100 Subject: [PATCH 3/8] Update reconnaissance_web_server_unusual_user_agents.toml --- ...connaissance_web_server_unusual_user_agents.toml | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml b/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml index 375c36bf698..90293af31aa 100644 --- a/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml +++ b/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml @@ -22,6 +22,7 @@ severity = "low" tags = [ "Domain Scope: Single", "Domain: Web", + "Domain: Network", "OS: Linux", "OS: macOS", "OS: Windows", @@ -45,7 +46,8 @@ from logs-apache_tomcat.access-*, logs-iis.access-* | where - @timestamp > now() - 1 hours and + @timestamp > now() - 1 hours and + (url.original is not null or url.full is not null) and ( user_agent.original like "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36" or // Nikto user_agent.original like "nikto*" or // Nikto @@ -62,6 +64,10 @@ from user_agent.original like "*nmap*" or // Nmap Scripting Engine user_agent.original like "*hydra*" // Hydra Brute Forcer ) + +| eval Esql_url_text = case(url.original is not null, url.original, url.full) +| eval Esql_url_lower = to_lower(Esql_url_text) + | keep @timestamp, event.dataset, @@ -69,13 +75,14 @@ from url.path, source.ip, agent.id, - host.name + host.name, + Esql_url_lower | stats Esql.event_count = count(), Esql.url_path_count_distinct = count_distinct(url.path), Esql.host_name_values = values(host.name), Esql.agent_id_values = values(agent.id), - Esql.url_path_values = values(url.path), + Esql.url_path_values = values(Esql_url_lower), Esql.user_agent_original_values = values(user_agent.original), Esql.event_dataset_values = values(event.dataset) by source.ip From cb2fd7572502cb1b19cd28f814550b4514b44063 Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Wed, 19 Nov 2025 15:46:57 +0100 Subject: [PATCH 4/8] Update reconnaissance_web_server_unusual_user_agents.toml --- .../reconnaissance_web_server_unusual_user_agents.toml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml b/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml index 90293af31aa..953990cc22f 100644 --- a/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml +++ b/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml @@ -72,14 +72,13 @@ from @timestamp, event.dataset, user_agent.original, - url.path, source.ip, agent.id, host.name, Esql_url_lower | stats Esql.event_count = count(), - Esql.url_path_count_distinct = count_distinct(url.path), + Esql.url_path_count_distinct = count_distinct(Esql_url_lower), Esql.host_name_values = values(host.name), Esql.agent_id_values = values(agent.id), Esql.url_path_values = values(Esql_url_lower), From 8fe37fe5c51a5bbafe7a3ab6481908afd6a6d560 Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud Date: Mon, 24 Nov 2025 14:18:34 +0100 Subject: [PATCH 5/8] ++ --- ...ssance_web_server_unusual_user_agents.toml | 32 +++++++++++-------- 1 file changed, 18 insertions(+), 14 deletions(-) diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml b/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml index 953990cc22f..685204d4094 100644 --- a/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml +++ b/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml @@ -11,8 +11,8 @@ This rule detects unusual spikes in web server requests with uncommon or suspici indicate reconnaissance attempts by attackers trying to identify vulnerabilities in web applications or servers. These user-agents are often associated with automated tools used for scanning, vulnerability assessment, or brute-force attacks. """ -from = "now-61m" -interval = "1h" +from = "now-9m" +interval = "10m" language = "esql" license = "Elastic License v2" name = "Web Server Suspicious User Agent Request Spike" @@ -20,12 +20,8 @@ risk_score = 21 rule_id = "a1b7ffa4-bf80-4bf1-86ad-c3f4dc718b35" severity = "low" tags = [ - "Domain Scope: Single", "Domain: Web", "Domain: Network", - "OS: Linux", - "OS: macOS", - "OS: Windows", "Use Case: Threat Detection", "Tactic: Reconnaissance", "Tactic: Credential Access", @@ -46,7 +42,6 @@ from logs-apache_tomcat.access-*, logs-iis.access-* | where - @timestamp > now() - 1 hours and (url.original is not null or url.full is not null) and ( user_agent.original like "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36" or // Nikto @@ -62,11 +57,20 @@ from user_agent.original like "DirBuster*" or // Dirbuster user_agent.original like "gobuster/*" or // Gobuster user_agent.original like "*nmap*" or // Nmap Scripting Engine - user_agent.original like "*hydra*" // Hydra Brute Forcer + user_agent.original like "*hydra*" or // Hydra Brute Forcer + user_agent.original like "*w3af*" or // w3af Web Application Attack and Audit Framework + user_agent.original like "*Arachni*" or // Arachni Web Application Security Scanner + user_agent.original like "*Skipfish*" or // Skipfish Web Application Security Scanner + user_agent.original like "*OpenVAS*" or // OpenVAS Vulnerability Scanner + user_agent.original like "*Acunetix*" or // Acunetix Vulnerability Scanner + user_agent.original like "*Nessus*" or // Nessus Vulnerability Scanner + user_agent.original like "*dirsearch*" or // dirsearch + user_agent.original like "*ZAP*" or // OWASP ZAP + user_agent.original like "*Burp*" // Burp Suite ) -| eval Esql_url_text = case(url.original is not null, url.original, url.full) -| eval Esql_url_lower = to_lower(Esql_url_text) +| eval Esql.url_text = case(url.original is not null, url.original, url.full) +| eval Esql.url_lower = to_lower(Esql.url_text) | keep @timestamp, @@ -75,16 +79,16 @@ from source.ip, agent.id, host.name, - Esql_url_lower + Esql.url_lower | stats Esql.event_count = count(), - Esql.url_path_count_distinct = count_distinct(Esql_url_lower), + Esql.url_path_count_distinct = count_distinct(Esql.url_lower), Esql.host_name_values = values(host.name), Esql.agent_id_values = values(agent.id), - Esql.url_path_values = values(Esql_url_lower), + Esql.url_path_values = values(Esql.url_lower), Esql.user_agent_original_values = values(user_agent.original), Esql.event_dataset_values = values(event.dataset) - by source.ip + by source.ip, agent.id | where Esql.event_count > 50 and Esql.url_path_count_distinct > 10 | limit 100 From 9ab5d79b6d0016871821bb6407d389c7ffe7f827 Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud Date: Mon, 24 Nov 2025 14:23:20 +0100 Subject: [PATCH 6/8] ++ --- ...ssance_web_server_unusual_user_agents.toml | 55 ++++++++++--------- 1 file changed, 29 insertions(+), 26 deletions(-) diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml b/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml index 685204d4094..8b8dfdddc6a 100644 --- a/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml +++ b/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml @@ -41,32 +41,35 @@ from logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-* + +| eval Esql.user_agent_original_lower = to_lower(user_agent.original) + | where (url.original is not null or url.full is not null) and ( - user_agent.original like "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36" or // Nikto - user_agent.original like "nikto*" or // Nikto - user_agent.original like "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)" or // Nessus - user_agent.original like "sqlmap/*" or // SQLMap - user_agent.original like "WPScan *" or // WPScan - user_agent.original like "feroxbuster/*" or // Feroxbuster - user_agent.original like "masscan*" or // Masscan & masscan-ng - user_agent.original like "Fuzz*" or // Ffuf - user_agent.original like "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/user_agent.original like~ 87.0.4280.88 Safari/537.36" or // Dirsearch - user_agent.original like "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" or // Dirb - user_agent.original like "DirBuster*" or // Dirbuster - user_agent.original like "gobuster/*" or // Gobuster - user_agent.original like "*nmap*" or // Nmap Scripting Engine - user_agent.original like "*hydra*" or // Hydra Brute Forcer - user_agent.original like "*w3af*" or // w3af Web Application Attack and Audit Framework - user_agent.original like "*Arachni*" or // Arachni Web Application Security Scanner - user_agent.original like "*Skipfish*" or // Skipfish Web Application Security Scanner - user_agent.original like "*OpenVAS*" or // OpenVAS Vulnerability Scanner - user_agent.original like "*Acunetix*" or // Acunetix Vulnerability Scanner - user_agent.original like "*Nessus*" or // Nessus Vulnerability Scanner - user_agent.original like "*dirsearch*" or // dirsearch - user_agent.original like "*ZAP*" or // OWASP ZAP - user_agent.original like "*Burp*" // Burp Suite + Esql.user_agent_original_lower like "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/74.0.3729.169 safari/537.36" or // Nikto + Esql.user_agent_original_lower like "nikto*" or // Nikto + Esql.user_agent_original_lower like "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)" or // Nessus Vulnerability Scanner + Esql.user_agent_original_lower like "*nessus*" or // Nessus Vulnerability Scanner + Esql.user_agent_original_lower like "sqlmap/*" or // SQLMap + Esql.user_agent_original_lower like "wpscan*" or // WPScan + Esql.user_agent_original_lower like "feroxbuster/*" or // Feroxbuster + Esql.user_agent_original_lower like "masscan*" or // Masscan & masscan-ng + Esql.user_agent_original_lower like "fuzz*" or // Ffuf + Esql.user_agent_original_lower like "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/user_agent.original like~ 87.0.4280.88 safari/537.36" or // Dirsearch + Esql.user_agent_original_lower like "mozilla/4.0 (compatible; msie 6.0; windows nt 5.1)" or // Dirb + Esql.user_agent_original_lower like "dirbuster*" or // Dirbuster + Esql.user_agent_original_lower like "gobuster/*" or // Gobuster + Esql.user_agent_original_lower like "*dirsearch*" or // dirsearch + Esql.user_agent_original_lower like "*nmap*" or // Nmap Scripting Engine + Esql.user_agent_original_lower like "*hydra*" or // Hydra Brute Forcer + Esql.user_agent_original_lower like "*w3af*" or // w3af Web Application Attack and Audit Framework + Esql.user_agent_original_lower like "*arachni*" or // Arachni Web Application Security Scanner + Esql.user_agent_original_lower like "*skipfish*" or // Skipfish Web Application Security Scanner + Esql.user_agent_original_lower like "*openvas*" or // OpenVAS Vulnerability Scanner + Esql.user_agent_original_lower like "*acunetix*" or // Acunetix Vulnerability Scanner + Esql.user_agent_original_lower like "*zap*" or // OWASP ZAP + Esql.user_agent_original_lower like "*burp*" // Burp Suite ) | eval Esql.url_text = case(url.original is not null, url.original, url.full) @@ -79,19 +82,19 @@ from source.ip, agent.id, host.name, - Esql.url_lower + Esql.url_lower, + Esql.user_agent_original_lower | stats Esql.event_count = count(), Esql.url_path_count_distinct = count_distinct(Esql.url_lower), Esql.host_name_values = values(host.name), Esql.agent_id_values = values(agent.id), Esql.url_path_values = values(Esql.url_lower), - Esql.user_agent_original_values = values(user_agent.original), + Esql.user_agent_original_values = values(Esql.user_agent_original_lower), Esql.event_dataset_values = values(event.dataset) by source.ip, agent.id | where Esql.event_count > 50 and Esql.url_path_count_distinct > 10 -| limit 100 ''' [[rule.threat]] From 981ea126a57937d4341659702d673bbb4afd86b2 Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Mon, 24 Nov 2025 16:08:27 +0100 Subject: [PATCH 7/8] Rename rule for suspicious user agent requests --- .../reconnaissance_web_server_unusual_user_agents.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml b/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml index 8b8dfdddc6a..5882a29e6d7 100644 --- a/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml +++ b/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml @@ -15,7 +15,7 @@ from = "now-9m" interval = "10m" language = "esql" license = "Elastic License v2" -name = "Web Server Suspicious User Agent Request Spike" +name = "Web Server Suspicious User Agent Requests" risk_score = 21 rule_id = "a1b7ffa4-bf80-4bf1-86ad-c3f4dc718b35" severity = "low" From b264c9446c3db93a3fe3290915b6b4c851a32ce9 Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Mon, 24 Nov 2025 13:01:04 -0500 Subject: [PATCH 8/8] fixing from indices formatting --- ...naissance_web_server_unusual_user_agents.toml | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml b/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml index 5882a29e6d7..208b7058242 100644 --- a/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml +++ b/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml @@ -34,13 +34,7 @@ tags = [ timestamp_override = "event.ingested" type = "esql" query = ''' -from - logs-network_traffic.http-*, - logs-network_traffic.tls-*, - logs-nginx.access-*, - logs-apache.access-*, - logs-apache_tomcat.access-*, - logs-iis.access-* +from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-* | eval Esql.user_agent_original_lower = to_lower(user_agent.original) @@ -48,19 +42,19 @@ from (url.original is not null or url.full is not null) and ( Esql.user_agent_original_lower like "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/74.0.3729.169 safari/537.36" or // Nikto - Esql.user_agent_original_lower like "nikto*" or // Nikto + Esql.user_agent_original_lower like "nikto*" or // Nikto Esql.user_agent_original_lower like "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)" or // Nessus Vulnerability Scanner Esql.user_agent_original_lower like "*nessus*" or // Nessus Vulnerability Scanner Esql.user_agent_original_lower like "sqlmap/*" or // SQLMap Esql.user_agent_original_lower like "wpscan*" or // WPScan - Esql.user_agent_original_lower like "feroxbuster/*" or // Feroxbuster + Esql.user_agent_original_lower like "feroxbuster/*" or // Feroxbuster Esql.user_agent_original_lower like "masscan*" or // Masscan & masscan-ng Esql.user_agent_original_lower like "fuzz*" or // Ffuf Esql.user_agent_original_lower like "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/user_agent.original like~ 87.0.4280.88 safari/537.36" or // Dirsearch Esql.user_agent_original_lower like "mozilla/4.0 (compatible; msie 6.0; windows nt 5.1)" or // Dirb Esql.user_agent_original_lower like "dirbuster*" or // Dirbuster Esql.user_agent_original_lower like "gobuster/*" or // Gobuster - Esql.user_agent_original_lower like "*dirsearch*" or // dirsearch + Esql.user_agent_original_lower like "*dirsearch*" or // dirsearch Esql.user_agent_original_lower like "*nmap*" or // Nmap Scripting Engine Esql.user_agent_original_lower like "*hydra*" or // Hydra Brute Forcer Esql.user_agent_original_lower like "*w3af*" or // w3af Web Application Attack and Audit Framework @@ -68,7 +62,7 @@ from Esql.user_agent_original_lower like "*skipfish*" or // Skipfish Web Application Security Scanner Esql.user_agent_original_lower like "*openvas*" or // OpenVAS Vulnerability Scanner Esql.user_agent_original_lower like "*acunetix*" or // Acunetix Vulnerability Scanner - Esql.user_agent_original_lower like "*zap*" or // OWASP ZAP + Esql.user_agent_original_lower like "*zap*" or // OWASP ZAP Esql.user_agent_original_lower like "*burp*" // Burp Suite )