[Snort-sigs] Q about uricontent vs content ; web bot name

Michael Scheidell scheidell at ...249...
Sun Aug 17 06:40:04 EDT 2003


I am looking at a sig like this to detect activity by 'nameprotect'
(see www.nameprotect.com, if it's causing lots of directory traversal
false alarms at YOUR site you might want to either alert separately or
add these to 'pass' rules.)

would the user agent be in the uricontent:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"CUSTOM nameprotect spybot access"; flow:to_server,established; \
uricontent:"User-Agent|3A| NPBot"; classtype:web-application-activity; \
reference:url,www.nameprotect.com/botinfo.html; sid:10048;)

or do I need straight content?

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"CUSTOM nameprotect spybot access"; flow:to_server,established; \
content:"User-Agent|3A| NPBot"; offset:4; classtype:web-application-activity;\
reference:url,www.nameprotect.com/botinfo.html; sid:10048;)

here is a typical packet trace.

000 : 47 45 54 20 2F 2E 2E 2F 64 69 63 74 2F 73 7A 2E   GET /../dict/sz.
010 : 68 74 6D 6C 20 48 54 54 50 2F 31 2E 31 0D 0A 48   html HTTP/1.1..H
020 : 6F 73 74 3A 20 77 77 77                           ost: www.sample1
030 : 2E 63 6F 6D 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E   .com..Connection
040 : 3A 20 4B 65 65 70 2D 41 6C 69 76 65 2C 20 54 45   : Keep-Alive, TE
050 : 0D 0A 54 45 3A 20 74 72 61 69 6C 65 72 73 2C 20   ..TE: trailers, 
060 : 64 65 66 6C 61 74 65 2C 20 67 7A 69 70 2C 20 63   deflate, gzip, c
070 : 6F 6D 70 72 65 73 73 0D 0A 55 73 65 72 2D 41 67   ompress..User-Ag
080 : 65 6E 74 3A 20 4E 50 42 6F 74 20 28 68 74 74 70   ent: NPBot (http
090 : 3A 2F 2F 77 77 77 2E 6E 61 6D 65 70 72 6F 74 65   ://www.nameprote
0a0 : 63 74 2E 63 6F 6D 2F 62 6F 74 69 6E 66 6F 2E 68   ct.com/botinfo.h
0b0 : 74 6D 6C 29 0D 0A 41 63 63 65 70 74 2D 45 6E 63   tml)..Accept-Enc
0c0 : 6F 64 69 6E 67 3A 20 64 65 66 6C 61 74 65 2C 20   oding: deflate, 
0d0 : 67 7A 69 70 2C 20 78 2D 67 7A 69 70 2C 20 63 6F   gzip, x-gzip, co
0e0 : 6D 70 72 65 73 73 2C 20 78 2D 63 6F 6D 70 72 65   mpress, x-compre
0f0 : 73 73 0D 0A 0D 0A                                 ss....

Michael Scheidell
SECNAP Network Security
Main: 561-368-9561 / www.secnap.com
Looking for a career in Internet security?
http://www.secnap.com/careers.html
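Added illustration, not part of the original post: the request from the hex dump above is rebuilt (the host name, which the dump elides, is a constructed placeholder) and the two rule variants are emulated, uricontent searching only the request URI and content searching the whole payload from the given offset, to show where the User-Agent header sits relative to the URI.

```python
# Added example, not from the original post: rebuild the request shown in
# the hex dump and emulate Snort's uricontent (URI only) vs content (whole
# payload) matching. Host bytes the dump elides are a constructed placeholder.
from typing import Optional

NPBOT_REQUEST = (
    b"GET /../dict/sz.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"  # constructed placeholder host
    b"Connection: Keep-Alive, TE\r\n"
    b"TE: trailers, deflate, gzip, compress\r\n"
    b"User-Agent: NPBot (http://www.nameprotect.com/botinfo.html)\r\n"
    b"Accept-Encoding: deflate, gzip, x-gzip, compress, x-compress\r\n"
    b"\r\n"
)

def request_uri(payload: bytes) -> Optional[bytes]:
    """Raw URI from the request line, or None if the line is malformed."""
    parts = payload.partition(b"\r\n")[0].split(b" ")
    return parts[1] if len(parts) == 3 else None

def header_value(payload: bytes, name: bytes) -> Optional[bytes]:
    """Case-insensitive lookup of the first header with the given name."""
    head = payload.partition(b"\r\n")[2].partition(b"\r\n\r\n")[0]
    for hdr in head.split(b"\r\n"):
        key, sep, value = hdr.partition(b":")   # split on the first colon only
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None

def uricontent_match(payload: bytes, pattern: bytes) -> bool:
    """Emulate uricontent: the pattern must occur inside the URI itself."""
    uri = request_uri(payload)
    return uri is not None and pattern in uri

def content_match(payload: bytes, pattern: bytes, offset: int = 0) -> bool:
    """Emulate content with offset: search the payload from that byte onward."""
    return pattern in payload[offset:]

def classify(payload: bytes) -> dict:
    """Evaluate both rule variants from the post plus a raw-URI traversal check."""
    pattern = b"User-Agent: NPBot"   # |3A| in the rule is just a literal colon
    return {
        "uricontent": uricontent_match(payload, pattern),
        "content": content_match(payload, pattern, offset=4),
        "traversal_in_uri": b"/../" in (request_uri(payload) or b""),
        "user_agent": header_value(payload, b"User-Agent"),
    }
```

Running `classify(NPBOT_REQUEST)` shows the uricontent variant never sees the header, while the content variant does; the raw-URI check also confirms why the `/../` request line trips traversal signatures.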
