Snort mailing list archives

Re: HNAP Admin attempts


From: "lists () packetmail net" <lists () packetmail net>
Date: Thu, 14 Nov 2013 10:00:26 -0600

On 11/14/2013 09:47 AM, James Lay wrote:
> content:"GET |2f|HNAP1|2f| 
> HTTP|2f|1.1"; http_raw_uri; fast_pattern:only content:"Authorization|3a| 
> Basic YWRtaW46"; http_header; metadata:policy balanced-ips drop, policy 
> security-ips drop, ruleset community, service 
> http;reference:url,www.cisco.com/web/partners/downloads/guest/hnap_protocol_whitepaper.pdf; 
> classtype:bad-unknown; sid:10000112; rev:1;)
>
> I'm not sure if I need to use http_uri or http_raw_uri....does 
> normalizing remove the HTTP/1.1?  Thanks all.

It actually won't be there, that or the http method.  I'd probably write it like
this (not saying I'm right)

content:"GET|20 2f|HNAP1|2f 20|HTTP|2f|1.1|0d 0a|"; fast_pattern:only;
content:"Authorization|3a 20|Basic YWRtaW46"; http_header;


Cheers,
Nathan

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
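
Why the full request line is not found in the URI buffer, as an added example that is not part of the thread: a simplified Python model of per-field HTTP buffers (not Snort's actual preprocessor), run over a constructed request. The `PER_FIELD` variant, the helper names, and the sample host and password are assumptions made here.

```python
import base64

# Constructed sample request (not captured traffic); host and password are made up.
CRED = base64.b64encode(b"admin:example-pass").decode()
REQUEST = (
    "GET /HNAP1/ HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    f"Authorization: Basic {CRED}\r\n"
    "\r\n"
).encode()


def split_buffers(raw: bytes) -> dict:
    """Simplified model of per-field HTTP buffers: method, URI, headers, raw payload."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    return {"method": method, "uri": uri, "header": headers + b"\r\n", "raw": raw}


def rule_matches(raw: bytes, contents: list) -> bool:
    """Each entry is (pattern, buffer_name); every pattern must be found in its buffer."""
    bufs = split_buffers(raw)
    return all(pat in bufs[name] for pat, name in contents)


# Rule as first posted: the whole request line is searched for in the URI buffer.
ORIGINAL = [(b"GET /HNAP1/ HTTP/1.1", "uri"),
            (b"Authorization: Basic YWRtaW46", "header")]
# Reply's version: request line against the raw payload, header in the header buffer.
REPLY = [(b"GET /HNAP1/ HTTP/1.1\r\n", "raw"),
         (b"Authorization: Basic YWRtaW46", "header")]
# Field-by-field variant (an assumption added here, not from the thread).
PER_FIELD = [(b"GET", "method"), (b"/HNAP1/", "uri"),
             (b"Authorization: Basic YWRtaW46", "header")]


def admin_prefix() -> str:
    """'admin:' is 6 bytes, two full base64 groups, so its encoding ignores the password."""
    return base64.b64encode(b"admin:").decode()


if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL), ("reply", REPLY), ("per-field", PER_FIELD)):
        print(name, rule_matches(REQUEST, rule))
    print(admin_prefix())
```
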

