Category Archives: Targeting Opportunists

Use cases related to the Targeting Opportunists attacker class. This class is a more focused subset of the Opportunists: rather than scanning and probing the whole Internet and stopping at the first interesting find, they pick one organisation and target it opportunistically, continuously mass-scanning that organisation's exposed assets for weak spots.

SUC023 : WebHack Control Center User-Agent Inbound (WHCC/)

  • Use Case Reference : SUC023
  • Use Case Title : WebHack Control Center User-Agent Inbound (WHCC/)
  • Use Case Detection : IDS / HTTP logs
  • Attacker Class : Opportunists / Targeting Opportunists 
  • Attack Sophistication : Unsophisticated / Low
  • Identified tool(s) : WebHack Control Center Web server vulnerability scanner
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible(s) correlation(s) :

  • WebHack Control Center Web server vulnerability scanner

Source(s) :

Emerging Threats SIG 2003924 triggers are :

  • The HTTP header should contain the “WHCC” User-Agent string. Example : “User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; WHCC/0.6; GTB6.6; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; .NET4.0C)”
  • Any source port from EXTERNAL_NET, in destination of HOME_NET on HTTP_PORTS.
Figure : SIG 2003924 1 week events activity
Figure : SIG 2003924 1 month events activity
Figure : 1 month TOP 10 source IPs for SIG 2003924

SUC022 : Sqlmap SQL Injection Scan User-Agent Inbound

  • Use Case Reference : SUC022
  • Use Case Title : Sqlmap SQL Injection Scan User-Agent Inbound
  • Use Case Detection : IDS / HTTP / SQL logs
  • Attacker Class : Opportunists / Targeting Opportunists / Professional
  • Attack Sophistication : Unsophisticated / Low / Mid-High
  • Identified tool(s) : sqlmap automatic SQL injection and database takeover tool
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible(s) correlation(s) :

  • sqlmap automatic SQL injection and database takeover tool.

Source(s) :

Emerging Threats SIG 2008538 triggers are :

  • The HTTP header should contain the “sqlmap” User-Agent string. Example : “User-Agent: sqlmap/1.0-dev (http://sqlmap.sourceforge.net)”
  • Any source port from EXTERNAL_NET, in destination of HOME_NET on HTTP_PORTS.
Figure : SIG 2008538 1 week events activity
Figure : SIG 2008538 1 month events activity
Figure : 1 month TOP 10 source IPs for SIG 2008538

SUC021 : Havij SQL Injection Tool User-Agent Inbound

  • Use Case Reference : SUC021
  • Use Case Title : Havij SQL Injection Tool User-Agent Inbound
  • Use Case Detection : IDS / HTTP / SQL logs
  • Attacker Class : Opportunists / Targeting Opportunists / Professional
  • Attack Sophistication : Unsophisticated / Low / Mid-High
  • Identified tool(s) : Havij Advanced SQL Injection
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible(s) correlation(s) :

  • Havij Advanced SQL Injection free version
  • Havij Advanced SQL Injection commercial version

Source(s) :

Snort rule :
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ZATAZ SCAN Havij SQL Injection Tool User-Agent Inbound"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| Havij"; nocase; http_header; reference:url,itsecteam.com/en/projects/project1.htm; threshold:type limit, count 1, seconds 30, track by_src; classtype:web-application-attack; priority:2; sid:1010051; rev:1;)
Figure : SIG 1010051 1 week events activity
Figure : SIG 1010051 1 month events activity
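The three User-Agent use cases above (SUC023, SUC022 and SUC021) all reduce to the same check: a tool marker inside the inbound User-Agent header. The Python below is an added example, not code from this page, from Emerging Threats or from ZATAZ, that runs that check over HTTP access logs in Apache/nginx "combined" format and produces the per-source counts behind the "TOP source IPs" charts. The log lines and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed for the example. The match is a case-insensitive substring, slightly broader than the Snort rule above, which anchors "Havij" at the start of the header value.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format: src ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent markers from the three use cases on this page. Matched case-insensitively,
# like the `nocase` modifier in the Snort rule for SUC021.
UA_SIGNATURES = {
    "SUC023": "WHCC/",   # WebHack Control Center
    "SUC022": "sqlmap",  # sqlmap
    "SUC021": "Havij",   # Havij
}

# Constructed sample access-log lines (not real traffic; documentation address space).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; WHCC/0.6; GTB6.6)"
203.0.113.20 - - [10/Oct/2023:13:55:37 +0000] "GET /news.php?id=1%27 HTTP/1.1" 500 0 "-" "sqlmap/1.0-dev (http://sqlmap.sourceforge.net)"
203.0.113.20 - - [10/Oct/2023:13:55:38 +0000] "GET /news.php?id=1%20AND%201=1 HTTP/1.1" 200 2048 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
203.0.113.30 - - [10/Oct/2023:13:55:39 +0000] "GET /product.php?id=3 HTTP/1.1" 200 1024 "-" "Havij"
198.51.100.5 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_ua(ua):
    """Return the use-case reference whose marker appears in `ua`, or None for a clean header."""
    ua_l = ua.lower()
    for ref, marker in UA_SIGNATURES.items():
        if marker.lower() in ua_l:
            return ref
    return None


def scan_log(text):
    """Return a list of (use_case, src_ip, user_agent, request) for every matching line."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip rather than crash on a malformed entry
        ref = classify_ua(rec["ua"])
        if ref:
            hits.append((ref, rec["src"], rec["ua"], rec["req"]))
    return hits


def top_sources(hits):
    """Count hits per (use_case, src_ip): the page's 'TOP source IPs' view of the alerts."""
    return Counter((ref, src) for ref, src, _, _ in hits)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for ref, src, ua, req in hits:
        print(f"{ref} src={src} req={req!r} ua={ua!r}")
    for (ref, src), n in top_sources(hits).most_common():
        print(f"{ref}: {src} x{n}")
```

The check is only as good as the attacker's laziness: sqlmap can present another header with `--user-agent` or `--random-agent`, and any tool can change its User-Agent, so an absence of hits proves nothing. Treat a hit as a high-confidence tool fingerprint and correlate it, as the use cases suggest, with SQL error spikes or 5xx responses from the same source.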

SUC020 : Potential FTP non anonymous Login and/or Brute-Force attempt

  • Use Case Reference : SUC020
  • Use Case Title : Potential FTP non anonymous Login and/or Brute-Force attempt
  • Use Case Detection : Firewall / IDS / FTP logs
  • Attacker Class : Opportunists / Targeting Opportunists
  • Attack Sophistication : Unsophisticated / Low
  • Identified tool(s) : Random
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 21/TCP

Possible(s) correlation(s) :

  • FTP brute force bot.

Source(s) :

Emerging Threats SIG 2002383 triggers are :

  • The FTP server should return a “530” reply containing one of the strings “Login”, “User”, “Failed” or “Not”.
  • Traffic from port 21 of the HOME_NET FTP server in destination of an EXTERNAL_NET IP.
  • Alerts on every 5 occurrences of the event toward the same EXTERNAL_NET IP within 300 seconds.

Emerging Threats SIG 2003303 triggers are :

  • The string “USER” should be present.
  • None of the strings “PASS”, “anonymous” or “ftp” should be present.
  • The source IP should be part of EXTERNAL_NET, in destination of the HOME_NET FTP server on port 21.
  • Alerts on every occurrence.

Emerging Threats SIG 2010643 triggers are :

  • The string “USER” should be present.
  • The string “administrator” should be present.
  • The source IP should be part of EXTERNAL_NET, in destination of the HOME_NET FTP server on port 21.
  • Alerts on every 5 occurrences of the event from the same EXTERNAL_NET IP within 60 seconds.
Figure : SIG 2002383 1 week events activity
Figure : SIG 2003303 1 week events activity
Figure : SIG 2010643 1 week events activity
Figure : SIG 2002383 1 month events activity
Figure : SIG 2003303 1 month events activity
Figure : SIG 2010643 1 month events activity
Figure : 1 month TOP 10 source IPs for SIG 2002383
Figure : 1 month TOP 10 source IPs for SIG 2003303
Figure : 1 month TOP 10 source IPs for SIG 2010643
Figure : TOP 20 source countries for SIG 2002383
Figure : TOP 20 source countries for SIG 2003303
Figure : TOP 20 source countries for SIG 2010643
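The three SUC020 signatures differ in direction (server reply versus client command), in the strings they look for and in whether they alert on every event or only after a threshold. The Python below is an added example, not code from this page or from Emerging Threats, that applies those three triggers to a stream of decoded FTP control-channel lines and reproduces Snort's `threshold type threshold, count N, seconds S` behaviour with a per-IP sliding window. The server address 192.0.2.21, the client addresses and every FTP exchange are constructed for the example; string matching is case-sensitive, as an Emerging Threats `content` match is without `nocase`.

```python
from collections import defaultdict, deque

SERVER = "192.0.2.21"      # constructed HOME_NET FTP server (documentation address space)
HOME_NET = {SERVER}
FTP_PORT = 21


class Threshold:
    """Snort-style `threshold type threshold, count N, seconds S`: fire on every
    N-th event for a key within a sliding window of S seconds, then start over."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.seen = defaultdict(deque)

    def hit(self, key, ts):
        q = self.seen[key]
        q.append(ts)
        while q and ts - q[0] > self.seconds:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= self.count:
            q.clear()
            return True
        return False


def detect(events):
    """Apply SIG 2002383, 2003303 and 2010643 to (ts, src, sport, dst, dport, payload)
    events and return a list of (sid, external_ip, ts) alerts."""
    alerts = []
    th_530 = Threshold(5, 300)    # SIG 2002383: 5 x "530 ..." to the same external IP in 300 s
    th_admin = Threshold(5, 60)   # SIG 2010643: 5 x "USER administrator" from the same IP in 60 s
    for ts, src, sport, dst, dport, payload in sorted(events):
        if src in HOME_NET and sport == FTP_PORT and dst not in HOME_NET:
            # Server -> client: a 530 reply carrying one of the signature's words.
            if payload.startswith("530") and any(w in payload for w in ("Login", "User", "Failed", "Not")):
                if th_530.hit(dst, ts):
                    alerts.append((2002383, dst, ts))
        elif src not in HOME_NET and dst in HOME_NET and dport == FTP_PORT:
            # Client -> server: USER command that is not an anonymous login (every occurrence).
            if "USER" in payload and not any(w in payload for w in ("PASS", "anonymous", "ftp")):
                alerts.append((2003303, src, ts))
            # Client -> server: repeated "USER administrator" (thresholded).
            if "USER" in payload and "administrator" in payload and th_admin.hit(src, ts):
                alerts.append((2010643, src, ts))
    return alerts


def _failed_login(ts, client, user):
    """Constructed exchange: one rejected login from `client` starting at `ts`."""
    return [
        (ts, client, 51000, SERVER, FTP_PORT, f"USER {user}"),
        (ts + 1, SERVER, FTP_PORT, client, 51000, "331 Please specify the password."),
        (ts + 2, client, 51000, SERVER, FTP_PORT, "PASS hunter2"),
        (ts + 3, SERVER, FTP_PORT, client, 51000, "530 Login incorrect."),
    ]


# Constructed traffic: one legitimate anonymous login, then six "administrator"
# attempts from one external host, ten seconds apart (not real traffic).
SAMPLE_EVENTS = [
    (0, "198.51.100.5", 40000, SERVER, FTP_PORT, "USER anonymous"),
    (1, SERVER, FTP_PORT, "198.51.100.5", 40000, "331 Please specify the password."),
    (2, "198.51.100.5", 40000, SERVER, FTP_PORT, "PASS guest@"),
    (3, SERVER, FTP_PORT, "198.51.100.5", 40000, "230 Login successful."),
] + [e for k in range(6) for e in _failed_login(100 + 10 * k, "203.0.113.40", "administrator")]


if __name__ == "__main__":
    for sid, ip, ts in detect(SAMPLE_EVENTS):
        print(f"t={ts:>4} SIG {sid} {ip}")
```

On the constructed stream SIG 2003303 fires six times (every non-anonymous USER), while the two thresholded signatures each fire once, on the fifth event inside their window. That is the practical difference to remember when tuning: 2003303 is a per-login log of who is not anonymous and will be noisy on any server with real users, whereas 2002383 and 2010643 only speak up on a pattern.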