stamparm / maltrail

Malicious traffic detection system
MIT License

heuristic mechanisms #142

Closed ghost closed 7 years ago

ghost commented 7 years ago

What are the heuristic mechanisms in the code that can detect unknown threats?

stamparm commented 7 years ago

There are lots of them. You can go through https://github.com/stamparm/maltrail/blob/master/sensor.py and search for HEURISTICS. In short:

1) Missing Host header in HTTP requests (this check is disabled by default)
2) Proxy "probe" detection (i.e. detection of HTTP requests containing full http://... URI as request path)
3) HTTP requests with suspicious User-agent header value (blacklist regexes can be found in misc/ua.txt)
4) Access to pages redirecting to (default) non-existent page of the web page provider (e.g. defaultwebpage.cgi)
5) Pages often accessed by web page scanners (e.g. inexistent_file_name.inexistent)
6) Potential web shell paths (e.g. albanianshell.php)
7) Potential SQL/XSS/FI/LDAP/XXE/PHP injection HTTP requests
8) Config file access
9) Potential remote code execution
10) Potential directory traversal
11) DNS sinkhole detection
12) Access to parked sites
13) Potential DNS exhaustion
14) Port scanning
15) Excessive NXDOMAIN traffic
16) Access to domains having large entropy or too many consonants in their name
17) Access to domains with large (sub)domain names
...
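As an added illustration of heuristics 1, 2, 16 and 17 from the list above (example code, not maltrail's own sensor.py; the function names, the thresholds and the sample inputs are assumptions made for this example):

```python
import math
import re

# Thresholds are assumptions for this example, not maltrail's real values.
ENTROPY_THRESHOLD = 3.5        # bits per character of the non-TLD part of a name
CONSONANT_RUN_THRESHOLD = 5    # consecutive consonants that look machine-generated
MAX_LABEL_LENGTH = 40          # longest DNS label considered "normal"

CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{%d,}" % CONSONANT_RUN_THRESHOLD)


def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def check_http_request(raw):
    """Heuristics 1 and 2: missing Host header and proxy 'probe' request paths."""
    hits = []
    lines = raw.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:            # not a request line we understand
        return hits
    method, path, version = parts
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    if version == "HTTP/1.1" and "host" not in headers:   # Host is mandatory in HTTP/1.1
        hits.append("missing host header")
    if re.match(r"https?://", path, re.I):                 # absolute URI => proxy probe
        hits.append("proxy probe")
    return hits


def check_domain(domain):
    """Heuristics 16 and 17: entropy, consonant runs and oversized labels."""
    hits = []
    labels = domain.lower().rstrip(".").split(".")
    name = "".join(labels[:-1])    # ignore the TLD, it adds no signal
    if shannon_entropy(name) > ENTROPY_THRESHOLD:
        hits.append("high entropy")
    if CONSONANT_RUN.search(name):
        hits.append("consonant run")
    if any(len(label) > MAX_LABEL_LENGTH for label in labels):
        hits.append("long label")
    return hits
```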