Snort mailing list archives

html post question


From: Rich Adamson <radamson () routers com>
Date: Tue, 9 Dec 2003 08:20:55 -0600

Wonder if someone on the list might recognize the pkt content shown 
below. We're seeing a number of hosts posting spam via this 
request2.cgi perl script on RH9 with Apache. Two questions:
1. is this becoming a fairly common spamming method?
2. I'm assuming the perl script should be updated to validate the
   posted data (which it obviously is not now), correct?
3. If I were to write a rule to detect this, it would appear the only
   key content items are "POST" and the length of the packet (normally
   would not expect anything greater than about 500 bytes). Anyone
   spot other key info that could be used in a rule?

Rich


ADDR  HEX                                               ASCII
0040: 78 6d 50 4f 53 54 20 2f 63 67 69 2d 62 69 6e 2f | xmPOST /cgi-bin/
0050: 72 65 71 75 65 73 74 32 2e 63 67 69 20 48 54 54 | request2.cgi HTT
0060: 50 2f 31 2e 30 0d 0a 52 65 66 65 72 65 72 3a 20 | P/1.0..Referer: 
0070: 68 74 74 70 3a 2f 2f 77 77 77 2e 72 6f 75 74 65 | http://www.route
0080: 72 73 2e 63 6f 6d 2f 0d 0a 43 6f 6e 74 65 6e 74 | rs.com/..Content
0090: 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 | -Type: applicati
00a0: 6f 6e 2f 78 2d 77 77 77 2d 75 72 6c 2d 65 6e 63 | on/x-www-url-enc
00b0: 6f 64 65 64 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 | oded..Content-Le
00c0: 6e 67 74 68 3a 20 31 35 32 32 37 0d 0a 43 6f 6e | ngth: 15227..Con
00d0: 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c | nection: keep-al
00e0: 69 76 65 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 72 | ive..Host: www.r
00f0: 6f 75 74 65 72 73 2e 63 6f 6d 0d 0a 0d 0a 6e 68 | outers.com....nh
0100: 63 3d 42 61 6e 6b 69 6e 67 20 41 73 73 65 73 73 | c=Banking Assess
0110: 6d 65 6e 74 26 62 6c 3d 4e 65 74 20 50 65 72 66 | ment&bl=Net Perf
0120: 6f 72 6d 61 6e 63 65 26 66 72 61 3d 4e 65 74 44 | ormance&fra=NetD
0130: 6f 63 73 26 72 65 74 3d 4f 6e 2d 53 69 74 65 20 | ocs&ret=On-Site 
0140: 54 72 61 69 6e 69 6e 67 26 73 74 61 3d 56 75 6c | Training&sta=Vul
0150: 6e 65 72 61 62 69 6c 69 74 79 20 41 73 73 65 73 | nerability Asses
0160: 73 6d 65 6e 74 26 6f 74 68 3d 4f 74 68 65 72 26 | sment&oth=Other&
0170: 4f 74 68 65 72 49 6e 66 6f 3d 66 72 65 64 64 79 | OtherInfo=freddy
0180: 38 30 38 40 77 77 77 2e 72 6f 75 74 65 72 73 2e | 808@www.routers.
0190: 63 6f 6d 26 6e 61 6d 65 3d 25 30 41 54 6f 25 33 | com&name=%0ATo%3
01a0: 41 2b 66 72 65 64 64 79 38 30 38 25 34 30 77 77 | A+freddy808%40ww
01b0: 77 25 32 45 72 6f 75 74 65 72 73 25 32 45 63 6f | w%2Erouters%2Eco
01c0: 6d 25 30 41 46 72 6f 6d 25 33 41 2b 41 64 6f 62 | m%0AFrom%3A+Adob
01d0: 65 50 68 6f 74 6f 73 68 6f 70 37 30 35 36 31 25 | ePhotoshop70561%
01e0: 34 30 71 75 69 6b 25 32 45 63 6f 6d 25 30 41 62 | 40quik%2Ecom%0Ab
01f0: 63 63 25 33 41 2b 79 74 6b 64 34 25 34 30 61 6f | cc%3A+ytkd4%40ao
0200: 6c 25 32 45 63 6f 6d 25 32 43 62 65 63 6b 6e 61 | l%2Ecom%2Cbeckna
0210: 74 61 6c 69 65 25 34 30 61 6f 6c 25 32 45 63 6f | talie%40aol%2Eco
0220: 6d 25 32 43 76 65 72 69 74 61 73 68 25 34 30 61 | m%2Cveritash%40a
0230: 6f 6c 25 32 45 63 6f 6d 25 32 43 69 6c 69 76 65 | ol%2Ecom%2Cilive
0240: 69 6e 74 68 65 74 76 25 34 30 61 6f 6c 25 32 45 | inthetv%40aol%2E
0250: 63 6f 6d 25 32 43 67 75 72 32 64 32 25 34 30 61 | com%2Cgur2d2%40a
0260: 6f 6c 25 32 45 63 6f 6d 25 32 43 6b 65 73 74 72 | ol%2Ecom%2Ckestr
0270: 61 32 31 36 31 25 34 30 61 6f 6c 25 32 45 63 6f | a2161%40aol%2Eco
0280: 6d 25 32 43 6e 79 6f 6e 63 6f 6c 6f 67 79 63 61 | m%2Cnyoncologyca
0290: 72 65 25 34 30 61 6f 6c 25 32 45 63 6f 6d 25 32 | re%40aol%2Ecom%2
02a0: 43 68 6a 6b 61 68 6c 25 34 30 61 6f 6c 25 32 45 | Chjkahl%40aol%2E
02b0: 63 6f 6d 25 32 43 66 72 6f 67 67 79 62 69 6b 65 | com%2Cfroggybike
02c0: 72 25 34 30 61 6f 6c 25 32 45 63 6f 6d 25 32 43 | r%40aol%2Ecom%2C
02d0: 74 65 68 37 34 34 25 34 30 61 6f 6c 25 32 45 63 | teh744%40aol%2Ec
02e0: 6f 6d 25 32 43 6a 72 6f 62 69 74 35 33 35 32 25 | om%2Cjrobit5352%
02f0: 34 30 61 6f 6c 25 32 45 63 6f 6d 25 32 43 64 6a | 40aol%2Ecom%2Cdj
0300: 61 63 65 31 32 25 34 30 61 6f 6c 25 32 45 63 6f | ace12%40aol%2Eco
0310: 6d 25 32 43 74 61 64 37 32 38 25 34 30 61 6f 6c | m%2Ctad728%40aol
0320: 25 32 45 63 6f 6d 25 32 43 71 75 65 77 77 74 25 | %2Ecom%2Cquewwt%
0330: 34 30 61 6f 6c 25 32 45 63 6f 6d 25 32 43 77 61 | 40aol%2Ecom%2Cwa
0340: 73 74 65 64 34 35 36 33 25 34 30 61 6f 6c 25 32 | sted4563%40aol%2
0350: 45 63 6f 6d 25 32 43 72 75 6d 6d 79 72 25 34 30 | Ecom%2Crummyr%40
0360: 61 6f 6c 25 32 45 63 6f 6d 25 32 43 6a 6f 68 6e | aol%2Ecom%2Cjohn
0370: 61 63 6b 69 6e 67 31 25 34 30 61 6f 6c 25 32 45 | acking1%40aol%2E
0380: 63 6f 6d 25 32 43 63 75 72 65 36 30 32 25 34 30 | com%2Ccure602%40
0390: 61 6f 6c 25 32 45 63 6f 6d 25 32 43 62 6f 62 77 | aol%2Ecom%2Cbobw
03a0: 37 33 25 34 30 61 6f 6c 25 32 45 63 6f 6d 25 32 | 73%40aol%2Ecom%2
<snip>
3b80: 6f 75 74 65 72 73 2e 63 6f 6d 26 70 68 6f 6e 65 | outers.com&phone
3b90: 3d 66 72 65 64 64 79 38 30 38 40 77 77 77 2e 72 | =freddy808@www.r
3ba0: 6f 75 74 65 72 73 2e 63 6f 6d 26 66 61 78 3d 66 | outers.com&fax=f
3bb0: 72 65 64 64 79 38 30 38 40 77 77 77 2e 72 6f 75 | reddy808@www.rou
3bc0: 74 65 72 73 2e 63 6f 6d 26 65 6d 61 69 6c 3d 66 | ters.com&email=f
3bd0: 72 65 64 64 79 38 30 38 40 77 77 77 2e 72 6f 75 | reddy808@www.rou
3be0: 74 65 72 73 2e 63 6f 6d 26 52 31 3d 53 65 61 72 | ters.com&R1=Sear
3bf0: 63 68 20 45 6e 67 69 6e 65 26 45 6e 67 69 6e 65 | ch Engine&Engine
3c00: 4e 61 6d 65 3d 66 72 65 64 64 79 38 30 38 40 77 | Name=freddy808@w
3c10: 77 77 2e 72 6f 75 74 65 72 73 2e 63 6f 6d 26 52 | ww.routers.com&R
3c20: 31 3d 53 61 6c 65 73 20 42 72 6f 63 68 75 72 65 | 1=Sales Brochure
3c30: 26 52 31 3d 52 65 66 65 72 72 61 6c 26 52 31 3d | &R1=Referral&R1=
3c40: 41 72 74 69 63 6c 65 26 52 31 3d 4f 74 68 65 72 | Article&R1=Other
3c50: 26 4f 74 68 65 72 32 3d 66 72 65 64 64 79 38 30 | &Other2=freddy80
3c60: 38 40 77 77 77 2e 72 6f 75 74 65 72 73 2e 63 6f | 8@www.routers.co
3c70: 6d 26 3d 26 3d 53 65 6e 64                      | m&=&=Send
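What the capture shows is mail-header injection against a form-to-mail script: the `name` field starts with a URL-encoded newline (`%0A`) and then carries its own `To:`, `From:` and `bcc:` lines, so a script that drops form fields straight into the message header sends the spammer's bcc list instead of the site owner's mail. A few things in the dump are more usable in a rule than raw packet size. The `Content-Length` header (15227 here) is the better size signal, since a body that large arrives over many TCP segments and no single packet will be "greater than 500 bytes" of form data. `%0A` on its own is a poor key because any multi-line textarea field is encoded the same way; `%0A` immediately followed by `bcc%3A`, `To%3A` or `From%3A` is specific to this abuse. The `Content-Type` string `application/x-www-url-encoded` is also not what browsers send (`application/x-www-form-urlencoded`), which marks this particular tool. The script below is an added example, not code from the post or from request2.cgi; it rebuilds an abbreviated copy of the captured request (the bcc list is cut to two addresses, and the declared Content-Length is the one from the capture rather than the real length of the shortened body), runs the wire-level checks a signature could express over the still-encoded bytes, and then shows the decoded-side validation the CGI itself should be doing.

```python
"""Mail-header injection through a form-to-mail CGI: spot it in the raw POST
(the bytes a content match sees) and reject it in the script.
Added example, not code from the original post or from request2.cgi;
the sample requests below are constructed, abbreviated from the capture."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

# Header names a spammer injects to turn the form into a relay.
HEADER_NAMES = r"(?:to|cc|bcc|from|subject)"

# Decoded form value: a line break, then a header name and a colon.
DECODED_INJECTION = re.compile(r"(?:^|[\r\n])[ \t]*(" + HEADER_NAMES + r")[ \t]*:", re.I)

# Still URL-encoded body: %0A (optionally %0D%0A), optional '+'/%20, header name, ':' or %3A.
# A bare %0A is not enough: any multi-line textarea field encodes newlines the same way.
ENCODED_INJECTION = re.compile(
    rb"(?:%0[dD])?%0[aA](?:\+|%20)*(" + HEADER_NAMES.encode() + rb")(?::|%3[aA])", re.I)

# Constructed bodies.  SPAM_BODY keeps the injected 'name' field from the capture
# (bcc list cut to two addresses); LEGIT_BODY is a normal submission that also has
# an encoded newline in a free-text field, which must not trigger the check.
SPAM_BODY = (
    b"nhc=Banking Assessment&bl=Net Performance&fra=NetDocs&ret=On-Site Training"
    b"&OtherInfo=freddy808@www.routers.com"
    b"&name=%0ATo%3A+freddy808%40www%2Erouters%2Ecom"
    b"%0AFrom%3A+AdobePhotoshop70561%40quik%2Ecom"
    b"%0Abcc%3A+ytkd4%40aol%2Ecom%2Cbecknatalie%40aol%2Ecom"
    b"&email=freddy808@www.routers.com&R1=Search Engine&=&=Send"
)
LEGIT_BODY = (
    b"nhc=Banking Assessment&name=Jane+Doe&email=jane%40example.com"
    b"&comments=line+one%0Aline+two&=Send"
)


def build_request(body: bytes, content_length: int, content_type: bytes) -> bytes:
    """Assemble an HTTP/1.0 POST with the header set seen in the capture."""
    head = [
        b"POST /cgi-bin/request2.cgi HTTP/1.0",
        b"Referer: http://www.routers.com/",
        b"Content-Type: " + content_type,
        b"Content-Length: " + str(content_length).encode(),
        b"Connection: keep-alive",
        b"Host: www.routers.com",
    ]
    return b"\r\n".join(head) + b"\r\n\r\n" + body


# Content-Length 15227 and the misspelt Content-Type are copied from the capture;
# the spam body itself is abbreviated here, so the declared length is not the real one.
SPAM_REQUEST = build_request(SPAM_BODY, 15227, b"application/x-www-url-encoded")
LEGIT_REQUEST = build_request(LEGIT_BODY, len(LEGIT_BODY), b"application/x-www-form-urlencoded")


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def inspect_request(raw: bytes, max_body: int = 500) -> dict:
    """Wire-level checks of the kind a signature can express: target script,
    declared body size, Content-Type string, and encoded header injection."""
    method, path, headers, body = parse_request(raw)
    length = int(headers.get("content-length", "0"))
    return {
        "method": method,
        "path": path,
        "content_length": length,
        "oversized": length > max_body,
        "content_type": headers.get("content-type", ""),
        "injected_headers": [m.decode().lower() for m in ENCODED_INJECTION.findall(body)],
    }


def injected_headers(body: bytes) -> Dict[str, List[str]]:
    """Decode the form and report every field whose value would add mail headers."""
    hits: Dict[str, List[str]] = {}
    for field, values in parse_qs(body.decode("latin-1"), keep_blank_values=True).items():
        for value in values:
            found = [h.lower() for h in DECODED_INJECTION.findall(value)]
            if found:
                hits.setdefault(field, []).extend(found)
    return hits


def validate_header_field(value: str, max_len: int = 100) -> Optional[str]:
    """What the CGI should do with any form value it places in a mail header:
    return the reason to refuse it, or None.  Refuse rather than strip, so a
    tampered submission fails instead of going out with a cleaned-up header."""
    if "\r" in value or "\n" in value:
        return "line break in value"
    if len(value) > max_len:
        return "value too long"
    return None


if __name__ == "__main__":
    for label, req in (("spam", SPAM_REQUEST), ("legit", LEGIT_REQUEST)):
        print(label, inspect_request(req))
        _, _, _, body = parse_request(req)
        print(label, "decoded:", injected_headers(body))
    print(validate_header_field("Jane Doe"), validate_header_field("\nbcc: x@example.com"))
```

The encoded check deliberately requires a header name right after the newline, so the legitimate submission with `line+one%0Aline+two` in a free-text field passes while the captured `name` field reports `to`, `from` and `bcc`. On the script side the right fix is the same whatever language the CGI is written in: any value that ends up in a mail header must contain no CR or LF, and addresses the form sends to should come from the script's own configuration, never from the submitted data.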




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users