Previously I wrote a blog post about the ByroeNet/Casper-Like bot scanners and adapted some ET rules in order to detect these bots' activities.

The 1010041 rule focuses on all “MaMa” scanners (MaMa CaSpEr, MaMa CyBer, MaMa ebes, etc.), the 1010040 rule focuses on all “Bot Search” scanners (b3b4s, Casper, dex, Jcomers, kmccrew, plaNETWORK, sasqia, sledink, etc.), and the ET 2011244 rule focuses on all “sun4u” scanners (Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u), etc.).
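The same three User-Agent families can be tallied offline from a web server access log, per rule ID, by month and by source IP. This is an added example, not the rules themselves and not code from the original post; the substring markers, the function names and the sample log lines are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Rule ID -> User-Agent marker. The markers come from the scanner names listed
# above; plain substring matching is this example's assumption, not the
# actual content of the IDS rules.
MARKERS = {"1010040": "Bot Search", "1010041": "MaMa ", "2011244": "sun4u"}

# Apache/nginx "combined" log format; quoted fields may hold escaped quotes.
Q = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[\d{2}/(?P<mon>[A-Za-z]{3})/(?P<year>\d{4}):[^\]]*\] '
    rf'"{Q}" \d{{3}} \S+ "{Q}" "(?P<ua>{Q})"$'
)

def classify(user_agent):
    """Return the rule ID whose marker appears in the User-Agent, else None."""
    for sid, marker in MARKERS.items():
        if marker in user_agent:
            return sid
    return None

def summarize(lines, top_n=10):
    """Count matching requests per rule: hits per month and top source IPs."""
    monthly, sources = defaultdict(Counter), defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line.strip())
        sid = classify(m["ua"]) if m else None
        if sid is None:
            continue  # unparseable line or unrelated User-Agent
        monthly[sid][f'{m["year"]}-{m["mon"]}'] += 1
        sources[sid][m["ip"]] += 1
    return {sid: {"monthly": dict(monthly[sid]),
                  "top_sources": sources[sid].most_common(top_n)}
            for sid in monthly}

# Constructed sample lines (documentation IP ranges, made-up dates and paths).
SAMPLE_LOG = """\
192.0.2.10 - - [02/Aug/2010:10:01:00 +0200] "GET /index.php HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MaMa CaSpEr)"
192.0.2.10 - - [02/Aug/2010:10:01:02 +0200] "GET /a.php HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MaMa CyBer)"
198.51.100.7 - - [03/Aug/2010:11:00:00 +0200] "GET / HTTP/1.1" 200 512 "-" "plaNETWORK Bot Search"
203.0.113.5 - - [04/Sep/2010:12:00:00 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)"
203.0.113.9 - - [04/Sep/2010:12:05:00 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

if __name__ == "__main__":
    for sid, report in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(sid, report)
```

Comparing these counts with the IDS event counts for the same period is a quick way to spot requests the sensor did not see or alert on.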

Until the first of August the rules were under testing, so the previous values are incorrect.

Below you can find real-time graphs for the 3 different rules.

Monthly event activity for rule 1010040


Monthly event activity for rule 1010041


Monthly event activity for rule 2011244


Monthly TOP 10 Source IPs for rule 1010040


Monthly TOP 10 Source IPs for rule 1010041


Monthly TOP 10 Source IPs for rule 2011244
