#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED MaMa CaSpEr RFI Scan"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| MaMa CaSpEr|0D 0A|"; nocase; reference:url,doc.emergingthreats.net/2011176; classtype:web-application-attack; sid:2011176; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Added 2018-09-13 19:41:52 UTC
Added 2018-09-13 17:54:53 UTC
#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED MaMa CaSpEr RFI Scan"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| MaMa CaSpEr|0D 0A|"; nocase; reference:url,doc.emergingthreats.net/2011176; classtype:web-application-attack; sid:2011176; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Added 2017-08-07 21:04:20 UTC
##alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED MaMa CaSpEr RFI Scan"; flow:established,to_server; content:"User-Agent|3a| MaMa CaSpEr|0D 0A|"; nocase; http_header; reference:url,doc.emergingthreats.net/2011176; classtype:web-application-attack; sid:2011176; rev:4;)
Added 2011-10-12 19:31:29 UTC
##alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED MaMa CaSpEr RFI Scan"; flow:established,to_server; content:"User-Agent|3a| MaMa CaSpEr|0D 0A|"; nocase; http_header; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2011176; sid:2011176; rev:4;)
Added 2011-09-14 22:44:54 UTC
##alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED MaMa CaSpEr RFI Scan"; flow:established,to_server; content:"User-Agent|3a| MaMa CaSpEr|0D 0A|"; nocase; http_header; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2011176; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SERVER_Casper; sid:2011176; rev:4;)
Added 2011-02-04 17:30:57 UTC
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN MaMa CaSpEr RFI Scan"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| MaMa CaSpEr|0D 0A|"; nocase; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2011176; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Casper; sid:2011176; rev:4;)
Added 2010-07-29 19:30:58 UTC
All casper sigs at:
http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Casper
--
MattJonkman - 20 Aug 2010
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER MaMa CaSpEr RFI Scan"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| MaMa CaSpEr|0D 0A|"; nocase; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2011176; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SERVER_Casper; sid:2011176; rev:3;)
Added 2010-07-29 14:16:22 UTC
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS MaMa CaSpEr RFI Scan"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| MaMa CaSpEr|0D 0A|"; nocase; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2011176; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Casper; sid:2011176; rev:2;)
Added 2010-07-26 11:52:24 UTC
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS MaMa CaSpEr RFI Scan"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| MaMa CaSpEr|0D 0A|"; nocase; reference:url,doc.emergingthreats.net/2011176; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENT_Casper_RFI_Bot; classtype:web-application-attack; sid:2011176; rev:1;)
Added 2010-07-08 19:31:10 UTC
Just to provide you with more information about these Casper user agents.
These user agents are hard-coded into the "ByroeNet" scanner dated 17/06/2010.
Source code of the scanner:
http://pastebin.com/zBUHC3d9
The scanner is an evolution of the BaMbY scanner dated 28/05/2010:
http://novie.fileave.com/rfi.txt
This new scanner was first seen on the Internet on 17 Jun 2010 at t7.fileave.com/e107.txt, and was put to use directly after its creation.
http://www.google.com/search?q=%22%24powered%3D%22ByroeNet%22%3B%22&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:fr:official&client=firefox-a
More precisely, this scanner integrates a new functionality alongside its "normal functionalities": an e107 scanner.
The e107 scanner (cmde107 / e107scan), with support for dorks, tries to exploit the RCE vulnerability discovered on 24 May 2010:
http://www.exploit-db.com/exploits/12715/
But besides its traditional RFI scanner and dorks, the scanner can also exploit the LFI vulnerability discovered on 31 May 2010:
http://www.exploit-db.com/exploits/12818/
The ByroeNet scanner defines different default user agents, which are customisable:
For sub cmdxml :
my $userAgent = LWP::UserAgent->new(agent => 'perl post');
For sub cmde107 :
$access->agent("Mozilla/5.0");
For sub e107scan :
$ua->agent('Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)');
For sub xmlcek :
my $userAgent = LWP::UserAgent->new(agent => 'perl post');
For sub xmlxspread :
my $userAgent = LWP::UserAgent->new(agent => 'perl post');
For sub lfiexploit (normal for /proc/self/environ exploitation):
my $agent = "";
For sub cmdlfi (normal for /proc/self/environ exploitation):
my $hie = "j13mbut /dev/stdout"); ?>j13mbut";
$browser->agent("$hie");
After investigating my honeynet web logs for a period of one month, I collected these different user agents targeting e107 exploits:
http://eromang.zataz.com/uploads/e107_user_agents.txt
You can find the default configured user agents:
Mozilla/5.0
Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)
perl post
But also Casper user agents:
Casper Bot Search
MaMa CaSpEr
And some new user agents:
b3b4s Bot Search
dex Bot Search
Dex Bot Search
kmccrew Bot Search
plaNETWORK Bot Search
rk q kangen
sasqia Bot Search
sledink Bot Search
As you can see, the user agents only reflect the "Crew" or "Team" that is using the "ByroeNet" scanner.
Here are some stats for the user agents:
http://eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/
Casper Bot Search is really the most prolific user agent, but the other user agents must also be considered.
In conclusion, the mutation of the traditional RFI scanner is clearly demonstrated, and I don't think that such ET rules are really effective, because each "Crew" or "Team" personalises its attacks by customising the user agents (like a graffiti tagger).
Emerging Threats rules should not focus on user agents but more on attack vectors, because user agents are too volatile.
Regards.
--
MattJonkman - 14 Jul 2010
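To make the coverage argument in the comment above concrete, here is an added example (not part of this page, and not Emerging Threats or Suricata code) that emulates the rev:4 rule's raw content match: it converts the `|hex|`-escaped content string to bytes, applies the `nocase` modifier, and runs the match over constructed HTTP requests carrying each user agent the comment lists. The request layout, the host name and the list of user agents are constructed test input, not captured traffic.

```python
import re

# Content match exactly as written in the rev:4 "ET SCAN MaMa CaSpEr RFI Scan"
# rule on this page: raw-buffer form with |hex| escapes and the nocase modifier.
RULE_CONTENT = "|0D 0A|User-Agent|3a| MaMa CaSpEr|0D 0A|"

# User agents listed in the comment above (constructed input, not captured
# traffic): the scanner's defaults, the Casper ones and the per-crew tags.
BYROENET_USER_AGENTS = [
    "Mozilla/5.0",
    "Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)",
    "perl post",
    "Casper Bot Search",
    "MaMa CaSpEr",
    "b3b4s Bot Search",
    "dex Bot Search",
    "Dex Bot Search",
    "kmccrew Bot Search",
    "plaNETWORK Bot Search",
    "rk q kangen",
    "sasqia Bot Search",
    "sledink Bot Search",
]


def snort_content_to_bytes(pattern: str) -> bytes:
    """Turn a Snort/Suricata content string into the raw bytes it matches.

    Text between pipe characters is hex (spaces ignored); everything
    outside the pipes is a literal ASCII string.
    """
    out = bytearray()
    # re.split with one capture group alternates literal, hex, literal, hex, ...
    for i, part in enumerate(re.split(r"\|([0-9A-Fa-f ]*)\|", pattern)):
        if i % 2 == 0:
            out += part.encode("ascii")
        else:
            out += bytes.fromhex(part.replace(" ", ""))
    return bytes(out)


def rule_matches(request: bytes, content: str = RULE_CONTENT, nocase: bool = True) -> bool:
    """Emulate the content match (with or without nocase) on a raw request."""
    needle = snort_content_to_bytes(content)
    if nocase:
        return needle.lower() in request.lower()
    return needle in request


def build_request(user_agent: str) -> bytes:
    """Constructed minimal HTTP/1.1 request carrying the given User-Agent."""
    return (
        b"GET /index.php HTTP/1.1\r\n"
        b"Host: honeypot.example\r\n"
        b"User-Agent: " + user_agent.encode("latin-1") + b"\r\n"
        b"Connection: close\r\n"
        b"\r\n"
    )


def coverage(user_agents: list, content: str = RULE_CONTENT) -> dict:
    """Map each observed user agent to whether the rule would alert on it."""
    return {ua: rule_matches(build_request(ua), content) for ua in user_agents}


if __name__ == "__main__":
    print("pattern bytes:", snort_content_to_bytes(RULE_CONTENT))
    for ua, hit in coverage(BYROENET_USER_AGENTS).items():
        print(f"{'ALERT' if hit else 'miss '} {ua}")
    # Same tool with the tag in a different case: still caught thanks to nocase.
    print("nocase variant:", rule_matches(build_request("mama casper")))
```

Running it shows exactly one of the thirteen observed user agents alerting, which is the point the comment makes: the rule keys on a crew tag rather than on the e107 RCE/LFI request itself. The later `http_header` revisions on this page drop the leading `|0D 0A|` because the normalised header buffer supplies that boundary; the same byte conversion applies to them, only the anchor changes.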