Snort mailing list archives
Re: Is snort missing something?
From: Matt Scarborough <vexversa () usa net>
Date: 3 Jul 2001 02:59:19 EDT
On Sun, 01 Jul 2001 16:01:19 +0800, steven wrote:
Hi, I am doing a test of sniffing packets in an http authentication session. The http authentication is a feature built into my apache server (I believe it's also the same with other popular http servers in the market). The picture is:
1. The browser requests a document from the server.
2. The server issues an authentication challenge.
3. The browser prompts the user for credentials (typically via a username/password popup).
4. The browser sends a new request to the server, including the credentials (username and encrypted password) entered.
You have the steps right. Snort isn't missing anything. Be aware with Basic Authorization, both the username and password are encoded, not encrypted. Big difference there. See DSNIFF at monkey.org or the datanerds.net for a program to do that automatically for you.
5. The server validates the credentials supplied, and (if acceptable) returns the document requested.
So, I wrote a .htaccess file on my server to make this happen. Then I opened the browser and accessed the protected documents. During the operation, I was running snort on the server to monitor the full process. Everything is *ALMOST* okay: snort captured the packets for steps 1, 2, and 5 (step 3 is client-end behavior). But I did *NOT* see the transferred packet for step 4 -- that is just what I am really interested in. I attached the logged packets below for your information:
<snip> This packet, near the end.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
07/01-04:14:00.215903 0:60:97:2E:7:B8 -> 52:54:4C:29:40:68 type:0x800 len:0x1FE
192.168.1.1:2637 -> 61.142.75.69:80 TCP TTL:128 TOS:0x0 ID:60910 IpLen:20 DgmLen:496 DF
***AP*** Seq: 0x2B31202A  Ack: 0xA8367DAD  Win: 0xFA72  TcpLen: 32
TCP Options (3) => NOP NOP TS: 102076 35768581
<more snip> That's the username:password combo, UUEncoded: bW9uZXk6Z29vZGJ5ZQ== . Matt Watchinski posted it decoded for you.
6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 41  n: Keep-Alive..A
75 74 68 6F 72 69 7A 61 74 69 6F 6E 3A 20 42 61  uthorization: Ba
73 69 63 20 62 57 39 75 5A 58 6B 36 5A 32 39 76  sic bW9uZXk6Z29v
5A 47 4A 35 5A 51 3D 3D 0D 0A 0D 0A              ZGJ5ZQ==....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Matt Scarborough 2001-07-03
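As an added example (not code from the original thread), here is a small Python detector that rebuilds the payload from the Snort hex-dump rows quoted above, finds the Basic credential in the HTTP headers and reports it with the password masked, which is the point of the reply: the token is only encoded, so any sensor on the path can recover it. The header line and dump rows are the ones quoted in this message, copied in as constructed input; the function names are my own.

```python
import base64
import re

# Constructed sample: the Snort header line and hex-dump rows quoted in this
# thread, laid out in Snort's 16-bytes-per-row format (48-char hex column).
SNORT_HEADER = "192.168.1.1:2637 -> 61.142.75.69:80 TCP TTL:128 TOS:0x0 ID:60910 IpLen:20 DgmLen:496 DF"
SNORT_DUMP = """\
6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 41  n: Keep-Alive..A
75 74 68 6F 72 69 7A 61 74 69 6F 6E 3A 20 42 61  uthorization: Ba
73 69 63 20 62 57 39 75 5A 58 6B 36 5A 32 39 76  sic bW9uZXk6Z29v
5A 47 4A 35 5A 51 3D 3D 0D 0A 0D 0A              ZGJ5ZQ==....
"""

HEX_COL = 16 * 3  # Snort prints 16 bytes per row as "XX " each


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild the payload from the hex column only; the ASCII column is skipped
    because it can contain two-letter words that also look like hex (e.g. 'Ba')."""
    out = bytearray()
    for row in dump.splitlines():
        if not row.strip():
            continue
        out.extend(int(h, 16) for h in row[:HEX_COL].split())
    return bytes(out)


def dst_port(header: str) -> int:
    """Destination port from a Snort 'src:port -> dst:port TCP ...' line."""
    m = re.search(r"-> \S+:(\d+) TCP", header)
    if not m:
        raise ValueError("not a Snort TCP header line")
    return int(m.group(1))


def find_basic_auth(payload: bytes):
    """Return (username, password) if a Basic credential is present, else None.
    The credential is base64-decoded, not decrypted: no key is involved."""
    for line in payload.decode("latin-1").split("\r\n"):
        if line.lower().startswith("authorization: basic "):
            token = line.split(None, 2)[2].strip()
            user, _, pw = base64.b64decode(token).decode("latin-1").partition(":")
            return user, pw
    return None


def cleartext_basic_auth_alert(header: str, dump: str):
    """Alert record for a Basic credential sent over plain HTTP (port 80);
    the password is masked so the alert itself does not leak it."""
    creds = find_basic_auth(dump_to_bytes(dump))
    if creds is None or dst_port(header) != 80:
        return None
    user, pw = creds
    return {"user": user, "password": "*" * len(pw), "dst_port": 80}
```

Running `cleartext_basic_auth_alert(SNORT_HEADER, SNORT_DUMP)` on the quoted dump yields the username from the thread with the password masked.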
Current thread:
- Is snort missing something? steven (Jul 01)
- <Possible follow-ups>
- Is snort missing something? steven (Jul 01)
- Re: Is snort missing something? Matt Watchinski (Jul 02)
- Re: Is snort missing something? steven (Jul 03)
- Re: Is snort missing something? Matt Watchinski (Jul 02)
- Re: Is snort missing something? Matt Scarborough (Jul 03)
- Re: Re: Is snort missing something? steven (Jul 04)
- Re: Re: Is snort missing something? Matt Scarborough (Jul 04)
- Re: Re: Is snort missing something? steven (Jul 05)