Snort mailing list archives
Re: HNAP Admin attempts
From: rmkml <rmkml () yahoo fr>
Date: Thu, 14 Nov 2013 21:54:11 +0100 (CET)
Hi, What you think about this version please ? (removed file_data + added uurilen + http_uri + short Authorization) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HNAP admin brute force login attempt"; flow:established,to_server; urilen:7; content:"/HNAP1/"; http_uri; fast_pattern:only content:"Authorization|3a| Basic "; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http;reference:url,www.cisco.com/web/partners/downloads/guest/hnap_protocol_whitepaper.pdf; classtype:bad-unknown; sid:10000112; rev:2;) Regards @Rmkml On Thu, 14 Nov 2013, Carlos Pacho wrote:
Thanks James we are taking a look at it. Thanks, Carlos Pacho Research Engineer, VRT Sourcefire, now part of Cisco cpacho () sourcefire com Sourcefire.com On Thu, Nov 14, 2013 at 12:09 PM, James Lay <jlay () slave-tothe-box net> wrote: On 2013-11-14 09:00, lists () packetmail net wrote: > On 11/14/2013 09:47 AM, James Lay wrote: >> content:"GET |2f|HNAP1|2f| >> HTTP|2f|1.1"; http_raw_uri; fast_pattern:only >> content:"Authorization|3a| >> Basic YWRtaW46"; http_header; metadata:policy balanced-ips drop, >> policy security-ips drop, ruleset community, service >> >> http;reference:url,www.cisco.com/web/partners/downloads/guest/hnap_protocol_whitepaper.pdf; >> classtype:bad-unknown; sid:10000112; rev:1;) >> >> I'm not sure if I need to use http_uri or http_raw_uri....does >> normalizing remove the HTTP/1.1? Thanks all. > > It actually won't be there, that or the http method. I'd probably > write it like this (not saying I'm right) > > content:"GET|20 2f|HNAP1|2f 20|HTTP|2f|1.1|0d 0a|"; > fast_pattern:only; > content:"Authorization|3a 20|Basic YWRtaW46"; http_header; > > > Cheers, > Nathan Thanks Nathan...gonna mod my sig and run in production and see how it goes. James
------------------------------------------------------------------------------ DreamFactory - Open Source REST & JSON Services for HTML5 & Native Apps OAuth, Users, Roles, SQL, NoSQL, BLOB Storage and External API Access Free app hosting. Or install the open source package on any LAMP server. Sign up and see examples for AngularJS, jQuery, Sencha Touch and Native! http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- HNAP Admin attempts James Lay (Nov 14)
- Re: HNAP Admin attempts lists () packetmail net (Nov 14)
- Re: HNAP Admin attempts James Lay (Nov 14)
- Re: HNAP Admin attempts Carlos Pacho (Nov 14)
- Re: HNAP Admin attempts rmkml (Nov 14)
- Re: HNAP Admin attempts waldo kitty (Nov 14)
- Re: HNAP Admin attempts Y M (Nov 14)
- Re: HNAP Admin attempts James Lay (Nov 14)
- Re: HNAP Admin attempts James Lay (Nov 14)
- Re: HNAP Admin attempts lists () packetmail net (Nov 14)