Snort mailing list archives

HNAP Admin attempts

From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 14 Nov 2013 08:47:07 -0700

So I'm not sure if I have this right...I don't have full pcaps either, 
just the GET:

GET /HNAP1/ HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) 
Gecko/2008092215 Firefox/3.0.1 Orca/1.1 beta 3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: [redacted]
Authorization: Basic YWRtaW46UWFLJGRic0UsZmU3
Connection: keep-alive

GET /HNAP1/ HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: [redacted]
Authorization: Basic YWRtaW46eVQqOE1NX3hpeXFV
Connection: keep-alive


GET /HNAP1/ HTTP/1.1
Host: [redacted]
User-Agent: Opera/9.60 (Windows NT 5.1; U; de) Presto/2.1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: [redacted]
Authorization: Basic YWRtaW46cS5bLENkIz86SU4/
Connection: keep-alive

In each of the above three instances (all different source IP's), all 
were prefaced with port 8080 attempts first:

[519936.814987] IN=ppp0 OUT= MAC= SRC=[redacted] DST=[redacted] LEN=60 
TOS=0x00 PREC=0x00 TTL=53 ID=46034 DF PROTO=TCP SPT=2388 DPT=8080 
WINDOW=5840 RES=0x00 SYN URGP=0
[519939.807014] IN=ppp0 OUT= MAC= SRC=[redacted] DST=[redacted] LEN=60 
TOS=0x00 PREC=0x00 TTL=53 ID=46035 DF PROTO=TCP SPT=2388 DPT=8080 
WINDOW=5840 RES=0x00 SYN URGP=0

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"SERVER-WEBAPP HNAP admin brute force login attempt"; 
flow:established,to_server; file_data; content:"GET |2f|HNAP1|2f| 
HTTP|2f|1.1"; http_raw_uri; fast_pattern:only content:"Authorization|3a| 
Basic YWRtaW46"; http_header; metadata:policy balanced-ips drop, policy 
security-ips drop, ruleset community, service 
http;reference:url,www.cisco.com/web/partners/downloads/guest/hnap_protocol_whitepaper.pdf; 
classtype:bad-unknown; sid:10000112; rev:1;)

I'm not sure if I need to use http_uri or http_raw_uri....does 
normalizing remove the HTTP/1.1?  Thanks all.

James

------------------------------------------------------------------------------
DreamFactory - Open Source REST & JSON Services for HTML5 & Native Apps
OAuth, Users, Roles, SQL, NoSQL, BLOB Storage and External API Access
Free app hosting. Or install the open source package on any LAMP server.
Sign up and see examples for AngularJS, jQuery, Sencha Touch and Native!
http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

Current thread:

HNAP Admin attempts James Lay (Nov 14)
- Re: HNAP Admin attempts lists () packetmail net (Nov 14)
  - Re: HNAP Admin attempts James Lay (Nov 14)
    - Re: HNAP Admin attempts Carlos Pacho (Nov 14)
    - Re: HNAP Admin attempts rmkml (Nov 14)
    - Re: HNAP Admin attempts waldo kitty (Nov 14)
    - Re: HNAP Admin attempts Y M (Nov 14)
    - Re: HNAP Admin attempts James Lay (Nov 14)