- SUC018 : Nikto Web App Scan in Progress
- Use Case Reference : SUC018
- Use Case Title : Nikto2 Web App Scan in Progress
- Use Case Detection : IDS / HTTP logs
- Attacker Class : Opportunists / Targeting Opportunists / Professional
- Attack Sophistication : Unsophisticated / Low / Mid-High
- Identified tool(s) : Nikto2 web scanner
- Source IP(s) : Random
- Source Countries : Random
- Source Port(s) : Random
- Destination Port(s) : 80/TCP, 443/TCP
Possible(s) correlation(s) :
Emerging Threats SIG 2002677 create an alert if the user agent contain the string “Nikto/xxxx” is detected (where xxx is representing the version of Nikto2) in destination of HTTP, or HTTPS. An alert will be sent after seeing 5 occurrences of events per 60 second, then will ignore any additional events during the 60 seconds.
Nikto2 is used, normally, to evaluate to security of Web servers. If you detect these kind of activities, you should add the attacker IP address to an “Aggressive Attacker” list for furthers trends and correlations.