Snort mailing list archives

Re: HNAP Admin attempts

From: Carlos Pacho <cpacho () sourcefire com>
Date: Thu, 14 Nov 2013 13:00:45 -0500

Thanks James we are taking a look at it.

Thanks,

Carlos Pacho
Research Engineer, VRT
Sourcefire, now part of Cisco
cpacho () sourcefire com
Sourcefire.com <http://www.sourcefire.com/>


On Thu, Nov 14, 2013 at 12:09 PM, James Lay <jlay () slave-tothe-box net>wrote:

On 2013-11-14 09:00, lists () packetmail net wrote:

On 11/14/2013 09:47 AM, James Lay wrote:

content:"GET |2f|HNAP1|2f|
HTTP|2f|1.1"; http_raw_uri; fast_pattern:only
content:"Authorization|3a|
Basic YWRtaW46"; http_header; metadata:policy balanced-ips drop,
policy
security-ips drop, ruleset community, service

http;reference:url,

www.cisco.com/web/partners/downloads/guest/hnap_protocol_whitepaper.pdf;

classtype:bad-unknown; sid:10000112; rev:1;)

I'm not sure if I need to use http_uri or http_raw_uri....does
normalizing remove the HTTP/1.1?  Thanks all.


It actually won't be there, that or the http method.  I'd probably
write it like
this (not saying I'm right)

content:"GET|20 2f|HNAP1|2f 20|HTTP|2f|1.1|0d 0a|";
fast_pattern:only;
content:"Authorization|3a 20|Basic YWRtaW46"; http_header;


Cheers,
Nathan


Thanks Nathan...gonna mod my sig and run in production and see how it
goes.

James


------------------------------------------------------------------------------
DreamFactory - Open Source REST & JSON Services for HTML5 & Native Apps
OAuth, Users, Roles, SQL, NoSQL, BLOB Storage and External API Access
Free app hosting. Or install the open source package on any LAMP server.
Sign up and see examples for AngularJS, jQuery, Sencha Touch and Native!
http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
DreamFactory - Open Source REST & JSON Services for HTML5 & Native Apps
OAuth, Users, Roles, SQL, NoSQL, BLOB Storage and External API Access
Free app hosting. Or install the open source package on any LAMP server.
Sign up and see examples for AngularJS, jQuery, Sencha Touch and Native!
http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

Current thread:

HNAP Admin attempts James Lay (Nov 14)
- Re: HNAP Admin attempts lists () packetmail net (Nov 14)
  - Re: HNAP Admin attempts James Lay (Nov 14)
    - Re: HNAP Admin attempts Carlos Pacho (Nov 14)
    - Re: HNAP Admin attempts rmkml (Nov 14)
    - Re: HNAP Admin attempts waldo kitty (Nov 14)
    - Re: HNAP Admin attempts Y M (Nov 14)
    - Re: HNAP Admin attempts James Lay (Nov 14)