Snort mailing list archives

Re: Fwd: How to detect OS with Snort?

From: Borja Luaces <borja.luaces () gmail com>
Date: Wed, 9 May 2012 12:51:46 +0200

Hello all,

This is a burp capture of the post request that the phisher could be using
(this one has been created in a lab environment).

As you can see, in the User-Agent field, we can find the OS that is
supossed to be using.

POST /DFAUTH/slod/validaENOB.jsp HTTP/1.1
Host: XXXXXX
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101
Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer:XXXXXX/local_enob/index-nico.html
Cookie: PD_STATEFUL_f8965e46-de88-11e0-a137-0050568e208f=%2FENOB;
PD-S-SESSION-ID=2_otTvVkNKOexXvR3-MevmOq3Lj04OyrUUHpXwWCmEjhy4KfIv
Content-Type: application/x-www-form-urlencoded
Content-Length: 132

origen=enob&eai_tipoCP=up&eai_URLDestino=&idioma=CAS&iconizable=N&eai_user=test_user&eai_password=test_p&selProductos=posicionGlobal

The idea is launch an alert using that parameter.

This is why I tried the rule:

alert tcp any any -> any any (msg:""; content:"Windows NT"; ...)

but seems no to work.

I don not know if this could help a bit more.

Thanks for your time

-- 
Borja Luaces Altares
Administrador/Analista de Sistemas (MCSE Security,C|EH & CSSA)

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

How to detect OS with Snort? Borja Luaces (May 08)
- Re: How to detect OS with Snort? Nick Moore (May 08)
  - Re: How to detect OS with Snort? JJC (May 08)
- Re: How to detect OS with Snort? Peter Bates (May 08)
  - Message not available
    - Fwd: How to detect OS with Snort? Borja Luaces (May 08)
    - Re: Fwd: How to detect OS with Snort? Joel Esler (May 08)
    - Re: Fwd: How to detect OS with Snort? Jason Haar (May 08)
    - Re: Fwd: How to detect OS with Snort? waldo kitty (May 08)
    - Re: Fwd: How to detect OS with Snort? Borja Luaces (May 08)
    - Re: Fwd: How to detect OS with Snort? Kevin Ross (May 09)
    - Re: Fwd: How to detect OS with Snort? Borja Luaces (May 09)
    - Re: Fwd: How to detect OS with Snort? Peter Bates (May 09)
    - Re: Fwd: How to detect OS with Snort? Paul Schmehl (May 09)
    - Re: Fwd: How to detect OS with Snort? Borja Luaces (May 09)
    - Re: Fwd: How to detect OS with Snort? Kevin Ross (May 09)
- Re: How to detect OS with Snort? Kevin Ross (May 09)
  - Re: How to detect OS with Snort? Joel Esler (May 16)
    - Re: How to detect OS with Snort? Olaf Schreck (May 16)
    - Re: How to detect OS with Snort? Jason Haar (May 17)
    - Re: How to detect OS with Snort? Borja Luaces (May 17)