# ET SCAN sid 2010715, rev 7: alerts on client-to-server data in established TCP
# sessions from $EXTERNAL_NET to $HOME_NET on $HTTP_PORTS whose HTTP headers
# contain the scanner's self-identifying User-Agent string (|3a| is ":").
# threshold "type limit ... count 1" raises at most one alert per source address
# per 180 seconds, so the alert count does not show how many requests were sent;
# use web server or flow logs to size the scan.
# The User-Agent value is chosen by the client, so this rule only catches
# scanners that keep this default string.
# NOTE(review): the "?" after "ZmEu" in msg and content looks like a wiki
# rendering artifact (TWiki appends "?" to unlinked WikiWords) - confirm against
# the distributed rule file before copying this line, because a literal "?" in
# content must be present in the header for the rule to match.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN ZmEu? exploit scanner"; flow:established,to_server; content:"User-Agent|3a| Made by ZmEu?"; http_header; threshold: type limit, track by_src, seconds 180, count 1; reference:url,doc.emergingthreats.net/2010715; classtype:web-application-attack; sid:2010715; rev:7;)

Added 2011-10-12 19:30:24 UTC


# sid 2010715, rev 7 as recorded on 2011-09-14: same header, content match and
# threshold as the 2011-10-12 entry on this page; only the order of the
# classtype and reference options differs.
# The reference URL here ends in 2010715, matching the sid.
# NOTE(review): the "?" after "ZmEu" is probably a wiki rendering artifact, not
# part of the signature - verify against the distributed rule before reuse.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN ZmEu? exploit scanner"; flow:established,to_server; content:"User-Agent|3a| Made by ZmEu?"; http_header; threshold: type limit, track by_src, seconds 180, count 1; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2010715; sid:2010715; rev:7;)

Added 2011-09-14 22:43:35 UTC


# sid 2010715, rev 6: first revision on this page that targets $HOME_NET and
# restricts the content match to the HTTP headers with http_header.
# Known issue in this revision: the first reference URL ends in 2010705 while
# the sid is 2010715 (raised in the comment thread on this page); the rev 7
# entries carry doc.emergingthreats.net/2010715 instead. Anyone pivoting from
# an alert to documentation should follow the sid, not this URL.
# NOTE(review): the "?" after "ZmEu" is probably a wiki rendering artifact, not
# part of the signature - verify against the distributed rule before reuse.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN ZmEu? exploit scanner"; flow:established,to_server; content:"User-Agent|3a| Made by ZmEu?"; http_header; threshold: type limit, track by_src, seconds 180, count 1; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2010705; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_ZmEu; sid:2010715; rev:6;)

Added 2011-02-04 17:30:20 UTC

Has anyone here seen that the sid of this rule is 2010715 while the URL in the reference field points to doc.emergingthreats.net/2010705??? This is wrong...

-- JeremyNenadal - 12 May 2011

Fixing that up, thanks Jeremy!!

-- MattJonkman - 12 May 2011


# sid 2010715, rev 3 (historical): source and destination are both
# $EXTERNAL_NET, whereas the rev 6 and rev 7 entries on this page use $HOME_NET
# as the destination. NOTE(review): with the usual variable definitions this
# header would not cover inbound scans of protected hosts - do not reuse this
# revision without checking the header.
# The content has no http_header modifier, so it is matched against the raw
# payload; the leading |0d 0a| (CRLF) requires the string to start a new line.
# The reference URL ends in 2010705 although the sid is 2010715.
# NOTE(review): the "?" after "ZmEu" is probably a wiki rendering artifact.
alert tcp $EXTERNAL_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET SCAN ZmEu? exploit scanner"; flow:established,to_server; content:"|0d 0a|User-Agent\: Made by ZmEu?"; threshold: type limit, track by_src, seconds 180, count 1; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2010705; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_ZmEu; sid:2010715; rev:3;)

Added 2010-07-29 19:45:58 UTC


# sid 2010715, rev 3 (historical): this entry repeats the rule text and the
# "Added 2010-07-29 19:45:58 UTC" timestamp of the entry listed just before it.
# Destination is $EXTERNAL_NET rather than $HOME_NET, and the reference URL ends
# in 2010705 although the sid is 2010715; later revisions on this page change
# both. The match is on the raw payload (no http_header modifier).
# NOTE(review): the "?" after "ZmEu" is probably a wiki rendering artifact.
alert tcp $EXTERNAL_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET SCAN ZmEu? exploit scanner"; flow:established,to_server; content:"|0d 0a|User-Agent\: Made by ZmEu?"; threshold: type limit, track by_src, seconds 180, count 1; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2010705; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_ZmEu; sid:2010715; rev:3;)

Added 2010-07-29 19:45:58 UTC


# sid 2010715, rev 2 (historical): the rule is still filed under ET USER_AGENTS
# here; the rev 3 and later entries on this page use the ET SCAN prefix and
# the SCAN_ZmEu reference path.
# Same detection as rev 3: raw-payload match on the CRLF-anchored User-Agent
# line, limited to one alert per source per 180 seconds, with $EXTERNAL_NET as
# both source and destination.
# The reference URL ends in 2010705 although the sid is 2010715.
# NOTE(review): the "?" after "ZmEu" is probably a wiki rendering artifact.
alert tcp $EXTERNAL_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS ZmEu? exploit scanner"; flow:established,to_server; content:"|0d 0a|User-Agent\: Made by ZmEu?"; threshold: type limit, track by_src, seconds 180, count 1; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2010705; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_ZmEu; sid:2010715; rev:2;)

Added 2010-01-23 12:51:22 UTC


Topic revision: r3 - 2011-05-12 - MattJonkman
 