-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathcustom-http-bad-useragent.yaml
More file actions
41 lines (41 loc) · 1.65 KB
/
Copy pathcustom-http-bad-useragent.yaml
File metadata and controls
41 lines (41 loc) · 1.65 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
type: leaky
name: <GITHUB-USER>/http-bad-useragent
description: "Detect known scanner/tool User-Agents (zgrab, masscan, nuclei, nikto, sqlmap, dirbuster, gobuster, etc.)"
filter: >
evt.Meta.service == 'http' &&
(
evt.Meta.http_user_agent contains 'zgrab' ||
evt.Meta.http_user_agent contains 'masscan' ||
evt.Meta.http_user_agent contains 'nuclei' ||
evt.Meta.http_user_agent contains 'nikto' ||
evt.Meta.http_user_agent contains 'sqlmap' ||
evt.Meta.http_user_agent contains 'dirbuster' ||
evt.Meta.http_user_agent contains 'gobuster' ||
evt.Meta.http_user_agent contains 'wfuzz' ||
evt.Meta.http_user_agent contains 'ffuf' ||
evt.Meta.http_user_agent contains 'feroxbuster' ||
evt.Meta.http_user_agent contains 'dirb' ||
evt.Meta.http_user_agent contains 'nmap' ||
evt.Meta.http_user_agent contains 'libwww-perl' ||
evt.Meta.http_user_agent contains 'Python-urllib' ||
evt.Meta.http_user_agent contains 'Go-http-client/1.1' ||
evt.Meta.http_user_agent contains 'WPScan' ||
evt.Meta.http_user_agent contains 'Acunetix' ||
evt.Meta.http_user_agent contains 'Nessus' ||
evt.Meta.http_user_agent contains 'OpenVAS' ||
evt.Meta.http_user_agent contains 'w3af' ||
evt.Meta.http_user_agent contains 'Havij' ||
evt.Meta.http_user_agent contains 'ZAP/'
)
groupby: evt.Meta.source_ip
leakspeed: "30s"
capacity: 2
blackhole: 5m
labels:
service: http
type: scan
remediation: true
confidence: 3
spoofable: 0
behavior: "http:scan"
label: "Known scanner User-Agent"