
Security Scanner Detection

Alert ID: scanner_detection
MITRE ATT&CK: T1595 – Active Scanning · T1046 – Network Service Scanning


| Level | Condition |
|---|---|
| Low | Information tools such as WhatWeb, curl, wget |
| Medium | Directory bruteforcers such as Gobuster/DirBuster, WAF detectors |
| High | Vulnerability scanners such as Nikto, WPScan, Nessus, Acunetix |
| Critical | Automated injection/exploitation tools such as SQLMap or Metasploit |

  • Automated reconnaissance: often the first phase of a targeted attack.
  • Vulnerability discovery: broad mapping of exploitable vectors.
  • Attack preparation: inventory and prioritization of targets.
  • Possible automatic exploitation: scanner plus vulnerability can lead to imminent compromise.

  • User-Agent detection against more than 50 known patterns.
  • Behavioral analysis: bursts of 404s and sequential requests to common paths.
  • Severity increases if login attempts, malicious requests, or payloads are observed.
  • Cooldown: 5 minutes per IP/tool.
  • Automatic critical response for tools categorized as exploitation tools, such as SQLMap or Metasploit.

| Type | Example |
|---|---|
| user_agent | sqlmap/1.5.2#stable |
| user_agent | Mozilla/5.0 (compatible; Nmap Scripting Engine) |
| user_agent | WPScan vX.Y.Z |
| user_agent | Nikto/X.Y.Z |
| behavior | Multiple 404s in <1 second against common paths |
| behavior | Enumeration patterns: /wp-admin/, /wp-login.php, .env, /backup/, wp-content/plugins/ |
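The detection logic above (User-Agent signatures mapped to severity levels, a 404 burst against common enumeration paths, and a 5-minute cooldown per IP/tool) as an added, self-contained example that is not part of the original page or its detection engine. The log lines are constructed, the User-Agent list is only a small subset of the 50+ patterns the alert matches, and the burst threshold of three 404s and the "medium" level for a purely behavioral hit are assumptions made for the example.

```python
import re
from datetime import datetime
# Constructed sample access log lines (combined format); IPs are from the documentation range, not real traffic
LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "sqlmap/1.5.2#stable"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-admin/ HTTP/1.1" 404 162 "-" "sqlmap/1.5.2#stable"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /.env HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /backup/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-admin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:45 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.1.2"
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
# User-Agent signatures per severity level (a small subset of the 50+ patterns the alert matches)
UA_RULES = [("critical", r"sqlmap|metasploit"), ("high", r"nikto|wpscan|nessus|acunetix"),
            ("medium", r"gobuster|dirbuster"), ("low", r"whatweb|curl/|wget/")]
COMMON_PATHS = ("/wp-admin/", "/wp-login.php", "/.env", "/backup/", "/wp-content/plugins/")
BURST_404S = 3     # this many 404s on enumeration paths within one second is a behavioral hit (assumed threshold)
COOLDOWN = 300     # seconds before the same IP/tool pair may raise another alert

def classify_ua(ua):
    """Return (severity, tool) for a scanner User-Agent, or None when no signature matches."""
    for level, pattern in UA_RULES:
        m = re.search(pattern, ua, re.I)
        if m:
            return level, m.group(0).lower().rstrip("/")
    return None

def detect(log_text, cooldown=COOLDOWN):
    """Return (ip, severity, tool) alerts from UA signatures and 404 bursts, honouring the cooldown."""
    alerts, last_seen, bursts = [], {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not combined-format entries
        ip, ts, path, status, ua = m.groups()
        t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        hit = classify_ua(ua)
        hits = [hit] if hit else []
        # behavioral rule: keep a 1-second sliding window of 404s against common paths per IP
        if status == "404" and path in COMMON_PATHS:
            bursts[ip] = [x for x in bursts.get(ip, []) if t - x <= 1.0] + [t]
            if len(bursts[ip]) >= BURST_404S:
                hits.append(("medium", "404-burst"))  # severity for a pure behavioral hit is an assumption
        for level, tool in hits:
            if t - last_seen.get((ip, tool), float("-inf")) >= cooldown:
                last_seen[(ip, tool)] = t
                alerts.append((ip, level, tool))
    return alerts
```

Running `detect(LOG)` yields one critical alert for the sqlmap source (its second request falls inside the cooldown), one medium behavioral alert for the 404 burst from a browser-like User-Agent, and one low alert for curl.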

  • Legitimate SEO crawlers and search engines.
  • Monitoring or uptime tools.
  • Contracted security services or authorized penetration tests.
  • Developers using curl, wget, or diagnostic tools.

!!! tip ""
    Always verify source IP, context such as time and ASN, and authorization before blocking.


  1. Analyze User-Agent and frequency:

     ```bash
     grep -iE "nikto|sqlmap|wpscan|nmap" access.log
     ```

  2. List tested paths and count 404s:

     ```bash
     # combined log format: field 9 is the status code, field 7 the request path
     awk '$9 == 404 {print $7}' access.log | sort | uniq -c | sort -nr
     ```
  3. Measure scope: scan duration, total requests, sizes, and patterns.

  4. Correlate with WAF/IDS data: triggered rules and previous blocks.

  5. For critical tools, assume active exploitation intent and escalate to urgent response.


=== "Immediate"

    !!! danger ""
        - Block IPs that combine suspicious User-Agents with scanning behavior.
        - Apply aggressive rate limiting and tarpitting for persistent sources.
        - Investigate urgently if the tool is SQLMap or Metasploit.
        - Deploy honeypots or fake endpoints to collect attacker TTPs.

=== "Preventive"

    !!! tip ""
        Filter known User-Agents at the web-server level (Nginx):

        ```nginx
        # Valid in server or location context; the regex is quoted so the
        # parentheses are not misread by the configuration parser
        if ($http_user_agent ~* "(nikto|sqlmap|wpscan|nmap|acunetix)") {
            return 403;
        }
        ```

        - Implement tarpit/slowdown behavior for persistent scanners.
        - Return fake responses for administrative paths in unauthorized layers.
        - Use WAF/Cloudflare anti-scanner rules and global rate limiting.
        - Configure Fail2ban jails based on scanning patterns and 404 floods.

  • MITRE ATT&CK T1595 / T1046
  • SANS — Detecting Scanners and Reconnaissance
  • SecLists — common User-Agents and scan signatures