# sid 2008536 rev 7, latest record: disabled (leading '#') and labelled "ET DELETED",
# so a sensor loading this line does not evaluate it. Compared with the 2012-03-08
# record, the header protocol is http instead of tcp and a metadata field is present.
# If re-enabled it matches client-to-server requests on established sessions whose HTTP
# headers contain "Pragma: no-cache" and "Firefox/1.0.3", and alerts once per 40 matches
# from one source address within 15 seconds.
# Both strings are fixed header values: traffic that does not carry exactly these values
# is not matched, so a lack of alerts is not evidence that no scan took place.
#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Halberd Load Balanced Webserver Detection Scan"; flow:to_server,established; content:"Pragma|3a| no-cache"; http_header; content:"Firefox/1.0.3"; http_header; fast_pattern; offset:40; depth:40; threshold: type threshold, track by_src, count 40, seconds 15; reference:url,www.halberd.superadditive.com; reference:url,doc.emergingthreats.net/2008536; classtype:attempted-recon; sid:2008536; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:01:42 UTC


# Rev 7, retired: the rule is commented out and its msg prefix changes from "ET SCAN"
# to "ET DELETED". The match options are the same as in the enabled rev 7 text, so this
# record changes rule status only, not detection logic.
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Halberd Load Balanced Webserver Detection Scan"; flow:to_server,established; content:"Pragma|3a| no-cache"; http_header; content:"Firefox/1.0.3"; http_header; fast_pattern; offset:40; depth:40; threshold: type threshold, track by_src, count 40, seconds 15; reference:url,www.halberd.superadditive.com; reference:url,doc.emergingthreats.net/2008536; classtype:attempted-recon; sid:2008536; rev:7;)

Added 2012-03-08 18:30:46 UTC


# Rev 7, enabled. Same options as the 2011-09-14 record; only the position of classtype
# (now after the reference entries) differs, which is an ordering change.
# threshold: type threshold, track by_src, count 40, seconds 15 -> one alert per 40
# matching requests from a single source address inside a 15-second window.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Halberd Load Balanced Webserver Detection Scan"; flow:to_server,established; content:"Pragma|3a| no-cache"; http_header; content:"Firefox/1.0.3"; http_header; fast_pattern; offset:40; depth:40; threshold: type threshold, track by_src, count 40, seconds 15; reference:url,www.halberd.superadditive.com; reference:url,doc.emergingthreats.net/2008536; classtype:attempted-recon; sid:2008536; rev:7;)

Added 2011-10-12 19:25:19 UTC


# Rev 7, enabled. Only difference from the 2011-02-04 record: the cvsweb.cgi reference
# is no longer listed. Detection options are unchanged.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Halberd Load Balanced Webserver Detection Scan"; flow:to_server,established; content:"Pragma|3a| no-cache"; http_header; content:"Firefox/1.0.3"; http_header; fast_pattern; offset:40; depth:40; threshold: type threshold, track by_src, count 40, seconds 15; classtype:attempted-recon; reference:url,www.halberd.superadditive.com; reference:url,doc.emergingthreats.net/2008536; sid:2008536; rev:7;)

Added 2011-09-14 22:38:46 UTC


# Rev 7, first record. Changes from rev 4:
#   - the colon in the Pragma match is written as the hex byte |3a| instead of "\:";
#   - both content matches carry http_header, restricting them to the HTTP header buffer
#     instead of the whole payload;
#   - "Firefox/1.0.3" is marked fast_pattern;
#   - offset:40; distance:40 becomes offset:40; depth:40, i.e. "Firefox/1.0.3" is searched
#     for starting 40 bytes into the buffer and over the following 40 bytes.
# The positional window depends on header order and length, so a request with the same
# two values laid out differently may fall outside it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Halberd Load Balanced Webserver Detection Scan"; flow:to_server,established; content:"Pragma|3a| no-cache"; http_header; content:"Firefox/1.0.3"; http_header; fast_pattern; offset:40; depth:40; threshold: type threshold, track by_src, count 40, seconds 15; classtype:attempted-recon; reference:url,www.halberd.superadditive.com; reference:url,doc.emergingthreats.net/2008536; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Halberd; sid:2008536; rev:7;)

Added 2011-02-04 17:27:43 UTC


# Rev 4. Same options as rev 3 with flow:to_server,established moved to the front.
# Neither content has an HTTP buffer modifier, so both are matched against the TCP payload.
# NOTE(review): offset (absolute position) and distance (relative to the previous match)
# are both attached to "Firefox/1.0.3"; how an engine resolves that pairing is not shown
# on this page. Rev 7 replaces it with offset/depth.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Halberd Load Balanced Webserver Detection Scan"; flow:to_server,established; content:"Pragma\: no-cache"; content:"Firefox/1.0.3"; offset:40; distance:40; threshold: type threshold, track by_src, count 40, seconds 15; classtype:attempted-recon; reference:url,www.halberd.superadditive.com; reference:url,doc.emergingthreats.net/2008536; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Halberd; sid:2008536; rev:4;)

Added 2010-04-03 08:12:59 UTC


# Rev 4, second record with the same rule text and the same timestamp as the other
# rev 4 entry. flow comes first; both content matches run against the TCP payload.
# NOTE(review): offset and distance are both attached to "Firefox/1.0.3"; confirm how the
# target engine treats an absolute and a relative modifier on one content.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Halberd Load Balanced Webserver Detection Scan"; flow:to_server,established; content:"Pragma\: no-cache"; content:"Firefox/1.0.3"; offset:40; distance:40; threshold: type threshold, track by_src, count 40, seconds 15; classtype:attempted-recon; reference:url,www.halberd.superadditive.com; reference:url,doc.emergingthreats.net/2008536; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Halberd; sid:2008536; rev:3;)

Added 2010-04-03 08:12:59 UTC


# Rev 3. Adds two reference entries (doc.emergingthreats.net/2008536 and the cvsweb.cgi
# signature path) to rev 2; the content, flow and threshold options are unchanged.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Halberd Load Balanced Webserver Detection Scan"; content:"Pragma\: no-cache"; content:"Firefox/1.0.3"; offset:40; distance:40; flow:to_server,established; threshold: type threshold, track by_src, count 40, seconds 15; classtype:attempted-recon; reference:url,www.halberd.superadditive.com; reference:url,doc.emergingthreats.net/2008536; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Halberd; sid:2008536; rev:3;)

Added 2009-02-11 19:24:44 UTC


# Rev 3, second record with the same rule text and the same timestamp as the other
# rev 3 entry. Differs from rev 2 only by the two added reference entries.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Halberd Load Balanced Webserver Detection Scan"; content:"Pragma\: no-cache"; content:"Firefox/1.0.3"; offset:40; distance:40; flow:to_server,established; threshold: type threshold, track by_src, count 40, seconds 15; classtype:attempted-recon; reference:url,www.halberd.superadditive.com; reference:url,doc.emergingthreats.net/2008536; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Halberd; sid:2008536; rev:3;)

Added 2009-02-11 19:24:44 UTC


# Rev 2. The colon in the Pragma content match is now escaped ("Pragma\: no-cache"),
# which is the fix requested in the note on this page for rev 1. No other option changes.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Halberd Load Balanced Webserver Detection Scan"; content:"Pragma\: no-cache"; content:"Firefox/1.0.3"; offset:40; distance:40; flow:to_server,established; threshold: type threshold, track by_src, count 40, seconds 15; classtype:attempted-recon; reference:url,www.halberd.superadditive.com; sid:2008536; rev:2;)

Added 2008-09-03 14:15:21 UTC


# Rev 2, second record with the same rule text and the same timestamp as the other
# rev 2 entry. The Pragma colon is escaped as "\:"; all other options match rev 1.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Halberd Load Balanced Webserver Detection Scan"; content:"Pragma\: no-cache"; content:"Firefox/1.0.3"; offset:40; distance:40; flow:to_server,established; threshold: type threshold, track by_src, count 40, seconds 15; classtype:attempted-recon; reference:url,www.halberd.superadditive.com; sid:2008536; rev:2;)

Added 2008-09-03 14:15:21 UTC


# Rev 1, original submission. The colon in content:"Pragma: no-cache" is neither escaped
# nor hex-encoded; the note on this page reports that the rule fails to load in this form.
# A rule that does not load produces no alerts, so check the sensor's startup log for
# parse errors before relying on a newly added signature.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Halberd Load Balanced Webserver Detection Scan"; content:"Pragma: no-cache"; content:"Firefox/1.0.3"; offset:40; distance:40; flow:to_server,established; threshold: type threshold, track by_src, count 40, seconds 15; classtype:attempted-recon; reference:url,www.halberd.superadditive.com; sid:2008536; rev:1;)

Added 2008-09-02 10:00:22 UTC

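The colon (:) in the Pragma content match should either be escaped with a backslash or be written as the hex byte |3a|; otherwise the rule fails to load correctly. For example, use content:"Pragma\: no-cache"; or content:"Pragma|3a| no-cache"; rather than content:"Pragma: no-cache";.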

See http://www.snort.org/docs/snort_htmanuals/htmanual_282/node228.html

-- JohnIves - 02 Sep 2008


Topic revision: r2 - 2008-09-02 - JohnIves
 