Snort mailing list archives
Subject: html post question
From: Rich Adamson <radamson () routers com>
Date: Tue, 9 Dec 2003 08:20:55 -0600
Wonder if someone on the list might recognize the pkt content shown below. We're seeing a number of hosts posting spam via this request2.cgi perl script on RH9 with Apache.

Two questions:

1. Is this becoming a fairly common spamming method?
2. I'm assuming the perl script should be updated to validate the posted data (which it obviously is not now), correct?
3. If I were to write a rule to detect this, it would appear the only key content items are "POST" and the length of the packet (normally would not expect anything greater than about 500 bytes). Anyone spot other key info that could be used in a rule?

Rich

ADDR  HEX                                              ASCII
0040: 78 6d 50 4f 53 54 20 2f 63 67 69 2d 62 69 6e 2f | xmPOST /cgi-bin/
0050: 72 65 71 75 65 73 74 32 2e 63 67 69 20 48 54 54 | request2.cgi HTT
0060: 50 2f 31 2e 30 0d 0a 52 65 66 65 72 65 72 3a 20 | P/1.0..Referer: 
0070: 68 74 74 70 3a 2f 2f 77 77 77 2e 72 6f 75 74 65 | http://www.route
0080: 72 73 2e 63 6f 6d 2f 0d 0a 43 6f 6e 74 65 6e 74 | rs.com/..Content
0090: 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 | -Type: applicati
00a0: 6f 6e 2f 78 2d 77 77 77 2d 75 72 6c 2d 65 6e 63 | on/x-www-url-enc
00b0: 6f 64 65 64 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 | oded..Content-Le
00c0: 6e 67 74 68 3a 20 31 35 32 32 37 0d 0a 43 6f 6e | ngth: 15227..Con
00d0: 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c | nection: keep-al
00e0: 69 76 65 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 72 | ive..Host: www.r
00f0: 6f 75 74 65 72 73 2e 63 6f 6d 0d 0a 0d 0a 6e 68 | outers.com....nh
0100: 63 3d 42 61 6e 6b 69 6e 67 20 41 73 73 65 73 73 | c=Banking Assess
0110: 6d 65 6e 74 26 62 6c 3d 4e 65 74 20 50 65 72 66 | ment&bl=Net Perf
0120: 6f 72 6d 61 6e 63 65 26 66 72 61 3d 4e 65 74 44 | ormance&fra=NetD
0130: 6f 63 73 26 72 65 74 3d 4f 6e 2d 53 69 74 65 20 | ocs&ret=On-Site 
0140: 54 72 61 69 6e 69 6e 67 26 73 74 61 3d 56 75 6c | Training&sta=Vul
0150: 6e 65 72 61 62 69 6c 69 74 79 20 41 73 73 65 73 | nerability Asses
0160: 73 6d 65 6e 74 26 6f 74 68 3d 4f 74 68 65 72 26 | sment&oth=Other&
0170: 4f 74 68 65 72 49 6e 66 6f 3d 66 72 65 64 64 79 | OtherInfo=freddy
0180: 38 30 38 40 77 77 77 2e 72 6f 75 74 65 72 73 2e | 808@www.routers.
0190: 63 6f 6d 26 6e 61 6d 65 3d 25 30 41 54 6f 25 33 | com&name=%0ATo%3
01a0: 41 2b 66 72 65 64 64 79 38 30 38 25 34 30 77 77 | A+freddy808%40ww
01b0: 77 25 32 45 72 6f 75 74 65 72 73 25 32 45 63 6f | w%2Erouters%2Eco
01c0: 6d 25 30 41 46 72 6f 6d 25 33 41 2b 41 64 6f 62 | m%0AFrom%3A+Adob
01d0: 65 50 68 6f 74 6f 73 68 6f 70 37 30 35 36 31 25 | ePhotoshop70561%
01e0: 34 30 71 75 69 6b 25 32 45 63 6f 6d 25 30 41 62 | 40quik%2Ecom%0Ab
01f0: 63 63 25 33 41 2b 79 74 6b 64 34 25 34 30 61 6f | cc%3A+ytkd4%40ao
0200: 6c 25 32 45 63 6f 6d 25 32 43 62 65 63 6b 6e 61 | l%2Ecom%2Cbeckna
0210: 74 61 6c 69 65 25 34 30 61 6f 6c 25 32 45 63 6f | talie%40aol%2Eco
0220: 6d 25 32 43 76 65 72 69 74 61 73 68 25 34 30 61 | m%2Cveritash%40a
0230: 6f 6c 25 32 45 63 6f 6d 25 32 43 69 6c 69 76 65 | ol%2Ecom%2Cilive
0240: 69 6e 74 68 65 74 76 25 34 30 61 6f 6c 25 32 45 | inthetv%40aol%2E
0250: 63 6f 6d 25 32 43 67 75 72 32 64 32 25 34 30 61 | com%2Cgur2d2%40a
0260: 6f 6c 25 32 45 63 6f 6d 25 32 43 6b 65 73 74 72 | ol%2Ecom%2Ckestr
0270: 61 32 31 36 31 25 34 30 61 6f 6c 25 32 45 63 6f | a2161%40aol%2Eco
0280: 6d 25 32 43 6e 79 6f 6e 63 6f 6c 6f 67 79 63 61 | m%2Cnyoncologyca
0290: 72 65 25 34 30 61 6f 6c 25 32 45 63 6f 6d 25 32 | re%40aol%2Ecom%2
02a0: 43 68 6a 6b 61 68 6c 25 34 30 61 6f 6c 25 32 45 | Chjkahl%40aol%2E
02b0: 63 6f 6d 25 32 43 66 72 6f 67 67 79 62 69 6b 65 | com%2Cfroggybike
02c0: 72 25 34 30 61 6f 6c 25 32 45 63 6f 6d 25 32 43 | r%40aol%2Ecom%2C
02d0: 74 65 68 37 34 34 25 34 30 61 6f 6c 25 32 45 63 | teh744%40aol%2Ec
02e0: 6f 6d 25 32 43 6a 72 6f 62 69 74 35 33 35 32 25 | om%2Cjrobit5352%
02f0: 34 30 61 6f 6c 25 32 45 63 6f 6d 25 32 43 64 6a | 40aol%2Ecom%2Cdj
0300: 61 63 65 31 32 25 34 30 61 6f 6c 25 32 45 63 6f | ace12%40aol%2Eco
0310: 6d 25 32 43 74 61 64 37 32 38 25 34 30 61 6f 6c | m%2Ctad728%40aol
0320: 25 32 45 63 6f 6d 25 32 43 71 75 65 77 77 74 25 | %2Ecom%2Cquewwt%
0330: 34 30 61 6f 6c 25 32 45 63 6f 6d 25 32 43 77 61 | 40aol%2Ecom%2Cwa
0340: 73 74 65 64 34 35 36 33 25 34 30 61 6f 6c 25 32 | sted4563%40aol%2
0350: 45 63 6f 6d 25 32 43 72 75 6d 6d 79 72 25 34 30 | Ecom%2Crummyr%40
0360: 61 6f 6c 25 32 45 63 6f 6d 25 32 43 6a 6f 68 6e | aol%2Ecom%2Cjohn
0370: 61 63 6b 69 6e 67 31 25 34 30 61 6f 6c 25 32 45 | acking1%40aol%2E
0380: 63 6f 6d 25 32 43 63 75 72 65 36 30 32 25 34 30 | com%2Ccure602%40
0390: 61 6f 6c 25 32 45 63 6f 6d 25 32 43 62 6f 62 77 | aol%2Ecom%2Cbobw
03a0: 37 33 25 34 30 61 6f 6c 25 32 45 63 6f 6d 25 32 | 73%40aol%2Ecom%2
<snip>
3b80: 6f 75 74 65 72 73 2e 63 6f 6d 26 70 68 6f 6e 65 | outers.com&phone
3b90: 3d 66 72 65 64 64 79 38 30 38 40 77 77 77 2e 72 | =freddy808@www.r
3ba0: 6f 75 74 65 72 73 2e 63 6f 6d 26 66 61 78 3d 66 | outers.com&fax=f
3bb0: 72 65 64 64 79 38 30 38 40 77 77 77 2e 72 6f 75 | reddy808 () www rou
3bc0: 74 65 72 73 2e 63 6f 6d 26 65 6d 61 69 6c 3d 66 | ters.com&email=f
3bd0: 72 65 64 64 79 38 30 38 40 77 77 77 2e 72 6f 75 | reddy808 () www rou
3be0: 74 65 72 73 2e 63 6f 6d 26 52 31 3d 53 65 61 72 | ters.com&R1=Sear
3bf0: 63 68 20 45 6e 67 69 6e 65 26 45 6e 67 69 6e 65 | ch Engine&Engine
3c00: 4e 61 6d 65 3d 66 72 65 64 64 79 38 30 38 40 77 | Name=freddy808@w
3c10: 77 77 2e 72 6f 75 74 65 72 73 2e 63 6f 6d 26 52 | ww.routers.com&R
3c20: 31 3d 53 61 6c 65 73 20 42 72 6f 63 68 75 72 65 | 1=Sales Brochure
3c30: 26 52 31 3d 52 65 66 65 72 72 61 6c 26 52 31 3d | &R1=Referral&R1=
3c40: 41 72 74 69 63 6c 65 26 52 31 3d 4f 74 68 65 72 | Article&R1=Other
3c50: 26 4f 74 68 65 72 32 3d 66 72 65 64 64 79 38 30 | &Other2=freddy80
3c60: 38 40 77 77 77 2e 72 6f 75 74 65 72 73 2e 63 6f | 8 () www routers co
3c70: 6d 26 3d 26 3d 53 65 6e 64                      | m&=&=Send
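Editor's note (an added example, not part of Rich's post, the Snort project, or the request2.cgi script): the decoded body above shows what a validating form handler would have to catch. The `name` field begins with `%0A` (a line feed) followed by `To:`, `From:` and `bcc:` lines, so when the script copies the field into a mail header the attacker's header lines are appended and the message is relayed to every bcc address. The checks below decode an `application/x-www-form-urlencoded` body the way the CGI would, flag any field that carries a CR/LF followed by a mail header name, and apply the 500-byte rule of thumb from the post. The sample bodies and addresses are constructed for the example; the 500-byte threshold is the poster's, not a measured value.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample bodies (not from the capture; addresses are placeholders).
# INJECTED_BODY has the same shape as the captured POST: a form field whose
# value starts with %0A (LF) followed by To:/From:/bcc: mail header lines.
BENIGN_BODY = (
    "nhc=Banking+Assessment&name=Jane+Doe&email=jane%40example.com&=Send"
)
INJECTED_BODY = (
    "nhc=Banking+Assessment&OtherInfo=user%40example.com"
    "&name=%0ATo%3A+user%40example.com%0AFrom%3A+someone%40example.net"
    "%0Abcc%3A+a%40example.org%2Cb%40example.org%2Cc%40example.org"
    "&email=user%40example.com&=Send"
)

# A CR or LF followed by a mail header name and a colon, anywhere in a value.
HEADER_RE = re.compile(
    r"[\r\n][ \t]*(to|from|cc|bcc|subject|content-type)[ \t]*:", re.I
)
MAX_BODY = 500  # the poster's rule of thumb for a legitimate submission


def analyse_body(raw: str, max_body: int = MAX_BODY) -> dict:
    """Decode a form-encoded body and report what a validating form handler
    (or a detection rule) should trip on."""
    injected = {}      # field name -> header names found after a CR/LF
    crlf_fields = []   # fields with a CR/LF but no recognisable header
    for name, value in parse_qsl(raw, keep_blank_values=True):
        if "\r" not in value and "\n" not in value:
            continue
        headers = [h.lower() for h in HEADER_RE.findall(value)]
        if headers:
            injected[name] = headers
        else:
            crlf_fields.append(name)
    oversized = len(raw) > max_body
    return {
        "oversized": oversized,
        "injected_headers": injected,
        "crlf_fields": crlf_fields,
        "suspicious": oversized or bool(injected) or bool(crlf_fields),
    }


def sanitize_field(value: str) -> str:
    """Server-side fix: a form field that is copied into a mail header must
    never contain a line break, so collapse CR/LF runs before it reaches the
    mailer. Rejecting the request outright is the stricter alternative."""
    return re.sub(r"[\r\n]+", " ", value).strip()


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("injected", INJECTED_BODY)):
        print(label, analyse_body(body))
    print(repr(sanitize_field("\nTo: x@example.com\nbcc: y@example.org")))
```

The same two signals are what a network rule should key on rather than `POST` alone: the specific URI (`/cgi-bin/request2.cgi`) combined with an encoded line break (`%0A` or `%0D`) immediately followed by a header name such as `To`, `From` or `bcc` in the request body. Packet length on its own is a weak discriminator, since a legitimate large form or an upload would trip it, but it is a useful secondary condition alongside the content match.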
Current thread:
- html post question Rich Adamson (Dec 09)
- Re: html post question Matt Kettler (Dec 09)