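# sid 2010715, rev 7 (latest listing on this page).
# Alerts on inbound HTTP requests whose headers contain "User-Agent: Made by ZmEu",
# the string this signature ties to the ZmEu scanner.
#   flow:established,to_server  - only client-to-server data on an established TCP session.
#   content + http_header       - the literal is searched in the HTTP header buffer, not the raw
#                                 payload; the match is case-sensitive (no nocase). Coverage
#                                 depends on $HTTP_PORTS including every port your web servers use.
#   threshold limit/by_src/180s - at most one alert per source IP per 180 seconds. An alert says
#                                 "this source is scanning", not how many requests it sent; take
#                                 per-request detail from web server or proxy logs.
# Limitation: the rule keys on a client-chosen header, so it only identifies clients that send
# this exact User-Agent. It does not inspect what the request targets.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN ZmEu exploit scanner"; flow:established,to_server; content:"User-Agent|3a| Made by ZmEu"; http_header; threshold: type limit, track by_src, seconds 180, count 1; reference:url,doc.emergingthreats.net/2010715; classtype:web-application-attack; sid:2010715; rev:7;)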
Added 2011-10-12 19:30:24 UTC
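# sid 2010715, rev 7 (earlier listing of the same revision).
# Same header, match and threshold as the other rev:7 entry on this page; only the position of
# classtype and reference inside the option list differs, which does not affect matching.
# Matches "User-Agent: Made by ZmEu" in the HTTP header buffer of established client-to-server
# traffic from $EXTERNAL_NET to $HOME_NET on $HTTP_PORTS, limited to one alert per source IP
# per 180 seconds.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN ZmEu exploit scanner"; flow:established,to_server; content:"User-Agent|3a| Made by ZmEu"; http_header; threshold: type limit, track by_src, seconds 180, count 1; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2010715; sid:2010715; rev:7;)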
Added 2011-09-14 22:43:35 UTC
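# sid 2010715, rev 6 (historical).
# Detection logic is the same as rev 7: "User-Agent: Made by ZmEu" in the HTTP header buffer,
# $EXTERNAL_NET -> $HOME_NET, one alert per source IP per 180 seconds.
# NOTE: the first reference URL ends in 2010705 while the sid is 2010715. This is the mismatch
# reported in the comments on this page; the rev 7 listings point to .../2010715 instead.
# The reference field is metadata only, so the mismatch does not change what the rule matches,
# but an analyst following the link from an alert would land on the wrong rule page.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN ZmEu exploit scanner"; flow:established,to_server; content:"User-Agent|3a| Made by ZmEu"; http_header; threshold: type limit, track by_src, seconds 180, count 1; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2010705; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_ZmEu; sid:2010715; rev:6;)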
Added 2011-02-04 17:30:20 UTC
Has anyone here seen that the sid of this rule is 2010715 while the URL in the reference field points to doc.emergingthreats.net/2010705??? This is wrong...
--
JeremyNenadal - 12 May 2011
Fixing that up, thanks Jeremy!!
--
MattJonkman - 12 May 2011
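# sid 2010715, rev 3 (historical, kept as published).
# Differences from the rev 6/7 listings on this page that matter when reading old alerts:
#   - Destination is $EXTERNAL_NET, not $HOME_NET. With the usual variable definitions
#     ($EXTERNAL_NET = !$HOME_NET) requests aimed at servers inside $HOME_NET are not covered
#     by this revision; rev 6 and rev 7 use $HOME_NET as the destination.
#   - The match is a raw payload search for CRLF + "User-Agent: Made by ZmEu" with no
#     http_header modifier, so it is not confined to the HTTP header buffer.
#   - The first reference URL ends in 2010705 although the sid is 2010715 (see the comments
#     on this page).
# Threshold is unchanged: one alert per source IP per 180 seconds.
alert tcp $EXTERNAL_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET SCAN ZmEu exploit scanner"; flow:established,to_server; content:"|0d 0a|User-Agent\: Made by ZmEu"; threshold: type limit, track by_src, seconds 180, count 1; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2010705; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_ZmEu; sid:2010715; rev:3;)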
Added 2010-07-29 19:45:58 UTC
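# sid 2010715, rev 3 (historical; second listing with the same rev and timestamp).
# Raw payload match for CRLF + "User-Agent: Made by ZmEu" on established client-to-server
# traffic, one alert per source IP per 180 seconds.
# NOTE: both source and destination are $EXTERNAL_NET in this revision, so traffic towards
# $HOME_NET servers is outside its scope under the usual variable definitions. The reference
# URL ends in 2010705 although the sid is 2010715.
alert tcp $EXTERNAL_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET SCAN ZmEu exploit scanner"; flow:established,to_server; content:"|0d 0a|User-Agent\: Made by ZmEu"; threshold: type limit, track by_src, seconds 180, count 1; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2010705; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_ZmEu; sid:2010715; rev:3;)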
Added 2010-07-29 19:45:58 UTC
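# sid 2010715, rev 2 (historical, oldest listing on this page).
# Published under the USER_AGENTS category (msg prefix and cvsweb path); the later revisions
# on this page carry the same sid under ET SCAN, so alert searches by msg text need both
# prefixes when the data spans the change, while searches by sid are unaffected.
# Match and scope are as in rev 3: raw payload search for CRLF + "User-Agent: Made by ZmEu",
# no http_header modifier, destination $EXTERNAL_NET rather than $HOME_NET, and a reference
# URL ending in 2010705 although the sid is 2010715.
# Threshold: one alert per source IP per 180 seconds.
alert tcp $EXTERNAL_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS ZmEu exploit scanner"; flow:established,to_server; content:"|0d 0a|User-Agent\: Made by ZmEu"; threshold: type limit, track by_src, seconds 180, count 1; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2010705; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_ZmEu; sid:2010715; rev:2;)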
Added 2010-01-23 12:51:22 UTC