Use cases related to the professional attacker class. This class represents digital mercenaries: sophisticated “hackers” who target particular organisations and assets over a period of time. This class does not stop at low-hanging fruit or a single attack vector but pursues its goal whatever it takes. Its members are funded to a certain degree, and their sophistication allows them to come up with new ways to attack assets or bypass exploit mitigation techniques.
Emerging Threats SIG 2002677 creates an alert when a user agent containing the string “Nikto/xxxx” (where xxxx represents the version of Nikto2) is detected in traffic destined for HTTP or HTTPS. An alert is sent after 5 occurrences of the event within 60 seconds; any additional events during those 60 seconds are then ignored.
Nikto2 is normally used to evaluate the security of web servers. If you detect this kind of activity, you should add the attacker's IP address to an “Aggressive Attacker” list for further trending and correlation.
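
The threshold and list handling described above, applied to web server access logs, as an added example (not code from the original page or from Emerging Threats). Counting per source IP, the combined log format, the sample User-Agent value and all function names are assumptions; the log lines are constructed.

```python
import re
from datetime import datetime

COUNT, SECONDS = 5, 60  # threshold stated above: 5 events per 60 seconds
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def parse(line):
    """Return (epoch_seconds, src_ip, user_agent), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return ts, m.group(1), m.group(3)

def detect(lines):
    """Apply the threshold per source IP; return (alerts, aggressive_attackers)."""
    windows = {}  # src_ip -> [window_start, hits_in_window] (per-source tracking is assumed)
    alerts, aggressive = [], set()
    for line in lines:
        rec = parse(line)
        if rec is None or "Nikto/" not in rec[2]:
            continue
        ts, src, ua = rec
        win = windows.get(src)
        if win is None or ts - win[0] >= SECONDS:
            win = windows[src] = [ts, 0]  # start a new 60-second window
        win[1] += 1
        if win[1] == COUNT:  # alert once; later hits in this window are ignored
            alerts.append((ts, src, ua))
            aggressive.add(src)  # feeds the "Aggressive Attacker" list
    return alerts, aggressive

def sample_log():
    """Constructed access-log lines (documentation IP ranges, made-up paths)."""
    def line(ip, sec, ua):
        m, s = divmod(sec, 60)
        return (f'{ip} - - [10/Mar/2024:12:{m:02d}:{s:02d} +0000] '
                f'"GET /test{sec} HTTP/1.1" 404 153 "-" "{ua}"')
    nikto = "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"  # constructed sample
    log = [line("203.0.113.7", s, nikto) for s in range(0, 8)]         # 8 hits in 8 s
    log += [line("203.0.113.7", s, nikto) for s in range(70, 75)]      # next window, 5 hits
    log += [line("198.51.100.9", s * 30, nikto) for s in range(0, 6)]  # below the threshold
    log += [line("192.0.2.20", 5, "Mozilla/5.0 (X11; Linux x86_64)")]  # ordinary browser
    return log

if __name__ == "__main__":
    alerts, aggressive = detect(sample_log())
    print(len(alerts), "alerts; Aggressive Attacker list:", sorted(aggressive))
```

A source that sends Nikto-tagged requests more slowly than 5 per 60 seconds never reaches the threshold, so the slow source in the sample produces no alert and is not added to the list.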