I'm doing analysis against a company server that runs Qualys. I'm looking for information or resources on what Qualys activity would look like in a pcap. How would you notice Qualys in Wireshark?
I see a lot of GET requests that fail: GET /"><script>alert(document.domain... GET /Telerik.Wb.UI.Dialoghander.ashx?aspx?checkhandler=true GET /NmConsole/platform GET /openapi/v2 GET WebLogic/....
^I believe this is a banner disclosure. If so it is likely all you would need in the pcap.
Does Qualys present itself in header information always/purposefully? These appear to be clear signs of vulnerability scanning. Could I check Qualys signatures? Does Qualys use a specific port? Is there any way for me to say, yes, I'm seeing Qualys specifically?
First, always open a ticket with the TAM, as I am no Qualys expert. If you are doing an OS Vulnerability scan you can get your TAM to open the PCAP Scan option. You can only scan one IP, and you get a PCAP of the scan if that is something you desire.
Now for both OS Vulnerability Scan and for Web Application you can add "markers" that would tell your other tools it is a valid scanner other than an IP.
For example, I know in the WAS Module you have headers and I think on OS you can set. Say you want a header of
You can add that into the scan profile and that would be transmitted when Qualys is testing a web service. The X- would be generic and any web server/client would accept it but just ignore the content.
Let me know if that makes sense.
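The marker-header approach described in the reply above, sketched as an added example that is not part of the original thread or any Qualys code: it checks HTTP requests pulled from a capture for a scan-profile marker header and cross-checks the source IP. The header name and value, the scanner IP and the sample requests are all hypothetical or constructed, since the thread does not give the real ones.

```python
from collections import Counter

# Hypothetical marker; the thread does not give the real header name or value.
MARKER_NAME = "X-Scanner-Marker"
MARKER_VALUE = "placeholder-token"

def parse_request(raw):
    """Split one raw HTTP request head into (method, uri, headers dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 3:
        return None  # not a well-formed request line
    method, uri = parts[0], " ".join(parts[1:-1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    return method, uri, headers

def classify(flows, scanner_ips):
    """flows: iterable of (src_ip, raw_request). Returns a Counter of verdicts."""
    verdicts = Counter()
    for src_ip, raw in flows:
        parsed = parse_request(raw)
        if parsed is None:
            verdicts["unparsed"] += 1
            continue
        marked = parsed[2].get(MARKER_NAME.lower()) == MARKER_VALUE
        known = src_ip in scanner_ips
        if marked and known:
            verdicts["authorized_scan"] += 1
        elif marked:
            # Any client can send the header, so a marker from an unknown IP is suspect.
            verdicts["marker_from_unknown_ip"] += 1
        elif known:
            verdicts["scanner_ip_no_marker"] += 1
        else:
            verdicts["unmarked"] += 1
    return verdicts

# Constructed sample traffic (documentation IP ranges), not from a real capture.
SAMPLE = [
    ("192.0.2.10", "GET /openapi/v2 HTTP/1.1\r\nHost: app.example\r\nx-scanner-marker: placeholder-token\r\n\r\n"),
    ("192.0.2.10", "GET /NmConsole/platform HTTP/1.1\r\nHost: app.example\r\n\r\n"),
    ("198.51.100.7", "GET /openapi/v2 HTTP/1.1\r\nHost: app.example\r\nX-Scanner-Marker: placeholder-token\r\n\r\n"),
    ("198.51.100.7", "GET /index.html HTTP/1.1\r\nHost: app.example\r\n\r\n"),
]
```

Calling `classify(SAMPLE, {"192.0.2.10"})` sorts the four constructed requests into one verdict each; in practice the `(src_ip, raw_request)` pairs would come from whatever export of the capture you already use.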