Hack Tool User Agent

Detects suspicious user agent strings used by hack tools in proxy logs

Rule Content

- title: Hack Tool User Agent
  id: c42a3073-30fb-48ae-8c99-c23ada84b103
  status: experimental
  description: Detects suspicious user agent strings used by hack tools in proxy logs
  references:
  - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
  - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
  author: Florian Roth
  logsource:
    category: proxy
    product: null
    service: null
  detection:
    selection:
      c-useragent:
      - '*(hydra)*'
      - '* arachni/*'
      - '* BFAC *'
      - '* brutus *'
      - '* cgichk *'
      - '*core-project/1.0*'
      - '* crimscanner/*'
      - '*datacha0s*'
      - '*dirbuster*'
      - '*domino hunter*'
      - '*dotdotpwn*'
      - FHScan Core
      - '*floodgate*'
      - '*get-minimal*'
      - '*gootkit auto-rooter scanner*'
      - '*grendel-scan*'
      - '* inspath *'
      - '*internet ninja*'
      - '*jaascois*'
      - '* zmeu *'
      - '*masscan*'
      - '* metis *'
      - '*morfeus fucking scanner*'
      - '*n-stealth*'
      - '*nsauditor*'
      - '*pmafind*'
      - '*security scan*'
      - '*springenwerk*'
      - '*teh forest lobster*'
      - '*toata dragostea*'
      - '* vega/*'
      - '*voideye*'
      - '*webshag*'
      - '*webvulnscan*'
      - '* whcc/*'
      - '* Havij'
      - '*absinthe*'
      - '*bsqlbf*'
      - '*mysqloit*'
      - '*pangolin*'
      - '*sql power injector*'
      - '*sqlmap*'
      - '*sqlninja*'
      - '*uil2pn*'
      - ruler
      - Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729
        Firefox/3.5.2 (.NET CLR 3.5.30729)
    condition: selection
  fields:
  - ClientIP
  - c-uri
  - c-useragent
  falsepositives:
  - Unknown
  level: high
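The rule's values follow Sigma string semantics: a value matches the whole field case-insensitively, '*' stands for any run of characters, and a leading space in a value such as '* Havij' is significant. The following is an added example, not part of the rule or the HELK notebook, that applies those semantics to a few constructed proxy records so the hits and the near-misses can be checked by hand; it uses a representative subset of the rule's values.

```python
import re

# A representative subset of the rule's c-useragent values; the full list drops in unchanged
HACK_TOOL_UA_PATTERNS = [
    '*(hydra)*', '* arachni/*', '*dirbuster*', '*masscan*', '*sqlmap*',
    '* Havij', 'FHScan Core', 'ruler',
    'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 '
    'Firefox/3.5.2 (.NET CLR 3.5.30729)',
]

def sigma_to_regex(pattern):
    """Translate one Sigma string value into an anchored, case-insensitive regex:
    '*' matches any run of characters, '?' one character, everything else is literal."""
    body = ''.join('.*' if ch == '*' else '.' if ch == '?' else re.escape(ch)
                   for ch in pattern)
    return re.compile('^' + body + '$', re.IGNORECASE | re.DOTALL)

COMPILED = [(p, sigma_to_regex(p)) for p in HACK_TOOL_UA_PATTERNS]

def match_user_agent(ua):
    """Return the first rule value matching this user agent, or None."""
    for pattern, rx in COMPILED:
        if rx.match(ua):
            return pattern
    return None

def scan_proxy_log(records):
    """Apply the rule to (ClientIP, c-uri, c-useragent) tuples; return alerts carrying
    the fields the rule lists for the analyst plus the value that fired."""
    alerts = []
    for client_ip, uri, ua in records:
        hit = match_user_agent(ua)
        if hit:
            alerts.append({'ClientIP': client_ip, 'c-uri': uri,
                           'c-useragent': ua, 'matched': hit})
    return alerts

# Constructed sample proxy records, not real traffic
SAMPLE_LOG = [
    ('10.0.0.5', '/login', 'sqlmap/1.4#stable (http://sqlmap.org)'),
    ('10.0.0.6', '/', 'Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0'),
    ('10.0.0.7', '/admin/', 'Mozilla/5.0 arachni/2.0'),
    ('10.0.0.8', '/', 'Havij'),  # no leading space, so '* Havij' must not fire
]
```

Running scan_proxy_log(SAMPLE_LOG) raises alerts only for 10.0.0.5 and 10.0.0.7; the bare 'Havij' string shows why the exact placement of spaces in a value matters when tuning this rule.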

Querying Elasticsearch

Import Libraries

from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd

Initialize Elasticsearch client

es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-*', doc_type='doc')

Run Elasticsearch Query

# Lucene query_string built from the rule's c-useragent values; a raw string keeps the
# backslash escapes for Elasticsearch instead of Python interpreting them
s = searchContext.query('query_string', query=r'c-useragent.keyword:(*\(hydra\)* OR *\ arachni\/* OR *\ BFAC\ * OR *\ brutus\ * OR *\ cgichk\ * OR *core\-project\/1.0* OR *\ crimscanner\/* OR *datacha0s* OR *dirbuster* OR *domino\ hunter* OR *dotdotpwn* OR FHScan\ Core OR *floodgate* OR *get\-minimal* OR *gootkit\ auto\-rooter\ scanner* OR *grendel\-scan* OR *\ inspath\ * OR *internet\ ninja* OR *jaascois* OR *\ zmeu\ * OR *masscan* OR *\ metis\ * OR *morfeus\ fucking\ scanner* OR *n\-stealth* OR *nsauditor* OR *pmafind* OR *security\ scan* OR *springenwerk* OR *teh\ forest\ lobster* OR *toata\ dragostea* OR *\ vega\/* OR *voideye* OR *webshag* OR *webvulnscan* OR *\ whcc\/* OR *\ Havij OR *absinthe* OR *bsqlbf* OR *mysqloit* OR *pangolin* OR *sql\ power\ injector* OR *sqlmap* OR *sqlninja* OR *uil2pn* OR ruler OR Mozilla\/5.0\ \(Windows;\ U;\ Windows\ NT\ 5.1;\ pt\-PT;\ rv\:1.9.1.2\)\ Gecko\/20090729\ Firefox\/3.5.2\ \(.NET\ CLR\ 3.5.30729\))')
response = s.execute()
if response.success():
    # scan() streams every matching document rather than only the first page of hits
    df = pd.DataFrame((d.to_dict() for d in s.scan()))

Show Results

df.head()