Snort mailing list archives

Re: Re: Is snort missing something?


From: steven <steven () steven4u net>
Date: Thu, 05 Jul 2001 14:25:28 +0800

Wonderful paper! Thanks a lot.


Matt Scarborough wrote:

On Thu, 05 Jul 2001 00:36:34 +0800, steven wrote:

I understand now. Another thing interests me: do you know similar things
about MSSQL server?

Dog slow... buggy as hell... oh wait, wrong question.

What happens when a client logs in from the network? I once used
snort to capture a login packet for test purposes, and I found the username/pwd is
plain text. But when I did the capture in the real world, I found the packet is
very different. Maybe I use a 7.0 client and the other guy uses another client. Do
you have any idea about this?

This thing just refuses to die. Kick it hard.
http://www.innovation.ch/java/ntlm.html

Matt Scarborough 2001-07-05

Matt Scarborough wrote:

On Sun, 01 Jul 2001 16:01:19 +0800, steven wrote:

Hi,

I am doing a test of sniffing packets in an HTTP authentication
session.  The HTTP authentication is a feature built into my Apache
server (I believe it's also the same with other popular HTTP servers on the
market).

The picture is:

1. The browser requests a document from the server.
2. The server issues an authentication challenge.
3. The browser prompts the user for credentials (typically via a username/password popup).
4. The browser sends a new request to the server, including the credentials (username and encrypted password) entered.

You have the steps right. Snort isn't missing anything.

Be aware with Basic Authorization, both the username and password are
encoded, not encrypted. Big difference there.

See DSNIFF at monkey.org or the datanerds.net for a program to do that
automatically for you.

5. The server validates the credentials supplied, and (if acceptable)
returns the document requested.

So, I wrote a .htaccess file on my server to make this happen.  Then I
opened the browser and accessed the protected documents.  During the
operation, I was running snort on the server to monitor the full
process.

Everything is *ALMOST* okay: snort captured the packets for steps
1, 2, and 5 (step 3 is the client-end behavior).  But I did *NOT*
see the transferred packet for step 4 -- that is just what I am really
interested in.

I attached the logged packets below for your information:


<snip>
This packet, near the end.


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-04:14:00.215903 0:60:97:2E:7:B8 -> 52:54:4C:29:40:68 type:0x800
len:0x1FE
192.168.1.1:2637 -> 61.142.75.69:80 TCP TTL:128 TOS:0x0 ID:60910
IpLen:20 DgmLen:496 DF
***AP*** Seq: 0x2B31202A  Ack: 0xA8367DAD  Win: 0xFA72  TcpLen: 32
TCP Options (3) => NOP NOP TS: 102076 35768581

<more snip>

That's the username:password combo UUEncoded
bW9uZXk6Z29vZGJ5ZQ==

Matt Watchinski posted it decoded for you.

6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 41  n: Keep-Alive..A
75 74 68 6F 72 69 7A 61 74 69 6F 6E 3A 20 42 61  uthorization: Ba
73 69 63 20 62 57 39 75 5A 58 6B 36 5A 32 39 76  sic bW9uZXk6Z29v
5A 47 4A 35 5A 51 3D 3D 0D 0A 0D 0A              ZGJ5ZQ==....


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Matt Scarborough 2001-07-03


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list

--
-
steven

tel:     +86 760 8320102
rfc-822: steven () steven4u net

       \|||/
       (o o)
----ooO-(_)-Ooo--------
If money could talk, it would say - goodbye
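As an added example that is not part of the thread (my code, not Matt's or Snort's): this Python script rebuilds the payload bytes from the Snort hex dump quoted above and decodes the Basic Authorization header the way Matt Watchinski did, which is the concrete demonstration that Basic auth credentials are base64-encoded, not encrypted. The dump text is copied from the message; the function names are mine.

```python
import base64
import re

# The four hex-dump lines exactly as Snort printed them in the thread
# (copied from the quoted message; only the tail of the request is shown).
SNORT_DUMP = """\
6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 41  n: Keep-Alive..A
75 74 68 6F 72 69 7A 61 74 69 6F 6E 3A 20 42 61  uthorization: Ba
73 69 63 20 62 57 39 75 5A 58 6B 36 5A 32 39 76  sic bW9uZXk6Z29v
5A 47 4A 35 5A 51 3D 3D 0D 0A 0D 0A              ZGJ5ZQ==....
"""

# Snort's dump layout: 16 hex pairs separated by single spaces (47 columns,
# space-padded on the last line), two spaces, then the ASCII rendering.
HEX_COLUMNS = 16 * 3 - 1

def payload_from_snort_dump(dump: str) -> bytes:
    """Rebuild raw payload bytes from a Snort hex dump, ignoring the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        # Only the fixed-width hex region is parsed; int() rejects anything
        # that is not a hex pair, so a misaligned line fails loudly.
        out.extend(int(tok, 16) for tok in line[:HEX_COLUMNS].split())
    return bytes(out)

# Header names are case-insensitive; the value after "Basic" is base64 of
# "user:password" (RFC 2617). Anyone on the path sees it as clearly as the
# server does, which is why Basic auth needs TLS underneath it.
BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def find_basic_credentials(payload: bytes):
    """Return (user, password) if the payload carries a Basic Authorization header."""
    m = BASIC_RE.search(payload)
    if m is None:
        return None
    decoded = base64.b64decode(m.group(1)).decode("latin-1")
    user, _, password = decoded.partition(":")   # split on the first colon only
    return user, password

if __name__ == "__main__":
    payload = payload_from_snort_dump(SNORT_DUMP)
    print(payload)                               # the reassembled request tail
    print(find_basic_credentials(payload))       # ('money', 'goodbye')
```

Matching on this header (or on the "Basic" scheme in a WWW-Authenticate challenge) is also what an IDS content rule would key on if you want to be alerted whenever Basic credentials cross a segment in the clear.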



