# sid:2008537 rev:6 - alerts on an Hmap web-server fingerprinting probe sent from $EXTERNAL_NET to $HTTP_SERVERS.
# The header uses the `http` protocol keyword (accepted by Suricata and Snort 3, not by Snort 2.x).
# flow:to_server,established restricts the rule to client requests on an established session.
# Three content matches, none tied to another with distance/within:
#   1. "GET / HTTP/1.0" with depth:14 - the string is 14 bytes long, so it must be the very start of the payload.
#   2. |0d 0a| "User-Agent" |3a| " Mozilla" - CR LF and the colon are hex-encoded; no position limit.
#   3. "4.75 [en] (Windows NT 5.0" with offset:20; depth:60 - must lie inside the 60 bytes that begin at payload byte 20.
# NOTE(review): coverage is limited to requests carrying exactly this request line and User-Agent fragment.
# A genuine legacy client sending the same strings would presumably alert as well, so triage hits as recon and correlate with later requests from the same source.
# NOTE(review): no HTTP buffer keywords are used, so these look like raw-payload matches - confirm against the engine in use.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Hmap Webserver Fingerprint Scan"; content:"GET / HTTP/1.0"; depth:14; content:"|0d 0a|User-Agent|3a| Mozilla"; content:"4.75 [en] (Windows NT 5.0"; offset:20; depth:60; flow:to_server,established; reference:url,www.ujeni.murkyroc.com/hmap/; reference:url,doc.emergingthreats.net/2008537; classtype:attempted-recon; sid:2008537; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:01:42 UTC


# sid:2008537 rev:7 - Hmap fingerprint-scan alert written around HTTP buffers; client-to-server, established flow only.
#   content:"GET"; nocase; http_method;                 -> request method, case-insensitive
#   content:"HTTP/1.0";                                 -> no modifier, so matched anywhere in the raw payload
#   content:"User-Agent|3a| Mozilla";                   -> no modifier, raw payload (|3a| is the colon)
#   content:"4.75 [en] (Windows NT 5.0"; http_header;   -> HTTP header buffer
# Unlike the rev:3 text further down this page, there is no "/" path requirement and no offset/depth window, so a GET for any URI can match.
# NOTE(review): http_method and http_header depend on the sensor's HTTP normalisation (HTTP Inspect in Snort 2.x) covering the ports in $HTTP_PORTS; without it those two matches never fire - confirm on the deployed sensor.
# NOTE(review): detection rests on a fixed User-Agent fragment plus HTTP/1.0; treat hits as recon and correlate with follow-on activity from the same source.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Hmap Webserver Fingerprint Scan"; flow:to_server,established; content:"GET"; nocase; http_method; content:"HTTP/1.0"; content:"User-Agent|3a| Mozilla"; content:"4.75 [en] (Windows NT 5.0"; http_header; reference:url,www.ujeni.murkyroc.com/hmap/; reference:url,doc.emergingthreats.net/2008537; classtype:attempted-recon; sid:2008537; rev:7;)

Added 2011-10-12 19:25:19 UTC


# sid:2008537 rev:7 as recorded on 2011-09-14. The detection options match the 2011-10-12 entry above; only the position of classtype relative to the references differs, and rev was not bumped.
#   content:"GET"; nocase; http_method;                 -> request method, case-insensitive
#   content:"HTTP/1.0"; and content:"User-Agent|3a| Mozilla"; -> no modifier, matched anywhere in the raw payload
#   content:"4.75 [en] (Windows NT 5.0"; http_header;   -> HTTP header buffer
# NOTE(review): the http_* modifiers need HTTP normalisation enabled for $HTTP_PORTS - confirm on the deployed sensor.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Hmap Webserver Fingerprint Scan"; flow:to_server,established; content:"GET"; nocase; http_method; content:"HTTP/1.0"; content:"User-Agent|3a| Mozilla"; content:"4.75 [en] (Windows NT 5.0"; http_header; classtype:attempted-recon; reference:url,www.ujeni.murkyroc.com/hmap/; reference:url,doc.emergingthreats.net/2008537; sid:2008537; rev:7;)

Added 2011-09-14 22:38:46 UTC


# sid:2008537 rev:7 as recorded on 2011-02-04. It has the same match options as the later rev:7 entries on this page, plus a third reference pointing at the cvsweb signature history.
#   content:"GET"; nocase; http_method;                 -> request method, case-insensitive
#   content:"HTTP/1.0"; and content:"User-Agent|3a| Mozilla"; -> no modifier, matched anywhere in the raw payload
#   content:"4.75 [en] (Windows NT 5.0"; http_header;   -> HTTP header buffer
# NOTE(review): the http_* modifiers need HTTP normalisation enabled for $HTTP_PORTS - confirm on the deployed sensor.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Hmap Webserver Fingerprint Scan"; flow:to_server,established; content:"GET"; nocase; http_method; content:"HTTP/1.0"; content:"User-Agent|3a| Mozilla"; content:"4.75 [en] (Windows NT 5.0"; http_header; classtype:attempted-recon; reference:url,www.ujeni.murkyroc.com/hmap/; reference:url,doc.emergingthreats.net/2008537; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Hmap; sid:2008537; rev:7;)

Added 2011-02-04 17:27:43 UTC


# sid:2008537 rev:3 - raw TCP payload form of the Hmap fingerprint-scan alert; client-to-server, established flow only.
#   content:"GET / HTTP/1.0";        -> no depth on this match, so it may appear anywhere in the payload
#   content:"User-Agent\: Mozilla";  -> colon escaped with a backslash (see the note at the foot of this page about rev:1)
#   content:"4.75 [en] (Windows NT 5.0"; offset:20; depth:60; -> must lie inside the 60 bytes that begin at payload byte 20
# The three matches are independent; nothing forces them to appear in this order.
# NOTE(review): coverage is limited to requests for "/" over HTTP/1.0 carrying this exact User-Agent fragment.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Hmap Webserver Fingerprint Scan"; content:"GET / HTTP/1.0"; content:"User-Agent\: Mozilla"; content:"4.75 [en] (Windows NT 5.0"; offset:20; depth:60; flow:to_server,established; classtype:attempted-recon; reference:url,www.ujeni.murkyroc.com/hmap/; reference:url,doc.emergingthreats.net/2008537; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Hmap; sid:2008537; rev:3;)

Added 2009-02-11 19:24:44 UTC


# sid:2008537 rev:3 - the page records this text twice with the same 2009-02-11 timestamp.
#   content:"GET / HTTP/1.0";        -> anywhere in the payload (no depth)
#   content:"User-Agent\: Mozilla";  -> colon escaped with a backslash
#   content:"4.75 [en] (Windows NT 5.0"; offset:20; depth:60; -> inside the 60 bytes that begin at payload byte 20
# flow:to_server,established limits the rule to client requests on an established session.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Hmap Webserver Fingerprint Scan"; content:"GET / HTTP/1.0"; content:"User-Agent\: Mozilla"; content:"4.75 [en] (Windows NT 5.0"; offset:20; depth:60; flow:to_server,established; classtype:attempted-recon; reference:url,www.ujeni.murkyroc.com/hmap/; reference:url,doc.emergingthreats.net/2008537; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Hmap; sid:2008537; rev:3;)

Added 2009-02-11 19:24:44 UTC


# sid:2008537 rev:2 - same match options as the rev:3 text on this page, but with only the hmap project reference.
#   content:"GET / HTTP/1.0";        -> anywhere in the payload (no depth)
#   content:"User-Agent\: Mozilla";  -> colon escaped with a backslash, the change from rev:1 that the note at the foot of this page asks for
#   content:"4.75 [en] (Windows NT 5.0"; offset:20; depth:60; -> inside the 60 bytes that begin at payload byte 20
# flow:to_server,established limits the rule to client requests on an established session.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Hmap Webserver Fingerprint Scan"; content:"GET / HTTP/1.0"; content:"User-Agent\: Mozilla"; content:"4.75 [en] (Windows NT 5.0"; offset:20; depth:60; flow:to_server,established; classtype:attempted-recon; reference:url,www.ujeni.murkyroc.com/hmap/; sid:2008537; rev:2;)

Added 2008-09-03 14:15:21 UTC


# sid:2008537 rev:2 - the page records this text twice with the same 2008-09-03 timestamp.
#   content:"GET / HTTP/1.0";        -> anywhere in the payload (no depth)
#   content:"User-Agent\: Mozilla";  -> colon escaped with a backslash
#   content:"4.75 [en] (Windows NT 5.0"; offset:20; depth:60; -> inside the 60 bytes that begin at payload byte 20
# flow:to_server,established limits the rule to client requests on an established session.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Hmap Webserver Fingerprint Scan"; content:"GET / HTTP/1.0"; content:"User-Agent\: Mozilla"; content:"4.75 [en] (Windows NT 5.0"; offset:20; depth:60; flow:to_server,established; classtype:attempted-recon; reference:url,www.ujeni.murkyroc.com/hmap/; sid:2008537; rev:2;)

Added 2008-09-03 14:15:21 UTC


# sid:2008537 rev:1 - first recorded text of the Hmap fingerprint-scan alert, kept here as history.
# content:"User-Agent: Mozilla" contains an unescaped colon. The note below this entry reports that the rule fails to load in this form; rev:2 on this page escapes it as "\:".
# A rule that fails to load gives no coverage for this sid, so do not deploy this revision as written.
#   content:"GET / HTTP/1.0";        -> anywhere in the payload (no depth)
#   content:"4.75 [en] (Windows NT 5.0"; offset:20; depth:60; -> inside the 60 bytes that begin at payload byte 20
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Hmap Webserver Fingerprint Scan"; content:"GET / HTTP/1.0"; content:"User-Agent: Mozilla"; content:"4.75 [en] (Windows NT 5.0"; offset:20; depth:60; flow:to_server,established; classtype:attempted-recon; reference:url,www.ujeni.murkyroc.com/hmap/; sid:2008537; rev:1;)

Added 2008-09-02 10:00:22 UTC

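The colon (:) in the User-Agent content match should either be escaped with a backslash (\:) or be expressed as the hex byte |3a|. Otherwise the rule fails to load correctly, and a rule that does not load provides no detection, so check the sensor's startup log for rule-parse errors after updating.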

See http://www.snort.org/docs/snort_htmanuals/htmanual_282/node228.html

-- JohnIves - 02 Sep 2008


Topic revision: r2 - 2008-09-02 - JohnIves
 