Snort mailing list archives
Re: Fwd: How to detect OS with Snort?
From: Kevin Ross <kevross33 () googlemail com>
Date: Wed, 9 May 2012 09:02:52 +0100
Are you running snort in inline mode (IPS) so that you can block attacks? How is the data being accessed by the mobile phones (web browser I assume)? Are all mobile devices the same or only a few? If it is IPS and snort is all you have what you could do is go: pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Pass/Ignore Mobile Device User Agent - Blackberry"; flow:established,to_server; content:"(B****lackberry|3B 20|"; nocase; http_header; classtype:not-suspicious; sid:149911; rev:1;) pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Pass/Ignore Mobile Device User Agent - Android"; flow:established,to_server; content:"(Linux|3B 20| U|3B 20|Android"; nocase; http_header; classtype:not-suspicious; sid:149912; rev:1;) and so on. then drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Drop All Other User Agents Inbound to Web Server"; flow:established,to_server; content:"User-Agent|3A 20|"; http_header; classtype:misc-activity; sid:149913; rev:1;) Pass rules are processed first so it will pass them and then block all other traffic containing the user agent header. I suppose you could do alert but it is going to pick up crawlers, probes, "innocent" stuff etc. If it is website you could also maybe in the website code do a user agent check and go from there (trivial to bypass). i.e http://www.quirksmode.org/js/detect.html. You could also password protect it/remove the data. If it is not in IPS mode/able to actively respond to the attack may I ask how do you intend to respond to a windows machine viewing the data? What happens if it is a Linux machine, MAC or whatever that also does it eventually? There is the possibility the machines viewing the data are compromised with malware. All of the methods mentioned here can be bypassed however/evaded. Regards, Kev On 9 May 2012 07:05, Borja Luaces <borja.luaces () gmail com> wrote:
Hello everyone, I am going to explain more or less the environment. One of my clients web site that supposed to be accesed from mobile phones is beeing actively used by phishers to steal usernames and passwords. What I have found is that once the poor user has introduced the data into the phishing site, this site makes a data check and the OS that is launching this check is a Windows XP, so what I am trying to do is block this data check. As waldo kitty said, I know that that information can be faked and that this rule is mostly unuseful. All my weapons are snort rules, just that. I hope that with this little more info you could help me. Once again thanks to all, On Wed, May 9, 2012 at 4:09 AM, waldo kitty <wkitty42 () windstream net>wrote:On 5/8/2012 15:25, Borja Luaces wrote:Firstly, thanks. i know that Nmap is a better tool but the fact is that the rule is todetectspecific attacks from windows OS. The company I work for does not allowme toinstall anything else. I have to do it with snort this is why I amtrying thatrule but it seems not to work.what does it matter what OS an attack originates from? detect the atack and drop, alert or block as necessary... what i saw your rule doing appeared to be only detecting possible user agents in http headers but those are faked all the time with valid ones appearing along with invalid ones... i can tell you that they are coming from all different OS' no matter what OS the UA says it is... witness forum spammer's tools and infiltration techniques... ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!-- Borja Luaces Altares Administrador/Analista de Sistemas (MCSE Security,C|EH & CSSA) ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- How to detect OS with Snort? Borja Luaces (May 08)
- Re: How to detect OS with Snort? Nick Moore (May 08)
- Re: How to detect OS with Snort? JJC (May 08)
- Re: How to detect OS with Snort? Peter Bates (May 08)
- Message not available
- Fwd: How to detect OS with Snort? Borja Luaces (May 08)
- Re: Fwd: How to detect OS with Snort? Joel Esler (May 08)
- Re: Fwd: How to detect OS with Snort? Jason Haar (May 08)
- Re: Fwd: How to detect OS with Snort? waldo kitty (May 08)
- Re: Fwd: How to detect OS with Snort? Borja Luaces (May 08)
- Re: Fwd: How to detect OS with Snort? Kevin Ross (May 09)
- Re: Fwd: How to detect OS with Snort? Borja Luaces (May 09)
- Re: Fwd: How to detect OS with Snort? Peter Bates (May 09)
- Re: Fwd: How to detect OS with Snort? Paul Schmehl (May 09)
- Re: Fwd: How to detect OS with Snort? Borja Luaces (May 09)
- Message not available
- Re: Fwd: How to detect OS with Snort? Kevin Ross (May 09)
- Re: How to detect OS with Snort? Nick Moore (May 08)
- Re: How to detect OS with Snort? Joel Esler (May 16)
- Re: How to detect OS with Snort? Olaf Schreck (May 16)
- Re: How to detect OS with Snort? Jason Haar (May 17)
- Re: How to detect OS with Snort? Borja Luaces (May 17)