System Use Cases helping you to detect attacks against your infrastructures. These System Use Cases are classified by Attacker Classes (Opportunists, Targeting Opportunists, Professional or State Founded). This classification is inspired by Thierry Zoller work “Attacker Classes and Pyramid (Version 2)”.
Emerging Threats has release a two new SIGs 2011517“ET USER_AGENTS Suspicious Inbound AlphaServer UA” and 2011518“ET USER_AGENTS Suspicious Outbound AlphaServer UA” since 17 September 2010. These two new SIGs are focusing on suspicious user agents how shouldn’t being used by valid browsers today.
Emerging Threats SIG 2011517 create an alert if the user agent containing the string “Mozilla/4.0 (compatible; MSIE 4.01; Digital AlphaServer 1000A 4/233; Windows NT; Powered By 64-Bit Alpha Processor)” is detected in an inbound destination of HTTP, or HTTPS. An alert will be sent on each occurrences.
Emerging Threats SIG 2011518 create an alert if the user agent containing the string “Mozilla/4.0 (compatible; MSIE 4.01; Digital AlphaServer 1000A 4/233; Windows NT; Powered By 64-Bit Alpha Processor)” is detected in an outbound destination of HTTP, or HTTPS. An alert will be sent on each occurrences.
The sources are focusing web forums, doing registration and thread post attempt in short interval of time, this time interval is not humanly possible, it is clearly a bot.
Example :
74.118.193.13 – United States – 18 events in 20 seconds.
GET /forum/ HTTP/1.0
GET /forum/index.php HTTP/1.0
GET /forum/index.php?act=Reg&CODE=00&coppa_pass=1 HTTP/1.0
POST /forum/index.php?act=Reg&coppa_user=&termsread=1&coppa_pass=1 HTTP/1.0
POST /forum/index.php HTTP/1.0
UserName : Andreww3
Members Display Name : Andreww3
PassWord : AEpRfH9415
PassWord Check: AEpRfH9415
Email Address : [email protected]
Email Address two : [email protected]
GET /forum/index.php?act=Login&CODE=00 HTTP/1.0
POST /forum/index.php?act=Login&CODE=01 HTTP/1.0
UserName : Andreww3
PassWord : AEpRfH9415
GET /forum/index.php?showforum=34 HTTP/1.0
GET /forum/index.php?act=post&do=new_post&f=34 HTTP/1.0
GET /forum/index.php?showforum=7 HTTP/1.0
GET /forum/index.php?showforum=7 HTTP/1.0
POST /forum/index.php HTTP/1.0
UserName : Andreww3
PassWord : AEpRfH9415
GET /forum/index.php?act=post&do=new_post&f=34 HTTP/1.0
POST /forum/index.php HTTP/1.0
UserName : Andreww3
PassWord : AEpRfH9415
GET /forum/index.php?showforum=19 HTTP/1.0
GET /forum/index.php?act=post&do=new_post&f=19 HTTP/1.0
POST /forum/index.php HTTP/1.0
UserName : Andreww3
PassWord : AEpRfH9415
GET /forum/index.php?act=post&do=new_post&f=34 HTTP/1.0
Emerging Threats SIG 2002677 create an alert if the user agent contain the string “Nikto/xxxx” is detected (where xxx is representing the version of Nikto2) in destination of HTTP, or HTTPS. An alert will be sent after seeing 5 occurrences of events per 60 second, then will ignore any additional events during the 60 seconds.
Nikto2 is used, normally, to evaluate to security of Web servers. If you detect these kind of activities, you should add the attacker IP address to an “Aggressive Attacker” list for furthers trends and correlations.