LoFP / internal development or testing scripts. consider filtering by source ip if this is expected from certain systems.

Techniques

• t1595

Sample rules

Potential Hello-World Scraper Botnet Activity

• source: sigma
• technicques:
  • t1595

Description

Detects network traffic potentially associated with a scraper botnet variant that uses the “Hello-World/1.0” user-agent string.

Detection logic

condition: selection
selection:
  c-useragent: Hello-World/1.0
  cs-method: GET