Category Archives: Use Cases

System Use Cases that help you detect attacks against your infrastructure. These System Use Cases are classified by Attacker Class (Opportunists, Targeting Opportunists, Professional or State Funded). This classification is inspired by Thierry Zoller's work “Attacker Classes and Pyramid (Version 2)”.

SUC021 : Havij SQL Injection Tool User-Agent Inbound

  • Use Case Reference : SUC021
  • Use Case Title : Havij SQL Injection Tool User-Agent Inbound
  • Use Case Detection : IDS / HTTP / SQL logs
  • Attacker Class : Opportunists / Targeting Opportunists / Professional
  • Attack Sophistication : Unsophisticated / Low / Mid-High
  • Identified tool(s) : Havij Advanced SQL Injection
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible correlation(s) :

  • Havij Advanced SQL Injection free version
  • Havij Advanced SQL Injection commercial version

Source(s) :

Snort rule :
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ZATAZ SCAN Havij SQL Injection Tool User-Agent Inbound"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| Havij"; nocase; http_header; reference:url,itsecteam.com/en/projects/project1.htm; threshold:type limit, count 1, seconds 30, track by_src; classtype:web-application-attack; priority:2; sid:1010051; rev:1;)
Figure: SIG 1010051 1 week events activity
Figure: SIG 1010051 1 month events activity

SUC020 : Potential FTP non anonymous Login and/or Brute-Force attempt

  • Use Case Reference : SUC020
  • Use Case Title : Potential FTP non anonymous Login and/or Brute-Force attempt
  • Use Case Detection : Firewall / IDS / FTP logs
  • Attacker Class : Opportunists / Targeting Opportunists
  • Attack Sophistication : Unsophisticated / Low
  • Identified tool(s) : Random
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 21/TCP

Possible correlation(s) :

  • FTP brute force bot.

Source(s) :

Emerging Threats SIG 2002383 triggers are :

  • The FTP server returns the error code “530” together with the string “Login”, “User”, “Failed” or “Not”.
  • The source port is port 21 of the HOME_NET FTP server and the destination is an EXTERNAL_NET IP (i.e. the server's reply to the client).
  • Alerts every 5 occurrences of the event targeting the same EXTERNAL_NET IP during 300 seconds.

Emerging Threats SIG 2003303 triggers are :

  • The string “USER” is present.
  • The strings “PASS”, “anonymous” and “ftp” are not present.
  • The source IP is part of EXTERNAL_NET and the destination is the HOME_NET FTP server on port 21.
  • Alert on every occurrence.

Emerging Threats SIG 2010643 triggers are :

  • The string “USER” is present.
  • The string “administrator” is present.
  • The source IP is part of EXTERNAL_NET and the destination is the HOME_NET FTP server on port 21.
  • Alerts every 5 occurrences of the event from the same EXTERNAL_NET IP during 60 seconds.
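Added example, not code from the original post: the three trigger sets above applied to a constructed FTP session, with a per-address sliding-window counter standing in for the signatures' thresholds. HOME_NET (192.0.2.0/24), the server and client addresses and the session lines are assumptions; the session is five “administrator” attempts, then an “anonymous” one, then a “backup” one.

```python
import ipaddress

HOME_NET = ipaddress.ip_network("192.0.2.0/24")   # assumption: the range holding our FTP server

def home(ip):
    return ipaddress.ip_address(ip) in HOME_NET
def direction(ev):   # which side of the conversation this packet belongs to
    if home(ev["src"]) and ev["sport"] == 21 and not home(ev["dst"]):
        return "to_client"                     # HOME_NET:21 -> EXTERNAL_NET
    if not home(ev["src"]) and home(ev["dst"]) and ev["dport"] == 21:
        return "to_server"                     # EXTERNAL_NET -> HOME_NET:21
    return None
def failed_login(p):    # 2002383 content: 530 plus Login / User / Failed / Not
    return p.startswith("530") and any(w in p for w in ("Login", "User", "Failed", "Not"))
def non_anon_user(p):   # 2003303 content: USER, but none of PASS / anonymous / ftp (nocase)
    p = p.lower()
    return "user" in p and not any(w in p for w in ("pass", "anonymous", "ftp"))
def admin_user(p):      # 2010643 content: USER and administrator (nocase)
    return "user" in p.lower() and "administrator" in p.lower()

class EveryN:
    """Alert on every Nth match per key inside a sliding window of `seconds`."""
    def __init__(self, n, seconds):
        self.n, self.seconds, self.seen = n, seconds, {}
    def fire(self, key, ts):
        hits = [t for t in self.seen.get(key, []) if ts - t < self.seconds] + [ts]
        self.seen[key] = hits
        return len(hits) % self.n == 0

def run(events):
    """events: dicts with ts/src/sport/dst/dport/payload -> list of (ts, external_ip, sid)."""
    rules = [(2002383, "to_client", failed_login, EveryN(5, 300), "dst"),   # track the external IP
             (2003303, "to_server", non_anon_user, EveryN(1, 1), "src"),    # every occurrence
             (2010643, "to_server", admin_user, EveryN(5, 60), "src")]
    alerts = []
    for ev in events:
        for sid, side, content, thr, key in rules:
            if direction(ev) == side and content(ev["payload"]) and thr.fire(ev[key], ev["ts"]):
                alerts.append((ev["ts"], ev[key], sid))
    return alerts
def event(ts, src, sport, dst, dport, payload):
    return dict(ts=ts, src=src, sport=sport, dst=dst, dport=dport, payload=payload)
def attempt(t, user):   # constructed: one failed login from 198.51.100.23 to our server 192.0.2.10
    return [event(t, "198.51.100.23", 51000, "192.0.2.10", 21, "USER " + user),
            event(t + 1, "198.51.100.23", 51000, "192.0.2.10", 21, "PASS hunter2"),
            event(t + 2, "192.0.2.10", 21, "198.51.100.23", 51000, "530 Login incorrect.")]
# constructed session: five "administrator" attempts, then "anonymous", then "backup"
SAMPLE = (sum((attempt(10 * i, "administrator") for i in range(5)), [])
          + attempt(50, "anonymous") + attempt(60, "backup"))
```

Note that “USER administrator” also satisfies SIG 2003303, so one login attempt can raise two different signatures; correlate on the external IP rather than counting alerts.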
Figure: SIG 2002383 1 week events activity
Figure: SIG 2003303 1 week events activity
Figure: SIG 2010643 1 week events activity
Figure: SIG 2002383 1 month events activity
Figure: SIG 2003303 1 month events activity
Figure: SIG 2010643 1 month events activity
Figure: 1 month TOP 10 source IPs for SIG 2002383
Figure: 1 month TOP 10 source IPs for SIG 2003303
Figure: 1 month TOP 10 source IPs for SIG 2010643
Figure: TOP 20 source countries for SIG 2002383
Figure: TOP 20 source countries for SIG 2003303
Figure: TOP 20 source countries for SIG 2010643

SUC019 : Suspicious Inbound AlphaServer UA

  • Use Case Reference : SUC019
  • Use Case Title : Suspicious Inbound AlphaServer UA
  • Use Case Detection : IDS / HTTP logs
  • Attacker Class : Opportunists / Targeting Opportunists
  • Attack Sophistication : Unsophisticated / Low
  • Identified tool(s) : Unknown
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible correlation(s) :

  • Web forum spam bot.

Source(s) :

Emerging Threats 2011517
Emerging Threats 2011518
Wikipedia Alphaserver
User-Agent Strings – MS IE – Full

Emerging Threats has released two new SIGs since 17 September 2010: 2011517 “ET USER_AGENTS Suspicious Inbound AlphaServer UA” and 2011518 “ET USER_AGENTS Suspicious Outbound AlphaServer UA”. These two SIGs focus on suspicious user agents that should no longer be sent by any valid browser today.

Emerging Threats SIG 2011517 creates an alert if a user agent containing the string “Mozilla/4.0 (compatible; MSIE 4.01; Digital AlphaServer 1000A 4/233; Windows NT; Powered By 64-Bit Alpha Processor)” is detected in inbound HTTP or HTTPS traffic. An alert is sent on each occurrence.

Emerging Threats SIG 2011518 creates an alert if a user agent containing the string “Mozilla/4.0 (compatible; MSIE 4.01; Digital AlphaServer 1000A 4/233; Windows NT; Powered By 64-Bit Alpha Processor)” is detected in outbound HTTP or HTTPS traffic. An alert is sent on each occurrence.

The sources focus on web forums, attempting registration and thread posting within a very short interval of time. This interval is not humanly possible; it is clearly a bot.

Example :

74.118.193.13 (United States) – 18 events in 20 seconds.

GET /forum/ HTTP/1.0
GET /forum/index.php HTTP/1.0
GET /forum/index.php?act=Reg&CODE=00&coppa_pass=1 HTTP/1.0
POST /forum/index.php?act=Reg&coppa_user=&termsread=1&coppa_pass=1 HTTP/1.0
POST /forum/index.php HTTP/1.0
UserName : Andreww3
Members Display Name : Andreww3
PassWord : AEpRfH9415
PassWord Check: AEpRfH9415
Email Address : [email protected]
Email Address two : [email protected]
GET /forum/index.php?act=Login&CODE=00 HTTP/1.0
POST /forum/index.php?act=Login&CODE=01 HTTP/1.0
UserName : Andreww3
PassWord : AEpRfH9415
GET /forum/index.php?showforum=34 HTTP/1.0
GET /forum/index.php?act=post&do=new_post&f=34 HTTP/1.0
GET /forum/index.php?showforum=7 HTTP/1.0
GET /forum/index.php?showforum=7 HTTP/1.0
POST /forum/index.php HTTP/1.0
UserName : Andreww3
PassWord : AEpRfH9415
GET /forum/index.php?act=post&do=new_post&f=34 HTTP/1.0
POST /forum/index.php HTTP/1.0
UserName : Andreww3
PassWord : AEpRfH9415
GET /forum/index.php?showforum=19 HTTP/1.0
GET /forum/index.php?act=post&do=new_post&f=19 HTTP/1.0
POST /forum/index.php HTTP/1.0
UserName : Andreww3
PassWord : AEpRfH9415
GET /forum/index.php?act=post&do=new_post&f=34 HTTP/1.0
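An added example (not part of the original post) that turns the observation above into a check over web server access logs: it flags the AlphaServer user agent matched by SIG 2011517 and, independently of the user agent, any IP that performs five or more registration, login or new-post requests within 20 seconds, which is the behaviour the log above shows. The combined log format, the addresses (203.0.113.5 for the bot, 198.51.100.4 for a human) and the timestamps are constructed; the paths are the ones quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime

ALPHA_UA = ("Mozilla/4.0 (compatible; MSIE 4.01; Digital AlphaServer 1000A 4/233; "
            "Windows NT; Powered By 64-Bit Alpha Processor)")     # content of SIG 2011517
LOG_RE = re.compile(r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) '
                    r'HTTP/[\d.]+" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"$')   # combined log format
ACTIONS = re.compile(r'[?&]act=(Reg|Login|post)\b')   # register, log in, start a thread

def parse(line):
    """Combined-format access log line -> (ip, epoch seconds, path, user agent) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m["ip"], ts, m["path"], m["ua"]

def classify(lines, window=20, burst=5):
    """Returns {ip: reasons}: 'alphaserver-ua' when the SIG 2011517 string is seen,
    'forum-burst' when >= `burst` account/posting actions fall inside `window` seconds."""
    verdicts, actions = defaultdict(set), defaultdict(list)
    for ip, ts, path, ua in filter(None, map(parse, lines)):
        if ua == ALPHA_UA:
            verdicts[ip].add("alphaserver-ua")
        if ACTIONS.search(path):
            actions[ip] = [t for t in actions[ip] if ts - t <= window] + [ts]
            if len(actions[ip]) >= burst:
                verdicts[ip].add("forum-burst")
    return dict(verdicts)

def log(ip, sec, method, path, ua):   # constructed sample line; everything happens within one minute
    return (f'{ip} - - [19/Sep/2010:10:21:{sec:02d} +0000] "{method} {path} HTTP/1.0" '
            f'200 512 "-" "{ua}"')

# constructed: the bot walks the registration/login/posting paths quoted above, 2 s apart
BOT_PATHS = ["/forum/", "/forum/index.php?act=Reg&CODE=00&coppa_pass=1",
             "/forum/index.php?act=Reg&coppa_user=&termsread=1&coppa_pass=1",
             "/forum/index.php?act=Login&CODE=00", "/forum/index.php?act=Login&CODE=01",
             "/forum/index.php?showforum=34", "/forum/index.php?act=post&do=new_post&f=34",
             "/forum/index.php?showforum=19", "/forum/index.php?act=post&do=new_post&f=19"]
SAMPLE = ([log("203.0.113.5", 3 + 2 * i, "GET", p, ALPHA_UA) for i, p in enumerate(BOT_PATHS)] +
          [log("198.51.100.4", 5, "GET", "/forum/index.php?showforum=7", "Mozilla/5.0"),   # a human
           log("198.51.100.4", 47, "GET", "/forum/index.php?act=Login&CODE=00", "Mozilla/5.0")])
```

The burst check keeps firing after the user agent string is rotated, which is why it is worth running beside the signature rather than instead of it.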

Figure: AlphaServer UA SIG 2011517 1 week events activity
Figure: AlphaServer UA SIG 2011517 1 month events activity
Figure: 1 month TOP 10 source IPs for SIG 2011517

SUC018 : Nikto Web App Scan in Progress

  • Use Case Reference : SUC018
  • Use Case Title : Nikto2 Web App Scan in Progress
  • Use Case Detection : IDS / HTTP logs
  • Attacker Class : Opportunists / Targeting Opportunists / Professional
  • Attack Sophistication : Unsophisticated / Low / Mid-High
  • Identified tool(s) : Nikto2 web scanner
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible correlation(s) :

  • Nikto2

Source(s) :

Emerging Threats SIG 2002677 creates an alert if a user agent containing the string “Nikto/xxxx” (where xxxx represents the Nikto2 version) is detected in HTTP or HTTPS traffic. An alert is sent after 5 occurrences within 60 seconds; any additional events during those 60 seconds are then ignored.

Nikto2 is normally used to evaluate the security of web servers. If you detect this kind of activity, you should add the attacker IP address to an “Aggressive Attacker” list for further trend analysis and correlation.
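As an added example (not code from the original post), a small Python emulation of the Snort threshold keyword, applied to the two user-agent rules on this page: the Havij rule under SUC021 (SID 1010051, threshold type limit, count 1, seconds 30, track by_src) and the Nikto2 SIG 2002677 behaviour described here (5 occurrences per 60 seconds, then ignore: type both). The Nikto match string, the source addresses and the sample requests are assumptions.

```python
class SnortThreshold:
    """Emulates 'threshold: type {limit|threshold|both}, count N, seconds T'."""
    def __init__(self, kind, count, seconds):
        self.kind, self.count, self.seconds = kind, count, seconds
        self.state = {}  # track-by key -> (interval_start, events_seen_in_interval)

    def fire(self, key, ts):
        start, n = self.state.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:   # start a new interval
            start, n = ts, 0
        n += 1
        self.state[key] = (start, n)
        if self.kind == "limit":       # alert on the first N events of the interval
            return n <= self.count
        if self.kind == "threshold":   # alert on every Nth event in the interval
            return n % self.count == 0
        return n == self.count         # both: once per interval, on the Nth event

def havij_match(header):
    # SID 1010051: content:"|0D 0A|User-Agent|3a| Havij"; nocase; http_header;
    return b"\r\nuser-agent: havij" in header.lower()

def nikto_match(header):
    # ET SIG 2002677 (approximation): a "Nikto/<version>" token in the request header
    return b"nikto/" in header.lower()

def make_rules():
    # sid -> (matcher, threshold as described on this page; both track by_src)
    return {1010051: (havij_match, SnortThreshold("limit", 1, 30)),
            2002677: (nikto_match, SnortThreshold("both", 5, 60))}

def run(events):
    """events: (ts, src_ip, raw_header); returns (ts, src, sid) per alert."""
    rules, alerts = make_rules(), []
    for ts, src, header in events:
        for sid, (match, thr) in rules.items():
            if match(header) and thr.fire(src, ts):
                alerts.append((ts, src, sid))
    return alerts

def request(ua):  # constructed sample request header
    return (b"GET /news.php?id=1 HTTP/1.1\r\nHost: www.example.com\r\n"
            b"User-Agent: " + ua + b"\r\n\r\n")

# constructed: four Havij requests from one source, twelve Nikto requests from another
SAMPLE = ([(t, "198.51.100.7", request(b"Havij")) for t in (0, 5, 10, 40)] +
          [(t, "203.0.113.9", request(b"Mozilla/5.00 (Nikto/2.1.5)")) for t in range(12)])
```

With these settings the four Havij requests produce two alerts (t=0 and t=40, the second because a new 30 s interval has started) and the twelve Nikto requests produce one (on the fifth request), which is the behaviour the two use cases describe.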

Figure: Nikto2 web scanner SIG 2002677 1 week events activity
Figure: Nikto2 web scanner SIG 2002677 1 month events activity
Figure: Nikto2 web scanner SIG 2002677 1 year events activity