snort规矩之常见web缝隙扫描器
之前工作中建立开源IDS,架构是suricata+barnyard2+snort规矩。跟搭档测验写了一些常见web缝隙扫描器的规矩,共享出来。许多都是依据UA来辨认的,因而比较简单,或许也会有误报。
#Web app scan tools rules
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Sqlmap found"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| sqlmap"; classtype:web-application-attack; sid:90000001; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPWebInspect found"; content:"X-Scan-Memo"; classtype:web-application-attack; sid:90000003; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPWebInspect found"; content:"CustomCookie"; classtype:web-application-attack; sid:90000004; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPWebInspect found"; content:"X-WIPP"; classtype:web-application-attack; sid:90000005; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Netsparker found"; content:"netsparker"; classtype:web-application-attack; sid:90000006; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Appscan found"; content:"Appscan"; classtype:web-application-attack; sid:90000007; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Bugscan found"; content:"XSS@HERE"; classtype:web-application-attack; sid:90000008; rev:11;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Nmap found"; content:"nmap"; classtype:web-application-attack; sid:90000009; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Awvscan found"; flow:to_server; content:"acunetix"; classtype:web-application-attack; sid:90000010; rev:11;)
#Web vul rules
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; content:"%20and%201=1"; classtype:web-application-attack; sid:80000001; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found "; content:"%20and%201=2"; classtype:web-application-attack; sid:80000002; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; content:"union/**/"; classtype:web-application-attack; sid:80000003; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; content:"union select"; classtype:web-application-attack; sid:80000004; rev:11;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Xss found"; flow:to_server,established; pcre:"/((%3C)|)/iU"; classtype:Web-application-attack; sid:80000005; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Xss found"; flow:to_server,established; uricontent:"; classtype:web-application-attack; sid:80000006; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Directory found"; content:"..boot.ini"; classtype:web-application-attack; sid:80000009; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Directory found"; content:"../../etc/passwd"; classtype:web-application-attack; sid:80000010; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Webshell found"; content:"eval($_POST["; classtype:web-application-attack; sid:80000011; rev:11;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; content:"echo system"; classtype:web-application-attack; sid:80000012; rev:11;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; content:"exec("; classtype:web-application-attack; sid:80000013; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CRLF found"; flow:to_server,established; pcre:"/(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|odragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/iU"; classtype:web-application-attack; sid:80000069; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CRLF found"; flow:to_server,established; pcre:"/%00|%0b|%0d|%c0%ae|%0a/iU"; classtype:web-application-attack; sid:80000070; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Bak File found"; flow:to_server,established; pcre:"/.(bak|inc|old|mdb|sql|backup|java|class)/isU"; classtype:web-application-attack; sid:80000071; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Webshell found"; flow:to_server,established; pcre:"/((.*)/(attachments|js|upimg|images|css|uploadfiles|html|uploads|templets|static|template|data|inc|forumdata|upload|includes|cache|avatar)/(w+).(php|jsp))/iUs"; classtype:web-application-attack; sid:80000072; rev:11;)
[1] [2] [3] 黑客接单网
相关文章
我是怎么经过指令履行到终究获取内网Root权限的
你的子域名叫什么? 这一切都是从信息侦查开端的查找子域,解析为IP然后检查端口。不过这一次,我发现了一个较为古怪的主机名,并有一个应用程序正运行在64351端口上。这并不是咱们平常常见的web端口,需...
密码破译_找黑客盗qq一般多少钱-网上被骗找黑客有用吗
–script-args=<n1=v1,[n2=v2,...]>: 为脚本供给参数1)彻底封闭 Chrome 浏览器 printk(" Hello world!n");密码破译,找黑客盗q...
怎么找接单黑客_順風黑客那里找
无AFLSmart 在 AFL 的基础上,参照了 Peach 的 File Cracker 组件,将文件按 chunk 区分,笼统为一个可以用 xml 文件描述的树形的结构,如下图为一个 wav 格局...
望采纳,黑客找网络游戏漏洞,找黑客改黑彩数据库
依据这几天的经历,一个站点可能有几个不同的上传点,我再找找看,说不定有能打破的。 Signed Applet Attack运用java自签名的程序进行垂钓进犯; ASP代码使用表单(form)完...
id苹果,网上找黑客改成绩,花钱找黑客找回微信账号
《CLR via C#》Intruder(侵略)——一个定制的高度可装备的东西,对web运用程序进行主动化进犯, 3)whoamiroot@Kali:~#nmap -sV -T4 -O -F --v...
我也是在网络赌博输了几万,报警会对我有什么影响吗
成功利用此漏洞的攻击者可以在目标系统上执行任意代码。 然后攻击者可以安装程序; 查看,更改或删除数据; 或创建具有完全用户权限的新帐户。 安装配置Exchange Server,参考· https:/...
Copyright Your WebSite.Some Rights Reserved.
免责声明:本站所发布的任何网站,全部来源于互联网,版权争议与本站无关。仅供技术交流,如有侵权或不合适,请联系本人进行删除。不允许做任何非法用途!