snort规矩之常见web缝隙扫描器
之前工作中建立开源IDS,架构是suricata+barnyard2+snort规矩。跟搭档测验写了一些常见web缝隙扫描器的规矩,共享出来。许多都是依据UA来辨认的,因而比较简单,或许也会有误报。
#Web app scan tools rules
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Sqlmap found"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| sqlmap"; classtype:web-application-attack; sid:90000001; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPWebInspect found"; content:"X-Scan-Memo"; classtype:web-application-attack; sid:90000003; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPWebInspect found"; content:"CustomCookie"; classtype:web-application-attack; sid:90000004; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPWebInspect found"; content:"X-WIPP"; classtype:web-application-attack; sid:90000005; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Netsparker found"; content:"netsparker"; classtype:web-application-attack; sid:90000006; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Appscan found"; content:"Appscan"; classtype:web-application-attack; sid:90000007; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Bugscan found"; content:"XSS@HERE"; classtype:web-application-attack; sid:90000008; rev:11;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Nmap found"; content:"nmap"; classtype:web-application-attack; sid:90000009; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Awvscan found"; flow:to_server; content:"acunetix"; classtype:web-application-attack; sid:90000010; rev:11;)
#Web vul rules
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; content:"%20and%201=1"; classtype:web-application-attack; sid:80000001; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found "; content:"%20and%201=2"; classtype:web-application-attack; sid:80000002; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; content:"union/**/"; classtype:web-application-attack; sid:80000003; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; content:"union select"; classtype:web-application-attack; sid:80000004; rev:11;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Xss found"; flow:to_server,established; pcre:"/((%3C)|)/iU"; classtype:Web-application-attack; sid:80000005; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Xss found"; flow:to_server,established; uricontent:"; classtype:web-application-attack; sid:80000006; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Directory found"; content:"..boot.ini"; classtype:web-application-attack; sid:80000009; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Directory found"; content:"../../etc/passwd"; classtype:web-application-attack; sid:80000010; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Webshell found"; content:"eval($_POST["; classtype:web-application-attack; sid:80000011; rev:11;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; content:"echo system"; classtype:web-application-attack; sid:80000012; rev:11;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; content:"exec("; classtype:web-application-attack; sid:80000013; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CRLF found"; flow:to_server,established; pcre:"/(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|odragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/iU"; classtype:web-application-attack; sid:80000069; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CRLF found"; flow:to_server,established; pcre:"/%00|%0b|%0d|%c0%ae|%0a/iU"; classtype:web-application-attack; sid:80000070; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Bak File found"; flow:to_server,established; pcre:"/.(bak|inc|old|mdb|sql|backup|java|class)/isU"; classtype:web-application-attack; sid:80000071; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Webshell found"; flow:to_server,established; pcre:"/((.*)/(attachments|js|upimg|images|css|uploadfiles|html|uploads|templets|static|template|data|inc|forumdata|upload|includes|cache|avatar)/(w+).(php|jsp))/iUs"; classtype:web-application-attack; sid:80000072; rev:11;)
[1] [2] [3] 黑客接单网
相关文章
免费黑客接单_大学生找黑客改分
char modifiable; /* The modifiable flag. */能够将 Windows PowerShell 指令的输入和输出捕获到根据文本的脚本中。 3月在这一年中,咱们发现S...
林正隆,找黑客帮我到qq,找黑客查看老公的微信聊天记录
想要编写Burp的插件,有必要运用BurpSuite所供给的API接口,不然你是无法编程的,不管你运用的何种言语,Java and python。 20...
黑客密码破解业务接单_去哪里找黑客合作
在介绍SharedArrayBuffers之前,我需求解说一下并行运转代码和JavaScript。 有向文件中增加如下内容: 电话号码是从哪里来的黑客密码破解业务接单,去哪里找黑客合作 · 运用多项高...
黑客在哪里可以接单,到哪里找黑客,找黑客攻略
Burp Suite 是用于进犯web 应用程序的集成渠道。 它包含了许多东西,并为这些东西规划了许多接口,以促进加速进犯应用程序的进程。 一切的东西都同享一个能处理并显现HTTP 音讯,持久性,认证...
黑客在线接单电话_苹果ld
postMessage会把你放入的任何目标序列化,然后发送到另一个web worker,反序列化并放入内存中,这是一个适当缓慢的进程。 黑客接单渠道这个含糊测验方针现已至少发现了一个security...
运用WinDbg调试Windows内核(二)
上篇文章介绍了windbg调试内核的根本环境设置以及一些根底调试技巧,这篇文章介绍一些windbg的高档调试技巧。 0×01运用断点盯梢数据 断点一般用在暂停某个咱们感兴趣的履行代码,例如当某个函数被...
Copyright Your WebSite.Some Rights Reserved.
免责声明:本站所发布的任何网站,全部来源于互联网,版权争议与本站无关。仅供技术交流,如有侵权或不合适,请联系本人进行删除。不允许做任何非法用途!