Category Archives: Professional

Use Cases related to the professional attacker classe. This class represents digital mercenaries, sophisticated “hackers” that are targeting particular organisations and assets over a period of time. This class does not halt at low hanging fruits or a particular attack vector but tries to get to the goal whatever it takes, they are funded to a certain degree and their sophistication allows them to come up with new ways to attack assets or bypass exploit mitigation techniques.

SUC022 : Sqlmap SQL Injection Scan User-Agent Inbound

Opportunists, Professional, Targeting Opportunists, Use Cases,
  • Use Case Reference : SUC022
  • Use Case Title : Sqlmap SQL Injection Scan User-Agent Inbound
  • Use Case Detection : IDS / HTTP / SQL logs
  • Attacker Class : Opportunists / Targeting Opportunists / Professional
  • Attack Sophistication : Unsophisticated / Low / Mid-High
  • Identified tool(s) : sqlmap automatic SQL injection and database takeover tool
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible(s) correlation(s) :

  • sqlmap automatic SQL injection and database takeover tool.

Source(s) :

Emerging Threats SIG 2008538 triggers are :

  • The HTTP header should contain “sqlmap” User-Agent string. Example : “User-Agent: sqlmap/1.0-dev (http://sqlmap.sourceforge.net)
  • The source port could be any FROM EXTERNAL_NET in destination of an HOME_NET HTTP_PORTS.
SIG 2008538 1 Week events activity
SIG 2008538 1 Week events activity
SIG 2008538 1 month events activity
SIG 2008538 1 month events activity
1 Month TOP 10 source IPs for SIG 2008538
1 Month TOP 10 source IPs for SIG 2008538

SUC021 : Havij SQL Injection Tool User-Agent Inbound

Opportunists, Professional, Targeting Opportunists, Use Cases, ,
  • Use Case Reference : SUC021
  • Use Case Title : Havij SQL Injection Tool User-Agent Inbound
  • Use Case Detection : IDS / HTTP / SQL logs
  • Attacker Class : Opportunists / Targeting Opportunists / Professional
  • Attack Sophistication : Unsophisticated / Low / Mid-High
  • Identified tool(s) : Havij Advanced SQL Injection
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible(s) correlation(s) :

  • Havij Advanced SQL Injection free version
  • Havij Advanced SQL Injection commercial version

Source(s) :

Snort rule :
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ZATAZ SCAN Havij SQL Injection Tool User-Agent Inbound"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| Havij"; nocase; http_header; reference:url,itsecteam.com/en/projects/project1.htm; threshold:type limit, count 1, seconds 30, track by_src; classtype:web-application-attack; priority:2; sid:1010051; rev:1;)
SIG 1010051 1 Week events activity
SIG 1010051 1 Week events activity
SIG 1010051 1 month events activity
SIG 1010051 1 month events activity

SUC018 : Nikto Web App Scan in Progress

Opportunists, Professional, Targeting Opportunists, Use Cases
  • SUC018 : Nikto Web App Scan in Progress
  • Use Case Reference : SUC018
  • Use Case Title : Nikto2 Web App Scan in Progress
  • Use Case Detection : IDS / HTTP logs
  • Attacker Class : Opportunists / Targeting Opportunists / Professional
  • Attack Sophistication : Unsophisticated / Low / Mid-High
  • Identified tool(s) : Nikto2 web scanner
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible(s) correlation(s) :

  • Nikto2

Source(s) :

Emerging Threats SIG 2002677 create an alert if the user agent contain the string “Nikto/xxxx” is detected (where xxx is representing the version of Nikto2) in destination of HTTP, or HTTPS. An alert will be sent after seeing 5 occurrences of events per 60 second, then will ignore any additional events during the 60 seconds.

Nikto2 is used, normally, to evaluate to security of Web servers. If you detect these kind of activities, you should add the attacker IP address to an “Aggressive Attacker” list for furthers trends and correlations.

Nikto2 web scanner SIG 2002677 1 Week events activities
Nikto2 web scanner SIG 2002677 1 Week events activities
Nikto2 web scanner SIG 2002677 1 month events activities
Nikto2 web scanner SIG 2002677 1 month events activities
Nikto2 web scanner SIG 2002677 1 year events activities
Nikto2 web scanner SIG 2002677 1 year events activities

SUC009 : Activities on source port 500 destination port 500/UDP

Opportunists, Professional, Targeting Opportunists, Use Cases,
  • Use Case Reference : SUC009
  • Use Case Title : Activities on source port 500 destination port 500/UDP
  • Use Case Detection : Firewall / IDS
  • Attacker Class : Opportunists / Targeting Opportunists / Professional
  • Attack Sophistication : Unsophisticated / Low / Mid-High
  • Identified tool(s) : Possible ike-scan
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : 500/UDP
  • Destination Port(s) : 500/UDP

Possible(s) correlation(s) :

  • This UDP destination port is related to IKE isakmp. Often detected as an DoS attempt on Win2000.
  • ike-scan

Sources :

24 hours 500 destination port events
24 hours 500 destination port events
1 week destination port 500 event
1 week destination port 500 event
1 month destination port 500 events
1 month destination port 500 events
1 year destination port 500 events
1 year destination port 500 events
source ports repartition for destination port 500
source ports repartition for destination port 500
source countries repartition for destination port 500
source countries repartition for destination port 500