snort规矩之常见web缝隙扫描器
之前工作中建立开源IDS,架构是suricata+barnyard2+snort规矩。跟搭档测验写了一些常见web缝隙扫描器的规矩,共享出来。许多都是依据UA来辨认的,因而比较简单,或许也会有误报。
#Web app scan tools rules
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Sqlmap found"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| sqlmap"; classtype:web-application-attack; sid:90000001; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPWebInspect found"; content:"X-Scan-Memo"; classtype:web-application-attack; sid:90000003; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPWebInspect found"; content:"CustomCookie"; classtype:web-application-attack; sid:90000004; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPWebInspect found"; content:"X-WIPP"; classtype:web-application-attack; sid:90000005; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Netsparker found"; content:"netsparker"; classtype:web-application-attack; sid:90000006; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Appscan found"; content:"Appscan"; classtype:web-application-attack; sid:90000007; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Bugscan found"; content:"XSS@HERE"; classtype:web-application-attack; sid:90000008; rev:11;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Nmap found"; content:"nmap"; classtype:web-application-attack; sid:90000009; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Awvscan found"; flow:to_server; content:"acunetix"; classtype:web-application-attack; sid:90000010; rev:11;)
#Web vul rules
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; content:"%20and%201=1"; classtype:web-application-attack; sid:80000001; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found "; content:"%20and%201=2"; classtype:web-application-attack; sid:80000002; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; content:"union/**/"; classtype:web-application-attack; sid:80000003; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection found"; content:"union select"; classtype:web-application-attack; sid:80000004; rev:11;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Xss found"; flow:to_server,established; pcre:"/((%3C)|)/iU"; classtype:Web-application-attack; sid:80000005; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Xss found"; flow:to_server,established; uricontent:"; classtype:web-application-attack; sid:80000006; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Directory found"; content:"..boot.ini"; classtype:web-application-attack; sid:80000009; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Directory found"; content:"../../etc/passwd"; classtype:web-application-attack; sid:80000010; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Webshell found"; content:"eval($_POST["; classtype:web-application-attack; sid:80000011; rev:11;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; content:"echo system"; classtype:web-application-attack; sid:80000012; rev:11;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Command Execution found"; content:"exec("; classtype:web-application-attack; sid:80000013; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CRLF found"; flow:to_server,established; pcre:"/(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|odragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/iU"; classtype:web-application-attack; sid:80000069; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CRLF found"; flow:to_server,established; pcre:"/%00|%0b|%0d|%c0%ae|%0a/iU"; classtype:web-application-attack; sid:80000070; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Bak File found"; flow:to_server,established; pcre:"/.(bak|inc|old|mdb|sql|backup|java|class)/isU"; classtype:web-application-attack; sid:80000071; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Webshell found"; flow:to_server,established; pcre:"/((.*)/(attachments|js|upimg|images|css|uploadfiles|html|uploads|templets|static|template|data|inc|forumdata|upload|includes|cache|avatar)/(w+).(php|jsp))/iUs"; classtype:web-application-attack; sid:80000072; rev:11;)
[1] [2] [3] 黑客接单网
相关文章
怎样通过电话号码找人,网上找黑客改绩点被骗,找电脑黑客高手
private void ShowPort(HttpContext context) { context.Response.Write(Microsoft.Wi...
DEDE一些必要的修正,以进步安全性
榜首、装置的时分数据库的表前缀,最好改一下,不必dedecms默许的前缀dede_。 第二、后台登录敞开验证码功用,将默许管理员admin删去,改成一个自己专用的,复杂点的账号。 第三、装好程序后必...
手机怎么找人,在哪找黑客比较靠谱,逆向木马找黑客
http://wenzhou.acfun.tvLevel GoalPOST / HTTP/1.1a 装备文件XML隐写— —-抓包东西用fiddler为例。...
出名的黑客接单吗,网上找黑客被要求付定金,黑客找qq的视频下载
print 'response code: ' + str(r.status_code)尽管这个问题在06年就提出来了。 在11年的时分有了好几个优异的paper来研讨这个问题。 可是这个缝隙从来没有...
破解相册-中国安全网
运用下面指令能够获取或有可用的模块称号: url.mojom.Url opt_manifest_url);· 深圳普银区块链集团的根据茶的区块链项目以虚拟钱银“普银币”(普洱币,后改名为普银币)为幌子...
专业黑客接单一般多少钱_哪里能找黑客帮忙
有9月勒索病毒选用的传达手法和其他病毒相似,不过2018年度最为常用的进犯手法却是远程桌面弱口令暴力破解进犯,很多政企、个人用户反应的勒索病毒都是依据此进犯方法。 专业黑客接单一般多少钱,哪里能找黑客...
Copyright Your WebSite.Some Rights Reserved.
免责声明:本站所发布的任何网站,全部来源于互联网,版权争议与本站无关。仅供技术交流,如有侵权或不合适,请联系本人进行删除。不允许做任何非法用途!