Description
I have some of the Sagan rulesets imported by default on my system, and I'm raising some false alerts on messages containing the content that the rules are checking for.
I want to know what a real web-attack message would look like so I can distinguish it from my false alerts.
This is the rule in particular that I'm interested in:
```
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Suspicious User-Agent Containing Web Scan/er, Likely Web Scanner"; content: "User-Agent"; content: "web"; nocase; distance: 1; within: 100; content:"scan"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2010088; xbits: set,recon,track ip_src,expire 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; content: !"scandal"; classtype:attempted-recon; sid:5001821; rev:4;)
```
From here: https://github.com/quadrantsec/sagan-rules/blob/main/web-attack.rules#L73
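As an added illustration (not part of the original issue, and not code from the sagan-rules project or the Sagan engine), the Python below models the content-matching part of sid:5001821 and runs it over a handful of constructed syslog lines. It assumes Snort-style semantics for the rule options: `content` without `nocase` is case-sensitive, `distance`/`within` are measured from the end of the previous match, a `content` with no relative modifiers is searched anywhere in the message, and `content: !"scandal"` is an exclusion. `parse_src_ip: 1` / `parse_dst_ip: 2` are modelled as "first and second IPv4 address found in the message". The hostnames, IPs and log lines are invented, and whether Sagan's engine applies exactly these window semantics is an assumption, so treat this as a reading aid for the rule rather than a reimplementation of Sagan.

```python
"""Model of sagan-rules sid:5001821 (web-scanner User-Agent) over sample log lines.

Added example, not project code. Semantics below are an assumed Snort-style
reading of the rule options, not a statement about Sagan's actual engine.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Hit:
    src_ip: Optional[str]   # parse_src_ip: 1 -> first IPv4 in the message (assumed)
    dst_ip: Optional[str]   # parse_dst_ip: 2 -> second IPv4 in the message (assumed)
    ua_snippet: str         # text around the "web" match, for triage


def find_nocase(haystack: str, needle: str, start: int = 0) -> int:
    return haystack.lower().find(needle.lower(), start)


def match_sid_5001821(msg: str) -> Optional[Hit]:
    """Return a Hit if msg would fire under the modelled semantics, else None."""
    # content: "User-Agent"  -> no nocase, so case-sensitive; searched anywhere.
    ua = msg.find("User-Agent")
    if ua < 0:
        return None
    ua_end = ua + len("User-Agent")

    # content: "web"; nocase; distance: 1; within: 100
    # Modelled as: search starts 1 byte after the previous match ends and the
    # match must lie inside the following 100 bytes.
    region_start = ua_end + 1
    region = msg[region_start:region_start + 100]
    web = find_nocase(region, "web")
    if web < 0:
        return None

    # content: "scan"; nocase  -> no distance/within, so anywhere in the message.
    if find_nocase(msg, "scan") < 0:
        return None

    # content: !"scandal"  -> negated and case-sensitive: any "scandal" suppresses the alert.
    if "scandal" in msg:
        return None

    ips = IPV4.findall(msg)
    return Hit(
        src_ip=ips[0] if len(ips) > 0 else None,
        dst_ip=ips[1] if len(ips) > 1 else None,
        ua_snippet=region[web:web + 40].strip(),
    )


# Constructed sample messages (invented hosts, IPs and requests; not real logs).
SAMPLES: Dict[str, str] = {
    # A scanner-looking User-Agent: the kind of line the rule is written for.
    "scanner_ua": '<134>Jan 12 10:00:01 web01 nginx: 198.51.100.7 -> 203.0.113.10 '
                  '"GET /admin/ HTTP/1.1" 404 User-Agent: WebScan/1.4 (automated scanner)',
    # An ordinary browser that fires only because "AppleWebKit" sits within 100 bytes
    # of "User-Agent" and an unrelated "scanned" appears elsewhere in the line.
    "browser_fp": '<134>Jan 12 10:00:02 web01 nginx: 198.51.100.20 -> 203.0.113.10 '
                  '"GET /docs/scanned-invoice.pdf HTTP/1.1" 200 User-Agent: Mozilla/5.0 '
                  '(X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36',
    # Would match on "web"+"scan" but is suppressed by the negated "scandal" content.
    "scandal": '<134>Jan 12 10:00:03 web01 nginx: 198.51.100.21 -> 203.0.113.10 '
               '"GET /news/web-scandal-2024 HTTP/1.1" 200 User-Agent: Mozilla/5.0 AppleWebKit/537.36',
    # Header in lowercase: "User-Agent" has no nocase, so this never enters the rule.
    "lowercase_header": '<134>Jan 12 10:00:04 app01 myapp: client 198.51.100.22 '
                        'user-agent: webscan/1.0 requested /login',
    # "web" appears, but more than 100 bytes after "User-Agent", outside the within window.
    "web_too_far": '<134>Jan 12 10:00:05 web01 nginx: 198.51.100.23 -> 203.0.113.10 '
                   'User-Agent: Mozilla/5.0 ' + 'x' * 110 + ' webscan',
}


def evaluate_all() -> Dict[str, bool]:
    """Map each sample name to whether the modelled rule fires on it."""
    return {name: match_sid_5001821(msg) is not None for name, msg in SAMPLES.items()}


def firing_sources() -> List[str]:
    """Source IPs the xbits 'recon' tracker would be set for, under the model."""
    hits = (match_sid_5001821(m) for m in SAMPLES.values())
    return [h.src_ip for h in hits if h is not None and h.src_ip]


if __name__ == "__main__":
    for name, fired in evaluate_all().items():
        hit = match_sid_5001821(SAMPLES[name])
        detail = f" src={hit.src_ip} dst={hit.dst_ip} ua='{hit.ua_snippet}'" if hit else ""
        print(f"{name:17s} fired={fired}{detail}")
```

The `browser_fp` sample is the shape of false alert the issue describes: nothing about the request is a scan, but "AppleWebKit" supplies the `web` match and any "scan" token anywhere in the line completes the rule. Comparing that against `scanner_ua`, where the scanner string is the User-Agent value itself, is the distinction worth checking when triaging these alerts.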