alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Skipfish Web Application Scan Detected (2)"; content: "GET"; content: ".old"; content: "User-Agent"; content: "Mozilla/5.0 SF/"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,isc.sans.org/diary.html?storyid=8467; reference:url,code.google.com/p/skipfish/; reference:url,doc.emergingthreats.net/2010956; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001815; rev:2;)
-- Main.Sagan-Wiki-Add - 2015-10-21
New revisions of 5001815 will be below...
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Skipfish Web Application Scan Detected (2)"; content: "GET"; content: ".old"; content: "User-Agent"; content: "Mozilla/5.0 SF/"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,isc.sans.org/diary.html?storyid=8467; reference:url,code.google.com/p/skipfish/; reference:url,doc.emergingthreats.net/2010956; xbits: set,recon,track ip_src,expire 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001815; rev:3;)
-- Main.Sagan-Wiki-Add - 2021-4-12