Tuesday, 3 December 2013

Ruleset-Update: Apache OGNL Vulns, PHP/WP-Scanners

[+] new sigs:
  42000335 :: app_server.rules     :: DN APP_SERVER Java poss. OGNL-Injection / ActionSupport.getText in Request-Parameters
  42000336 :: scanner.rules        :: DN SCAN Apache Roller-Scan
  42000337 :: web_server.rules     :: DN WEB_SERVER PHP-CGI-Scan
  42000338 :: scanner.rules        :: DN SCAN WP-OptimizePress - Scan
  42000339 :: scanner.rules        :: DN SCAN WP-Content Themes-Scan

#
# sid: 42000335 |  date: 2013-12-03 - 22:49:18 | maker: lazydog
# http://security.coverity.com/advisory/2013/Oct/remote-code-execution-in-apache-roller-via-ognl-injection.html
MainRule "str:actionsupport.gettext" "msg:DN APP_SERVER Java poss. OGNL-Injection / ActionSupport.getText in Request-Parameters" "mz:URL|BODY|ARGS|$HEADERS_VAR:Cookie" "s:$ATTACK:8" id:42000335 ; 

#
# sid: 42000336 |  date: 2013-12-03 - 22:49:55 | maker: lazydog
# http://www.exploit-db.com/exploits/29859/
MainRule "str:/login.rol" "msg:DN SCAN Apache Roller-Scan" "mz:URL" "s:$UWA:8" id:42000336 ; 

#
# sid: 42000337 |  date: 2013-12-03 - 22:50:13 | maker: lazydog
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823
MainRule "str:/cgi-bin/php" "msg:DN WEB_SERVER PHP-CGI-Scan" "mz:URL" "s:$ATTACK:8" id:42000337 ; 


#
# sid: 42000338 |  date: 2013-12-03 - 22:50:35 | maker: lazydog
# http://www.reddit.com/r/netsec/comments/1rrftk/optimizepress_wordpress_theme_0day_found_actively/
# http://www.osirt.com/2013/11/wordpress-optimizepress-hack-file-upload-vulnerability/
MainRule "str:/wp-content/uploads/optpress/" "msg:DN SCAN WP-OptimizePress - Scan" "mz:URL" "s:$UWA:8" id:42000338 ; 


#
# sid: 42000339 |  date: 2013-12-03 - 22:50:50 | maker: lazydog
MainRule "str:/wp-content/themes/" "msg:DN SCAN WP-Content Themes-Scan" "mz:URL" "s:$UWA:8" id:42000339 ;
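
How the `str:`, `mz:` and `s:` fields of the rules in this post combine, shown as an added Python example that is not part of naxsi or the doxi-rules repository. The request model (a dict with `url`, `args`, `body`, `headers`), the sample requests and the values-only check for ARGS/BODY are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Three rules copied verbatim from the post above.
RULES_TEXT = r'''
MainRule "str:actionsupport.gettext" "msg:DN APP_SERVER Java poss. OGNL-Injection / ActionSupport.getText in Request-Parameters" "mz:URL|BODY|ARGS|$HEADERS_VAR:Cookie" "s:$ATTACK:8" id:42000335 ;
MainRule "str:/login.rol" "msg:DN SCAN Apache Roller-Scan" "mz:URL" "s:$UWA:8" id:42000336 ;
MainRule "str:/cgi-bin/php" "msg:DN WEB_SERVER PHP-CGI-Scan" "mz:URL" "s:$ATTACK:8" id:42000337 ;
'''

RULE_RE = re.compile(r'^MainRule\s+((?:"[^"]*"\s+)+)id:(\d+)\s*;$')


def parse_rules(text):
    """Turn MainRule lines into dicts with id, str, msg, zones, scores."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsable rule: " + line)
        rule = {"id": int(m.group(2)), "scores": {}}
        for field in re.findall(r'"([^"]*)"', m.group(1)):
            key, _, value = field.partition(":")
            if key == "mz":
                rule["zones"] = value.split("|")
            elif key == "s":              # e.g. "$ATTACK:8"
                name, _, points = value.rpartition(":")
                rule["scores"][name] = int(points)
            else:                         # "str" and "msg"
                rule[key] = value
        rules.append(rule)
    return rules


def zone_values(zone, req):
    """Strings a match zone exposes (simplified: ARGS/BODY values only)."""
    if zone == "URL":
        return [req.get("url", "")]
    if zone in ("ARGS", "BODY"):
        return list(req.get(zone.lower(), {}).values())
    if zone.startswith("$HEADERS_VAR:"):
        wanted = zone.split(":", 1)[1].lower()
        return [v for k, v in req.get("headers", {}).items() if k.lower() == wanted]
    return []                             # zones not used by these rules


def evaluate(rules, req):
    """Return (matched rule ids, accumulated score per counter)."""
    hits, scores = [], defaultdict(int)
    for rule in rules:
        # naxsi matches case-insensitively, so rule strings are lowercase.
        if any(rule["str"] in v.lower()
               for z in rule["zones"] for v in zone_values(z, req)):
            hits.append(rule["id"])
            for name, points in rule["scores"].items():
                scores[name] += points
    return hits, dict(scores)


# Constructed sample requests (not taken from real traffic).
SAMPLES = {
    "roller_probe": {"url": "/roller/login.rol", "args": {"q": "ActionSupport.getText"}},
    "cookie_case": {"url": "/index.html", "headers": {"Cookie": "lang=ActionSupport.GetText"}},
    "php_cgi": {"url": "/cgi-bin/php5"},
    # Harmless page whose path merely contains the string: whitelist candidate.
    "docs_page": {"url": "/docs/cgi-bin/php-notes.html"},
    "benign": {"url": "/blog/2013/12/ruleset-update", "args": {"page": "2"}},
}


def run_samples():
    rules = parse_rules(RULES_TEXT)
    return {name: evaluate(rules, req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, (hits, scores) in run_samples().items():
        print(f"{name:13} hits={hits} scores={scores}")
```

Whether an accumulated score blocks the request depends on the `CheckRule` thresholds in the nginx configuration, which this page does not show.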

Thursday, 31 October 2013

Ruleset-Update: misc Scanner (Struts, Apache-Exploits)

[+] new sigs:
42000326 :: scanner.rules :: DN SCAN MASSCAN - UA Ddetected
42000327 :: app_server.rules :: DN APP_SERVER possible UPNP-Port-Manipulation
42000328 :: scanner.rules :: DN SCAN GestioIP Remote Code Execution - Scan
42000329 :: web_server.rules :: DN WEB_SERVER SSH-Homedir-Access
42000330 :: web_server.rules :: DN WEB_SERVER CONNECT-Request Attempt
42000331 :: web_server.rules :: DN WEB_SERVER ApacheStruts - Exploit-Scan
42000332 :: app_server.rules :: DN APP_SERVER Java.io.File in Request-Parameters
42000333 :: web_server.rules :: DN WEB_SERVER PHP-Opener ( <? ) found
42000334 :: web_server.rules :: DN WEB_SERVER CGI-BIN - Scan


https://bitbucket.org/lazy_dogtown/doxi-rules/src



Thursday, 17 October 2013

Ruleset-Update: DLink Backdoor-Scan


[+] new sigs:
  42000325 :: web_server.rules     :: DN WEB_SERVER Dlink-Router Backdoor-Scan


#
# sid: 42000325 |  date: 2013-10-17 - 09:13:26 | maker: lazydog
#
# http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
# et: 2017590
# http://blog.erratasec.com/2013/10/that-dlink-bug-masscan.html

MainRule "str:xmlset_roodkcableoj28840ybtide" "msg:DN WEB_SERVER Dlink-Router Backdoor-Scan" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000325 ;


Friday, 11 October 2013

Rules-Update: vBulletin Exploit


[+] new sigs:
  42000321 :: scanner.rules        :: DN SCAN probably Malicous UA
  42000322 :: web_apps.rules       :: DN WEB_APPS Potential vBulletin Exploit (v5+)
  42000323 :: scanner.rules        :: DN SCAN vBulletinBoard-Scan
  42000324 :: web_apps.rules       :: DN WEB_APPS Potential vBulletin Exploit (v4+)

#
# sid: 42000321 |  date: 2013-10-12 - 00:30:51 | maker: lazydog
# 
# http://www.webmasterworld.com/search_engine_spiders/4058096.htm
# http://serverfault.com/questions/544523/apache-ddos-prevention/544531#544531
 
MainRule "str:mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; sv1)" "msg:DN SCAN probably Malicous UA " "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000321; 
#
# sid: 42000322 |  date: 2013-10-12 - 00:31:23 | maker: lazydog
# 
# http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5
# 
# http://www.vbulletin.org/forum/showthread.php?p=2443431
# 
# 
 
MainRule "str:/core/install/upgrade.php" "msg:DN WEB_APPS Potential vBulletin Exploit (v5+)" "mz:URL" "s:$UWA:8" id:42000322 ; 



#
# sid: 42000323 |  date: 2013-10-12 - 00:30:26 | maker: lazydog
# 
# http://www.vbulletin.org/forum/showthread.php?p=2443431
 
MainRule "str:/core/install/" "msg:DN SCAN vBulletinBoard-Scan " "mz:URL" "s:$UWA:8" id:42000323 ; 



#
# sid: 42000324 |  date: 2013-10-12 - 00:30:05 | maker: lazydog
# 
# http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5
# 
# http://www.vbulletin.org/forum/showthread.php?p=2443431
 
MainRule "str:/install/upgrade.php" "msg:DN WEB_APPS Potential vBulletin Exploit (v4+)" "mz:URL" "s:$ATTACK:8" id:42000324 ; 


Monday, 7 October 2013

Ruleset-Update: WHCMS - Exploit + JBOSS/Tomcat


[+] new sigs:
  42000318 :: web_server.rules     :: DN WEB_SERVER Possible WHMCS Exploit
  42000319 :: scanner.rules        :: DN SCAN Possible WHMCS - Scan
  42000320 :: app_server.rules     :: DN APP_SERVER Possible JBoss/Tomcat JMX InvokerServlet Auth Bypass Attempt


------------------


#
# sid: 42000318 |  date: 2013-10-07 - 22:07:29 | maker: lazydog
# 
# http://localhost.re/p/whmcs-527-vulnerability
 
MainRule "str:aes_encrypt" "msg:DN WEB_SERVER Possible WHMCS Exploit" "mz:BODY|ARGS" "s:$ATTACK:8" id:42000318 ; 

#
# sid: 42000319 |  date: 2013-10-07 - 22:07:53 | maker: lazydog
# 
# http://localhost.re/p/whmcs-527-vulnerability
 
MainRule "str:/register.php" "msg:DN SCAN Possible WHMCS - Scan" "mz:URL" "s:$UWA:8" id:42000319 ; 
#
# sid: 42000320 |  date: 2013-10-07 - 22:08:40 | maker: lazydog
# 
# http://packetstormsecurity.com/files/123510/9sg_ejb.txt
# sid 42000057
 
MainRule "str:/invoker/ejbinvokerservlet" "msg:DN APP_SERVER Possible JBoss/Tomcat JMX InvokerServlet Auth Bypass Attempt" "mz:URL|BODY" "s:$UWA:8" id:42000320 ; 


Friday, 27 September 2013

Ruleset-Update: Wordpress-UA, probably Botnet-Attack?

[+] new sigs:
42000317 :: scanner.rules :: DN SCAN Wordpress-UA, probably Botnet-Attack



MainRule "str:wordpress/" "msg:DN SCAN Wordpress-UA, probably Botnet-Attack" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000317 ;


refs:

http://thehackernews.com/2013/09/thousands-of-wordpress-blogs.html
http://pastebin.com/NP64hTQr


Wednesday, 25 September 2013

Ruleset-Updates / more scanner-rules

[+] new sigs:
42000309 :: scanner.rules :: DN SCAN Misformed Proxy-Scan
42000310 :: scanner.rules :: DN SCAN Abnormal double http:// in HTTP header,
42000311 :: scanner.rules :: DN SCAN poss. malicious Scanner using Fake UA Apache/Synapse
42000312 :: scanner.rules :: DN SCAN Havij-SQL_scanner
42000313 :: scanner.rules :: DN SCAN Joomlas Administrator-Login-Attempt
42000314 :: scanner.rules :: DN SCAN Joomla highlight.php PHP Object Injection
42000315 :: scanner.rules :: DN SCAN Generic Joomla /plugins/system - Scan
42000316 :: scanner.rules :: DN SCAN WinHttpRequest - UA

Saturday, 17 August 2013

Ruleset-Updates / SolusVM, HTTP-Smuggling, Joomla-Exploits/Java+Apache-Struts

[+] new sigs:
42000269 :: web_server.rules :: DN WEB_SERVER Possible Scan for SolusVM WHMCS Module 3.16 Vulnerability
42000270 :: web_server.rules :: DN WEB_SERVER Possible Fast-Track Tool Spidering User-Agent Detected
42000271 :: web_server.rules :: DN WEB_SERVER ForumSpammer Access
42000272 :: scanner.rules :: DN SCAN Arachni Scanner Web Scan (UA)
42000273 :: scanner.rules :: DN SCAN Arachni Web Scan (URL)
42000274 :: web_server.rules :: DN WEB_SERVER HTTP - Smuggling-Attempt (GET in Headers)
42000275 :: web_server.rules :: DN WEB_SERVER HTTP - Smuggling-Attempt (POST in Headers)
42000276 :: web_apps.rules :: DN WEB_APPS HTTP - Smuggling-Attempt (Proxy-GET in Headers)
42000277 :: web_server.rules :: DN WEB_SERVER HTTP - Smuggling-Attempt (Proxy-POST in Headers)
42000278 :: web_server.rules :: DN WEB_SERVER HTTP - Smuggling-Attempt (NewLine in URI)
42000279 :: web_server.rules :: DN WEB_SERVER HTTP Request Smuggling - Comma in Content-Type
42000280 :: web_server.rules :: DN WEB_SERVER HTTP Request Smuggling - Comma in Content-Length
42000282 :: web_server.rules :: DN WEB_SERVER HTTP Request Smuggling - Multiple Values in Transfer-Encoding
42000284 :: web_server.rules :: DN WEB_SERVER Open-Proxy-Scan
42000285 :: web_server.rules :: DN WEB_SERVER Joomla JCE-Exploit-Scan
42000286 :: app_server.rules :: DN APP_SERVER Apache Struts Possible OGNL Java ProcessBuilder URI
42000287 :: app_server.rules :: DN APP_SERVER Generic JAVA - Attempt - java.lang.Runtime in Request
42000288 :: app_server.rules :: DN APP_SERVER Generic JAVA - Attempt - getRuntime.exec() in Request
42000289 :: web_server.rules :: DN WEB_SERVER Attempt To Access MSSQL xp_servicecontrol Stored Procedure Via URI
42000290 :: web_server.rules :: DN WEB_SERVER Attempt To Access MSSQL xp_regread Stored Procedure Via URI
42000291 :: web_server.rules :: DN WEB_SERVER Attempt To Access MSSQL xp_regwrite Stored Procedure Via URI
42000292 :: web_server.rules :: DN WEB_SERVER Attempt To Access MSSQL xp_regdeletevalue Stored Procedure Via URI
42000293 :: web_server.rules :: DN WEB_SERVER Attempt To Access MSSQL xp_regdeletekey Stored Procedure Via URI
42000294 :: web_server.rules :: DN WEB_SERVER Attempt To Access MSSQL xp_fileexist Stored Procedure Via URI
42000295 :: web_server.rules :: DN WEB_SERVER Attempt To Access MSSQL xp_enumerrorlogs Stored Procedure Via URI
42000296 :: web_server.rules :: DN WEB_SERVER Attempt To Access MSSQL xp_readerrorlogs Stored Procedure Via URI
42000297 :: web_server.rules :: DN WEB_SERVER Attempt To Access MSSQL xp_enumdsn Stored Procedure Via URI
42000298 :: web_server.rules :: DN WEB_SERVER Attempt To Access MSSQLxp_enumgroups Stored Procedure Via URI
42000299 :: web_server.rules :: DN WEB_SERVER Attempt To Access MSSQL xp_ntsec_enumdomains Stored Procedure Via URI
42000300 :: scanner.rules :: DN SCAN SQLNinja Attempt To Recreate xp_cmdshell Using sp_configure
42000301 :: web_server.rules :: DN WEB_SERVER SQLNinja Attempt To Create xp_cmdshell Session
42000302 :: web_server.rules :: DN WEB_SERVER AWSTATS - Access
42000303 :: web_server.rules :: DN WEB_SERVER AWSTATS - Access (2)
42000304 :: scanner.rules :: DN SCAN Spambot Windows-Live-Social-Object-Extractor-Engine
42000305 :: scanner.rules :: DN SCAN Possible HNAP-Exploit-Attempt
42000306 :: scanner.rules :: DN SCAN Morfeus - F*cking-Scanner
42000307 :: scanner.rules :: DN SCAN WP-Contents/Plugins Access
42000308 :: web_server.rules :: DN WEB_SERVER Base64Encoded phpinfo

Sunday, 11 August 2013

DX-Console - central interface to distributed Naxsi-installations






DX-Console is a web-based frontend to a MongoDB-based Naxsi database.
It should provide centralised monitoring, analysis and alerting (tbd) for a set of distributed naxsi sensors.

Features:

  • centralised display of distributed naxsi-installations
  • dashboard for quick overview
  • latest events (kinda livelog) + marking of new events
  • alerts on new found url/ip/host
  • combined or standalone search for ips/naxsi-ids/hosts etc., e.g. ip = x.x.x.x & host = www.example.com
  • freely adjustable timerange-based filter, e.g. 1d/7d/42w, but also 7d-14d
  • audit your own ip; useful when pentesting a site
  • ip-reputation-control / feed a list of your own ips and get alerts when suspicious requests are made from those ips
  • comprehensive status-display (tbf)
  • Mark events false-positive / delete from Event_DB
  • user-administration
  • rules_id based whitelist_generation
  • saved searches (saving search-terms and results) (tbf)
  • running agents that alert when given thresholds are met, e.g. attacks/day  (tbf)
  • api-interface for agents (think nagios) (tbd)

  • flask-based application
  • modified nx_util
    • mongo-db for storing event-data
    • skip known events, thus enabling a short-term cronjob for nx_util
  • fancy webX.0 - flat njustyle webscale js-only ajax based interface bootstrap-based interface


Screenshots

  • Dashboard
  • Dashboard-charts
  • Latest Events / Livelog w/ 1 new
  • Search & result
  • Search & Charts
  • combined Search / host + peer_ip
  • Search - add new terms from interface
  • Search - predefined Searches
  • Agents-Log
  • Alerts on new found IPs/URLs etc
  • Known Sigs Display
  • System-Messages
  • Basic Admin-Interface


DX-Console was inspired by Snorby and Splunk.




Monday, 8 July 2013

FUMP - In TestBed with Naxsi

 




fump.8ack.org is a Naxsi testbed with a handful of vulnerable test apps (see list & links below).

Besides the Naxsi core rules, you'll also find the Doxi-Rules applied.

Playground-Rules

If you manage to break in and access any information you shouldn't, please contact us via lazy.dogtown@gmail.com; if you don't reject it, you will be credited in the Credits section. If your finding leads to an improvement of naxsi, you'll be given a t-shirt (please allow 2 weeks for shipping if you're outside of Europe) (first reporter only).

TestApps


Results


Please note, reports are statically generated every 15 minutes

Credits

  • Naxsi vs OWASP-Scan: 5:0

Contact & Links

  • lazy.dogtown@gmail.com
  • Naxsi: https://code.google.com/p/naxsi/
  • Doxi: https://bitbucket.org/lazy_dogtown/doxi-rules/src



Wednesday, 26 June 2013

check_nginx_status - nagios-plugin to monitor output from HttpStubStatusModule


check_nginx_status is a Nagios plugin that monitors the nginx status output and alerts on various values.

docs&downloads: https://bitbucket.org/maresystem/dogtown-nagios-plugins

Active Connections / 24hrs

Requests per Second / 24hrs

Monday, 17 June 2013

Ruleset Update / 42000268 Possible SolusVM - Exploit-attempt

[+] new sigs:
  42000268 :: web_server.rules     :: DN WEB_SERVER Possible SolusVM - Exploit-attempt

 
MainRule "str:/centralbackup.php" "msg:DN WEB_SERVER Possible SolusVM - Exploit-attempt" "mz:URL" "s:$ATTACK:8" id:42000268 ; 


for more information see
http://localhost.re/p/solusvm-11303-vulnerabilities
blog.soluslabs.com/2013/06/16/important-security-alert-new-update/
http://www.lowendbox.com/blog/a-days-recap-solusvm-exploit-released-ramnode-downtime-and-robert-clarke/

Wednesday, 5 June 2013

rules-update: Plesk Apache Zeroday Remote Exploit - possible scan

[+] new sigs:
 
  42000262 :: web_server.rules     :: DN WEB_SERVER possible WP-Scan (wp-admin)
  42000261 :: web_server.rules     :: DN WEB_SERVER possible WP-Scan (wp-login)
  42000263 :: web_server.rules     :: DN WEB_SERVER .htaccess - Access
  42000264 :: web_server.rules     :: DN WEB_SERVER .htpasswd - Access
  42000265 :: web_server.rules     :: DN WEB_SERVER Plesk Apache Zeroday Remote Exploit - possible scan



Thursday, 28 February 2013

ruleset updates

[+] new sigs:
42000249 :: scanner.rules :: DN SCAN Webserver-Scanner DataCha0s
42000259 :: web_server.rules :: DN WEB_SERVER gzinflate in URI
42000258 :: scanner.rules :: DN SCAN Brutus - Scanner
42000253 :: web_server.rules :: DN WEB_SERVER possible INC - File - Access
42000252 :: web_server.rules :: DN WEB_SERVER possible CONF-File - Access
42000251 :: scanner.rules :: DN SCAN SQL-Injection-Scanner NV32ts
42000250 :: app_server.rules :: DN APP_SERVER JBOSS/JMX REMOTE WAR deployment attempt
42000257 :: web_server.rules :: DN WEB_SERVER /bin/sh in URI
42000256 :: scanner.rules :: DN SCAN Sumthin Scan
42000255 :: scanner.rules :: DN SCAN PHP Scan Precursor
42000254 :: web_server.rules :: DN WEB_SERVER possible INI - File - Access
42000260 :: malware.rules :: DN MALWARE possible FaTaLisTiCz_Fx - Access detected

Monday, 18 February 2013

ruleset - updates (PHPShell, UA-Injection)

[+] new sigs:
42000245 :: web_server.rules :: DN WEB_SERVER PHPShell - Access detected
42000246 :: web_server.rules :: DN WEB_SERVER UA-PHP-Injection
42000247 :: web_server.rules :: DN WEB_SERVER UA-PHP-Eval - Injection
42000248 :: web_server.rules :: DN WEB_SERVER UA-Base64_Decode-Injection


Friday, 8 February 2013

doxi-tools in action


naxsi works like a charm :)

ruleset - updates


[+] new sigs:
42000240 :: scanner.rules :: DN SCAN AB - ApacheBenchmark-Tool detected
42000241 :: scanner.rules :: DN SCAN MysqlDumper - Scanner
42000242 :: scanner.rules :: DN SCAN PHPPgAdmin - Scanner
42000243 :: scanner.rules :: DN SCAN PHPMyAdmin - Scanner
42000244 :: scanner.rules :: DN SCAN PHPMyAdmin - Scanner (2)


have pun!




Thursday, 24 January 2013

ruleset - update

[+] new sigs:
42000239 :: web_apps.rules :: DN WEB_APPS Typo3-JumpURL-Access
42000238 :: scanner.rules :: DN SCAN NMAP SQLSpider-Scan
42000235 :: malware.rules :: DN MALWARE C99-Shell SelfKill detected
42000234 :: malware.rules :: DN MALWARE Possible Webshell-Access
42000237 :: malware.rules :: DN MALWARE C99-Shell SelfKill detected
42000236 :: web_server.rules :: DN WEB_SERVER DoubleDot in URL

Thursday, 10 January 2013

doxi-tools in action


this is a screenshot from [ dx-result -x ], showing the 24hrs event-summary on an nginx reverse proxy in front of 2 webapps with moderate traffic (approx. 3000 visitors/day)

screenshot from [ dx-result -i 42000122 ], showing the 24hrs and part of the 7days event-summary for that particular SID

screenshot from [ dx-update -x ], showing 6 new rules that are available for this update

Wednesday, 9 January 2013

ruleset-update / misc RAILS/ColdFusion - Vulns



download the complete rulesets:
https://bitbucket.org/lazy_dogtown/doxi-rules/src
[+] new sigs:
  42000228 :: web_server.rules     :: DN WEB_SERVER /etc/passwd encoded as Base64
  42000229 :: app_server.rules     :: DN APP_SERVER ColdFusion - Vuln-URL-Access administrator
  42000231 :: app_server.rules     :: DN APP_SERVER ColdFusion - Vuln-URL-Access componentutils
  42000230 :: app_server.rules     :: DN APP_SERVER ColdFusion - Vuln-URL-Access adminapi
  42000233 :: app_server.rules     :: DN APP_SERVER Possible RAILS - Exploit using type=symbol
  42000232 :: app_server.rules     :: DN APP_SERVER Possible RAILS - Exploit using type=yaml



Thursday, 3 January 2013

ruleset update


more scanner.rules

[+] new sigs:
42000187 :: scanner.rules :: DN SCAN Scanner Absinthe
42000204 :: scanner.rules :: DN SCAN Scanner Pavuk - Website Mirroring Tool for Off-line Analysis
42000206 :: scanner.rules :: DN SCAN Scanner SQL Power Injector SQL Injection
42000207 :: scanner.rules :: DN SCAN Scanner Sipvicious User-Agent Detected
42000200 :: scanner.rules :: DN SCAN Scanner Mysqloit - Mysql Injection Takover Tool
42000201 :: scanner.rules :: DN SCAN Scanner Netsparker
42000202 :: scanner.rules :: DN SCAN Netsparker-Scan in Progress
42000203 :: scanner.rules :: DN SCAN Scanner Paros Proxy Scanner
42000215 :: app_server.rules :: DN APP_SERVER Tomcat Auth Brute Force attempt (manager)
42000208 :: scanner.rules :: DN SCAN Scanner Sipvicious
42000209 :: scanner.rules :: DN SCAN Scanner Toata Scanner User-Agent Detected
42000189 :: scanner.rules :: DN SCAN Scanner Watchfire AppScan Web App Vulnerability Scanner
42000188 :: scanner.rules :: DN SCAN Acunetix-Scanner detected
42000211 :: app_server.rules :: DN APP_SERVER Tomcat Auth Brute Force attempt (tomcat)
42000210 :: app_server.rules :: DN APP_SERVER Tomcat Auth Brute Force attempt (admin)
42000194 :: scanner.rules :: DN SCAN Scanner DavTest WebDav Vulnerability Scanner
42000195 :: scanner.rules :: DN SCAN Scanner DirBuster Web App Scan
42000196 :: scanner.rules :: DN SCAN Scanner Grendel Web Scan
42000197 :: scanner.rules :: DN SCAN Scanner Httprecon Web Server Fingerprint Scan
42000190 :: scanner.rules :: DN SCAN Scanner AutoGetColumn
42000191 :: scanner.rules :: DN SCAN Scanner bsqlbf Brute Force SQL Injection
42000192 :: scanner.rules :: DN SCAN Scanner Cisco-torch
42000193 :: scanner.rules :: DN SCAN Scanner crimscanner
42000198 :: scanner.rules :: DN SCAN Scanner IBM NSA User Agent
42000199 :: scanner.rules :: DN SCAN Scanner Mini MySqlatOr SQL Injection
42000219 :: scanner.rules :: DN SCAN Scanner Python-urllib
42000218 :: scanner.rules :: DN SCAN Scanner WafWoof Web Application Firewall Detection Scan
42000205 :: scanner.rules :: DN SCAN Scanner SQL Injection Attempt (Agent uil2pn)
42000216 :: app_server.rules :: DN APP_SERVER Tomcat admin-admin login credentials
42000217 :: scanner.rules :: DN SCAN Tomcat upload from external source
42000222 :: scanner.rules :: DN SCAN Open-Proxy ScannerBot (webcollage-UA)
42000223 :: scanner.rules :: DN SCAN Scanner WebShag Web Application Scan
42000220 :: scanner.rules :: DN SCAN Scanner WebHack Control Center
42000221 :: scanner.rules :: DN SCAN Scanner Python-httplib
42000226 :: scanner.rules :: DN SCAN Scanner WITOOL SQL Injection Scan
42000227 :: scanner.rules :: DN SCAN Scanner ZmEu exploit scanner
42000224 :: scanner.rules :: DN SCAN Scanner Wikto Scan
42000225 :: scanner.rules :: DN SCAN Wikto Backend Data Miner Scan

rules-update

[+] new sigs:
42000175 :: scanner.rules :: DN SCAN Scanner wordpress hash grabber
42000186 :: scanner.rules :: DN SCAN Scanner / Broken UserAgent
42000185 :: scanner.rules :: DN SCAN Scanner t34mh4k
42000184 :: scanner.rules :: DN SCAN Scanner Fake GoogleBot
42000183 :: app_server.rules :: DN APP_SERVER Scanner neuralbot
42000182 :: scanner.rules :: DN SCAN Scanner gameboy
42000181 :: scanner.rules :: DN SCAN Scanner webster pro
42000180 :: scanner.rules :: DN SCAN Scanner picscout
42000179 :: scanner.rules :: DN SCAN Scanner digimarc webreader
42000165 :: scanner.rules :: DN SCAN Scanner kmccrew
42000164 :: scanner.rules :: DN SCAN Scanner casper
42000132 :: scanner.rules :: DN SCAN Scanner blackwidow
42000133 :: scanner.rules :: DN SCAN Scanner bwh3_user_agent
42000130 :: scanner.rules :: DN SCAN Scanner backdoor
42000131 :: scanner.rules :: DN SCAN Scanner bilbo
42000136 :: scanner.rules :: DN SCAN Scanner copyguard
42000137 :: scanner.rules :: DN SCAN Scanner copyrightcheck
42000134 :: scanner.rules :: DN SCAN Scanner cgichk
42000135 :: scanner.rules :: DN SCAN Scanner cherrypickernice
42000138 :: scanner.rules :: DN SCAN Scanner datacha0s
42000139 :: scanner.rules :: DN SCAN Scanner exploit
42000174 :: scanner.rules :: DN SCAN PHP-Injetion on UA
42000150 :: scanner.rules :: DN SCAN Scanner .nasl
42000151 :: scanner.rules :: DN SCAN Scanner whatweb
42000152 :: scanner.rules :: DN SCAN Scanner nsauditor
42000153 :: scanner.rules :: DN SCAN Scanner n-stealth
42000154 :: scanner.rules :: DN SCAN Scanner pmafind
42000155 :: scanner.rules :: DN SCAN Scanner poe-component-client
42000156 :: scanner.rules :: DN SCAN Scanner safexplorer
42000157 :: scanner.rules :: DN SCAN Scanner s.t.a.l.k.e.r
42000158 :: scanner.rules :: DN SCAN Scanner webinspect
42000159 :: scanner.rules :: DN SCAN Scanner webmole
42000176 :: scanner.rules :: DN SCAN Scanner chinaclaw
42000173 :: scanner.rules :: DN SCAN Scanner SkipFish
42000170 :: scanner.rules :: DN SCAN Scanner sqlmap
42000178 :: scanner.rules :: DN SCAN Scanner w3af
42000171 :: scanner.rules :: DN SCAN Scanner whisker
42000177 :: scanner.rules :: DN SCAN Scanner n-stealth
42000169 :: scanner.rules :: DN SCAN Scanner Nmap
42000168 :: scanner.rules :: DN SCAN Scanner Springenwerk
42000127 :: scanner.rules :: DN SCAN Scanner Amiga-Aweb
42000172 :: scanner.rules :: DN SCAN Scanner XSSS (probably)
42000161 :: scanner.rules :: DN SCAN Scanner siphon
42000160 :: scanner.rules :: DN SCAN Scanner core-project
42000163 :: scanner.rules :: DN SCAN Scanner twengabot
42000162 :: scanner.rules :: DN SCAN Scanner autoemailspider
42000129 :: scanner.rules :: DN SCAN Scanner atomic_email_hunter
42000128 :: scanner.rules :: DN SCAN Nessus-Scanner detected
42000167 :: scanner.rules :: DN SCAN Scanner Acunetix
42000166 :: scanner.rules :: DN SCAN Scanner planetwork
42000143 :: scanner.rules :: DN SCAN Scanner internet-exprorer
42000142 :: scanner.rules :: DN SCAN Scanner gameboy
42000141 :: scanner.rules :: DN SCAN Scanner fantombrowser
42000140 :: scanner.rules :: DN SCAN Scanner extractor
42000147 :: scanner.rules :: DN SCAN Scanner mosiac
42000146 :: scanner.rules :: DN SCAN Scanner morzilla
42000145 :: scanner.rules :: DN SCAN Scanner morfeus
42000144 :: scanner.rules :: DN SCAN Scanner jaascois
42000149 :: scanner.rules :: DN SCAN Scanner nameofagent
42000148 :: scanner.rules :: DN SCAN Scanner murzillo

doxi-tools 0.2 released

doxi-tools are now available in v0.2, see
https://bitbucket.org/lazy_dogtown/doxi for details
and the Changelog for what's new.

the main change: the ruleset itself is now a separate
git-repo for more flexibility, see
https://bitbucket.org/lazy_dogtown/doxi-rules