Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Hack Tool User Agent

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Hack Tool User Agent

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: Hack Tool User Agent
id: c42a3073-30fb-48ae-8c99-c23ada84b103
status: test
description: Detects suspicious user agent strings user by hack tools in proxy logs
references:
    - https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
    - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2022-07-07
tags:
    - attack.initial-access
    - attack.t1190
    - attack.credential-access
    - attack.t1110
logsource:
    category: proxy
detection:
    selection:
        c-useragent|contains:
            # Vulnerability scanner and brute force tools
            - '(hydra)'
            - ' arachni/'
            - ' BFAC '
            - ' brutus '
            - ' cgichk '
            - 'core-project/1.0'
            - ' crimscanner/'
            - 'datacha0s'
            - 'dirbuster'
            - 'domino hunter'
            - 'dotdotpwn'
            - 'FHScan Core'
            - 'floodgate'
            - 'get-minimal'
            - 'gootkit auto-rooter scanner'
            - 'grendel-scan'
            - ' inspath '
            - 'internet ninja'
            - 'jaascois'
            - ' zmeu '
            - 'masscan'
            - ' metis '
            - 'morfeus fucking scanner'
            - 'n-stealth'
            - 'nsauditor'
            - 'pmafind'
            - 'security scan'
            - 'springenwerk'
            - 'teh forest lobster'
            - 'toata dragostea'
            - ' vega/'
            - 'voideye'
            - 'webshag'
            - 'webvulnscan'
            - ' whcc/'
            # SQL Injection
            - ' Havij'
            - 'absinthe'
            - 'bsqlbf'
            - 'mysqloit'
            - 'pangolin'
            - 'sql power injector'
            - 'sqlmap'
            - 'sqlninja'
            - 'uil2pn'
            # Hack tool
            - 'ruler'  # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'  # SQLi Dumper
    condition: selection
falsepositives:
    - Unknown
level: high

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/web/proxy_generic/proxy_ua_hacktool.yml