Snort mailing list archives
HNAP Admin attempts
From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 14 Nov 2013 08:47:07 -0700
So I'm not sure if I have this right...I don't have full pcaps either, just the GET:

GET /HNAP1/ HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008092215 Firefox/3.0.1 Orca/1.1 beta 3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: [redacted]
Authorization: Basic YWRtaW46UWFLJGRic0UsZmU3
Connection: keep-alive

GET /HNAP1/ HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: [redacted]
Authorization: Basic YWRtaW46eVQqOE1NX3hpeXFV
Connection: keep-alive

GET /HNAP1/ HTTP/1.1
Host: [redacted]
User-Agent: Opera/9.60 (Windows NT 5.1; U; de) Presto/2.1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: [redacted]
Authorization: Basic YWRtaW46cS5bLENkIz86SU4/
Connection: keep-alive

In each of the above three instances (all different source IPs), all were prefaced with port 8080 attempts first:

[519936.814987] IN=ppp0 OUT= MAC= SRC=[redacted] DST=[redacted] LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=46034 DF PROTO=TCP SPT=2388 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
[519939.807014] IN=ppp0 OUT= MAC= SRC=[redacted] DST=[redacted] LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=46035 DF PROTO=TCP SPT=2388 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"SERVER-WEBAPP HNAP admin brute force login attempt"; \
    flow:established,to_server; \
    file_data; \
    content:"GET |2f|HNAP1|2f| HTTP|2f|1.1"; http_raw_uri; fast_pattern:only; \
    content:"Authorization|3a| Basic YWRtaW46"; http_header; \
    metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; \
    reference:url,www.cisco.com/web/partners/downloads/guest/hnap_protocol_whitepaper.pdf; \
    classtype:bad-unknown; sid:10000112; rev:1;)

I'm not sure if I need to use http_uri or http_raw_uri....does normalizing remove the HTTP/1.1?

Thanks all.

James
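As an added example (not part of the post or the thread), a small Python checker that flags HNAP admin login attempts in constructed requests modelled on the three above. It matches the path and the Authorization header separately, because Snort's http_uri and http_raw_uri buffers hold only the URI, never the method or the HTTP/1.1 version; the hosts and credentials in the samples are made-up placeholders.

```python
import base64
from typing import Dict, List, Optional, Tuple

# Constructed sample requests modelled on the three in the post; the credentials
# are made-up placeholders, not the Authorization values from the archive.
SAMPLE_REQUESTS = [
    "GET /HNAP1/ HTTP/1.1\r\nHost: 192.0.2.10\r\nUser-Agent: Opera/9.60\r\n"
    "Authorization: Basic " + base64.b64encode(b"admin:placeholder-1").decode() + "\r\n"
    "Connection: keep-alive\r\n\r\n",
    "GET /HNAP1/ HTTP/1.1\r\nHost: 192.0.2.10\r\nUser-Agent: Mozilla/4.0\r\n"
    "Authorization: Basic " + base64.b64encode(b"guest:placeholder-2").decode() + "\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    "Authorization: Basic " + base64.b64encode(b"admin:placeholder-3").decode() + "\r\n\r\n",
    "GET /HNAP1/ HTTP/1.1\r\nHost: 192.0.2.10\r\nAuthorization: Basic %%%not-base64\r\n\r\n",
]

def parse_request(raw: str) -> Tuple[str, str, str, Dict[str, str]]:
    """Split an HTTP request head into method, URI, version and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, uri, version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, version, headers

def basic_auth_user(headers: Dict[str, str]) -> Optional[str]:
    """Return the user name from an 'Authorization: Basic' header, or None."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError: malformed token
        return None
    return decoded.partition(":")[0]  # only the user name, never the password

def is_hnap_admin_login(raw: str) -> bool:
    """Flag a GET to /HNAP1/ that carries Basic credentials for the 'admin' account."""
    method, uri, _version, headers = parse_request(raw)
    # Like Snort's http_uri buffer, `uri` holds only the path: neither the method
    # nor "HTTP/1.1" is in it, so the path and the header are matched separately.
    path = uri.split("?", 1)[0].rstrip("/").lower()
    return method == "GET" and path == "/hnap1" and basic_auth_user(headers) == "admin"

def flagged_indexes(requests: List[str]) -> List[int]:
    """Indexes of the requests that look like HNAP admin login attempts."""
    return [i for i, raw in enumerate(requests) if is_hnap_admin_login(raw)]

if __name__ == "__main__":
    print(flagged_indexes(SAMPLE_REQUESTS))  # [0]
```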