#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED MaMa? CaSpEr? RFI Scan"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| MaMa? CaSpEr?|0D 0A|"; nocase; reference:url,doc.emergingthreats.net/2011176; classtype:web-application-attack; sid:2011176; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) Added 2018-09-13 19:41:52 UTC
Added 2018-09-13 17:54:53 UTC
#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED MaMa? CaSpEr? RFI Scan"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| MaMa? CaSpEr?|0D 0A|"; nocase; reference:url,doc.emergingthreats.net/2011176; classtype:web-application-attack; sid:2011176; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) Added 2017-08-07 21:04:20 UTC
##alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED MaMa? CaSpEr? RFI Scan"; flow:established,to_server; content:"User-Agent|3a| MaMa? CaSpEr?|0D 0A|"; nocase; http_header; reference:url,doc.emergingthreats.net/2011176; classtype:web-application-attack; sid:2011176; rev:4;) Added 2011-10-12 19:31:29 UTC
##alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED MaMa? CaSpEr? RFI Scan"; flow:established,to_server; content:"User-Agent|3a| MaMa? CaSpEr?|0D 0A|"; nocase; http_header; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2011176; sid:2011176; rev:4;) Added 2011-09-14 22:44:54 UTC
##alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED MaMa? CaSpEr? RFI Scan"; flow:established,to_server; content:"User-Agent|3a| MaMa? CaSpEr?|0D 0A|"; nocase; http_header; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2011176; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SERVER_Casper; sid:2011176; rev:4;) Added 2011-02-04 17:30:57 UTC
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN MaMa? CaSpEr? RFI Scan"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| MaMa? CaSpEr?|0D 0A|"; nocase; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2011176; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Casper; sid:2011176; rev:4;) Added 2010-07-29 19:30:58 UTC All casper sigs at: http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Casper -- MattJonkman - 20 Aug 2010
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER MaMa? CaSpEr? RFI Scan"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| MaMa? CaSpEr?|0D 0A|"; nocase; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2011176; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SERVER_Casper; sid:2011176; rev:3;) Added 2010-07-29 14:16:22 UTC
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS MaMa? CaSpEr? RFI Scan"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| MaMa? CaSpEr?|0D 0A|"; nocase; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2011176; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Casper; sid:2011176; rev:2;) Added 2010-07-26 11:52:24 UTC
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS MaMa? CaSpEr? RFI Scan"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| MaMa? CaSpEr?|0D 0A|"; nocase; reference:url,doc.emergingthreats.net/2011176; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENT_Casper_RFI_Bot; classtype:web-application-attack; sid:2011176; rev:1;) Added 2010-07-08 19:31:10 UTC Just to provide you more informations about these casper user agents. These user agent are hard coded into the "ByroeNet" scanner dated from 17/06/2010 Source code of the scanner. http://pastebin.com/zBUHC3d9 The scanner is an evolution of the BaMbY? scanner dated from 28/05/2010 http://novie.fileave.com/rfi.txt This new scanner was first seen on Internet the 17 Jun 2010 on t7.fileave.com/e107.txt, directly exploited after his creation. http://www.google.com/search?q=%22%24powered%3D%22ByroeNet%22%3B%22&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:fr:official&client=firefox-a More precisely this scanner is integrating in his "normal functionalities" a new functionality : e107 scanner. The e107 (cmde107 - e107scan) scanner, with support of dorks, is trying to exploit the 24 May 2010 RCE discovered vulnerability. http://www.exploit-db.com/exploits/12715/ But between his traditional RFI scanner and dorks, the scanner could also exploit the 31 May 2010 LFI discovered vulnerability. http://www.exploit-db.com/exploits/12818/ The ByroeNet? scanner is defining different user agents by default how are customisable For sub cmdxml : my $userAgent = LWP::UserAgent->new(agent => 'perl post'); For sub cmde107 : $access->agent("Mozilla/5.0"); For sub e107scan : $ua->agent('Mozilla/4.76 [ru] (X11; U; SunOS? 5.7 sun4u)'); For sub xmlcek : my $userAgent = LWP::UserAgent->new(agent => 'perl post'); For sub xmlxspread : my $userAgent = LWP::UserAgent->new(agent => 'perl post'); For sub lfiexploit : Normal for /proc/self/environ exploitation my $agent = ""; For sub cmdlfi : Normal for /proc/self/environ exploitation my $hie = "j13mbut /dev/stdout"); ?>j13mbut"; $browser->agent("$hie"); After investigating my Honey Net weblogs for a period of one month, I got these different user agent targeting e107 exploits : http://eromang.zataz.com/uploads/e107_user_agents.txt You can find the default configured user agents : Mozilla/5.0 Mozilla/4.76 [ru] (X11; U; SunOS? 5.7 sun4u) perl post But also Casper user agents : Casper Bot Search MaMa? CaSpEr? And some new user agents : b3b4s Bot Search dex Bot Search Dex Bot Search kmccrew Bot Search plaNETWORK Bot Search rk q kangen sasqia Bot Search sledink Bot Search As you can see the user agents are only reflecting the "Crew" or "Team" how is using the "ByroeNet" scanner. Here some stats for the user agents : http://eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/ Casper Bot Search is really the more prolific user agent, but the others user agents must also be considered. For conclusion, the mutation of traditional RFI scanner is clearly demonstrated, and I don't think that such ET rules are really effective, cause each "Crew" or "Team" is dedicating they attacks by customising the user agents (same as a graffiti tagger). Emerging Threats rules shouldn't not focus on user agents but more on attack vectors, cause user agents are to volatile. Regards. -- MattJonkman - 14 Jul 2010
Topic revision: r3 - 2010-08-20 - MattJonkman
Main Web
Create New Topic
Index
Search
Changes
Preferences- User Reference
- ATasteOfTWiki
- TextFormattingRules
- Signature Reference
- WebRss Feed
- EmergingFAQ
 |
|
Copyright © Emerging Threats