Snort mailing list archives
Re: Fwd: How to detect OS with Snort?
From: Kevin Ross <kevross33 () googlemail com>
Date: Wed, 9 May 2012 12:20:23 +0100
If is is indeed user agent you want to detect then do: alert tcp $EXTERNAL_NET any -> $HTTP_SERVER $HTTP_PORTS (msg:"Inbound Windows User Agent Detected"; flow:established,to_server; content:"Windows NT"; nocase; http_header; pcre:"/User\x2DAgent\x3A\x20[^\r\n]*Windows\x20NT/Hi"; classtype:bad-unknown; sid:191001; rev:1;) Now this signature should detect the Windows XP user agent accurately depending on your sensor placement (are you monitoring inside or outside interface of a firewall?), your snort configuration, if you can see the traffic (if it is IDS you need to SPAN the port to see the traffic etc). If you do snort -dev -i YOURINTERFACE or if you have tcpdump just tcpdump -i YOURINTERFACE to check you can see the traffic. Hope this helps you a bit. Kind Regards, Kevin Ross On 9 May 2012 11:51, Borja Luaces <borja.luaces () gmail com> wrote:
Hello all, This is a burp capture of the post request that the phisher could be using (this one has been created in a lab environment). As you can see, in the User-Agent field, we can find the OS that is supossed to be using. POST /DFAUTH/slod/validaENOB.jsp HTTP/1.1 Host: XXXXXX User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer:XXXXXX/local_enob/index-nico.html Cookie: PD_STATEFUL_f8965e46-de88-11e0-a137-0050568e208f=%2FENOB; PD-S-SESSION-ID=2_otTvVkNKOexXvR3-MevmOq3Lj04OyrUUHpXwWCmEjhy4KfIv Content-Type: application/x-www-form-urlencoded Content-Length: 132 origen=enob&eai_tipoCP=up&eai_URLDestino=&idioma=CAS&iconizable=N&eai_user=test_user&eai_password=test_p&selProductos=posicionGlobal The idea is launch an alert using that parameter. This is why I tried the rule: alert tcp any any -> any any (msg:""; content:"Windows NT"; ...) but seems no to work. I don not know if this could help a bit more. Thanks for your time -- Borja Luaces Altares Administrador/Analista de Sistemas (MCSE Security,C|EH & CSSA)
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Fwd: How to detect OS with Snort?, (continued)
- Message not available
- Fwd: How to detect OS with Snort? Borja Luaces (May 08)
- Re: Fwd: How to detect OS with Snort? Joel Esler (May 08)
- Re: Fwd: How to detect OS with Snort? Jason Haar (May 08)
- Re: Fwd: How to detect OS with Snort? waldo kitty (May 08)
- Re: Fwd: How to detect OS with Snort? Borja Luaces (May 08)
- Re: Fwd: How to detect OS with Snort? Kevin Ross (May 09)
- Re: Fwd: How to detect OS with Snort? Borja Luaces (May 09)
- Re: Fwd: How to detect OS with Snort? Peter Bates (May 09)
- Re: Fwd: How to detect OS with Snort? Paul Schmehl (May 09)
- Re: Fwd: How to detect OS with Snort? Borja Luaces (May 09)
- Re: Fwd: How to detect OS with Snort? Kevin Ross (May 09)
- Re: How to detect OS with Snort? Joel Esler (May 16)
- Re: How to detect OS with Snort? Olaf Schreck (May 16)
- Re: How to detect OS with Snort? Jason Haar (May 17)
- Re: How to detect OS with Snort? Borja Luaces (May 17)