Re: Fwd: How to detect OS with Snort?

[Borja Luaces <borja.luaces () gmail com>]

Hello everyone,

I am going to explain more or less the environment.

One of my clients web site that supposed to be accesed from mobile phones
is beeing actively used by phishers to steal usernames and passwords.

What I have found is that once the poor user has introduced the data into
the phishing site, this site makes a data check and the OS that is
launching this check is a Windows XP, so what I am trying to do is block
this data check.

As waldo kitty said, I know that that information can be faked and that
this rule is mostly unuseful.

All my weapons are snort rules, just that.

I hope that with this little more info you could help me.

Once again thanks to all,



On Wed, May 9, 2012 at 4:09 AM, waldo kitty <wkitty42 () windstream net> wrote:

> On 5/8/2012 15:25, Borja Luaces wrote:
> > Firstly, thanks.
> >
> > i know that Nmap is a better tool but the fact is that the rule is to
> detect
> > specific attacks from windows OS. The company I work for does not allow
> me to
> > install anything else. I have to do it with snort this is why I am
> trying that
> > rule but it seems not to work.
>
> what does it matter what OS an attack originates from? detect the atack and
> drop, alert or block as necessary... what i saw your rule doing appeared
> to be
> only detecting possible user agents in http headers but those are faked
> all the
> time with valid ones appearing along with invalid ones... i can tell you
> that
> they are coming from all different OS' no matter what OS the UA says it
> is...
> witness forum spammer's tools and infiltration techniques...
>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!



-- 
Borja Luaces Altares
Administrador/Analista de Sistemas (MCSE Security,C|EH & CSSA)

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!