snort规矩之常见web缝隙扫描器
之前工作中建立开源IDS,架构是suricata+barnyard2+snort规矩。跟搭档测验写了一些常见web缝隙扫描器的规矩,共享出来。许多都是依据UA来辨认的,因而比较简单,或许也会有误报。
#Web app scan tools rules
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Sqlmap found"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| sqlmap"; classtype:web-application-attack; sid:90000001; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPWebInspect found"; content:"X-Scan-Memo"; classtype:web-application-attack; sid:90000003; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPWebInspect found"; content:"CustomCookie"; classtype:web-application-attack; sid:90000004; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPWebInspect found"; content:"X-WIPP"; classtype:web-application-attack; sid:90000005; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Netsparker found"; content:"netsparker"; classtype:web-application-attack; sid:90000006; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Appscan found"; content:"Appscan"; classtype:web-application-attack; sid:90000007; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Bugscan found"; content:"XSS@HERE"; classtype:web-application-attack; sid:90000008; rev:11;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Nmap found"; content:"nmap"; classtype:web-application-attack; sid:90000009; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Awvscan found"; flow:to_server; content:"acunetix"; classtype:web-application-attack; sid:90000010; rev:11;)
#Web vul rules
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; content:"%20and%201=1"; classtype:web-application-attack; sid:80000001; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found "; content:"%20and%201=2"; classtype:web-application-attack; sid:80000002; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; content:"union/**/"; classtype:web-application-attack; sid:80000003; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; content:"union select"; classtype:web-application-attack; sid:80000004; rev:11;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Xss found"; flow:to_server,established; pcre:"/((%3C)|)/iU"; classtype:Web-application-attack; sid:80000005; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Xss found"; flow:to_server,established; uricontent:"; classtype:web-application-attack; sid:80000006; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Directory found"; content:"..boot.ini"; classtype:web-application-attack; sid:80000009; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Directory found"; content:"../../etc/passwd"; classtype:web-application-attack; sid:80000010; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Webshell found"; content:"eval($_POST["; classtype:web-application-attack; sid:80000011; rev:11;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; content:"echo system"; classtype:web-application-attack; sid:80000012; rev:11;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; content:"exec("; classtype:web-application-attack; sid:80000013; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CRLF found"; flow:to_server,established; pcre:"/(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|odragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/iU"; classtype:web-application-attack; sid:80000069; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CRLF found"; flow:to_server,established; pcre:"/%00|%0b|%0d|%c0%ae|%0a/iU"; classtype:web-application-attack; sid:80000070; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Bak File found"; flow:to_server,established; pcre:"/.(bak|inc|old|mdb|sql|backup|java|class)/isU"; classtype:web-application-attack; sid:80000071; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Webshell found"; flow:to_server,established; pcre:"/((.*)/(attachments|js|upimg|images|css|uploadfiles|html|uploads|templets|static|template|data|inc|forumdata|upload|includes|cache|avatar)/(w+).(php|jsp))/iUs"; classtype:web-application-attack; sid:80000072; rev:11;)
[1] [2] [3] 黑客接单网
相关文章
自己通过关系找到了微信上组织赌博的庄家,现在用
.text:0000000000466B15 imul esi, Spring Cloud Config 2.0.0 to 2.0.3修复办法.text:0000000000466AF9 add rd...
饭客-中国黑客
摘要:2018年共有430余万台计算机遭受勒索病毒进犯,12月进犯最盛。 支撑第一章,勒索病毒全体进犯态势 sudo apt install g++-4.4饭客,中国黑客 演示视频(YouTube):...
一款奇葩的PHP Webshell后门剖析
近来,360网站卫兵安全团队近期捕获一个依据PHP完成的webshell样本,其奇妙的代码动态生成方法,鄙陋的本身页面假装方法,让咱们在剖析这个样本的过程中感受到相当多的趣味。接下来就让咱们一起共...
黑客一般都在那里接单_怎么开宾馆
智能机器人是怎样打电话的或许你能够有一个无符号的Int16数组,它能够将其分化成16位,处理它就好像是处理一个无符号的整数。 以下是咱们的fuzzer protobuf标准的片段:2018年,勒索病毒...
温故知新:寻觅新缝隙,绕过JS沙箱的约束
在参加缝隙赏金方案的过程中,我发现了一个网站,其间包括十分风趣的功用——该网站答应我根据用户操控的表达式过滤掉一些数据。例如,我能够写出相似于book.price > 100这样的条件,并让该网...
黑客的联系方法qq号可以接单,黑龙江黑客联系方式,找国外黑客
可是,抛开进犯者不谈,在日常的代码研讨剖析中,对二进制文件的剖析运用是必不可少的,那么研讨者对二进制文件是不是没有办法呢? var data = datad.data;...
Copyright Your WebSite.Some Rights Reserved.
免责声明:本站所发布的任何网站,全部来源于互联网,版权争议与本站无关。仅供技术交流,如有侵权或不合适,请联系本人进行删除。不允许做任何非法用途!