[Snort-sigs] Q about uricontent vs content ; web bot name

Dale L. Handy dhandy at ...1244...
Mon Aug 18 10:11:10 EDT 2003


The uricontent is the part between the 'GET' and the 'HTTP/1.1', without 
the leading or trailing spaces.  Therefore, you would need to look for 
the 'User-Agent' in the content.  The uricontent is produced by the 
http-decode preprocessor.  It also normalizes the uricontent for 
simplifying your rules.

Michael Scheidell wrote:

>I am looking at a sig like this to detect activity by 'nameprotect'
>(see www.nameprotect.com, if it's causing lots of directory traversal
>false alarms at YOUR site you might want to either alert separately or
>add these to 'pass' rules.)
>
>would the user agent be in the uricontent:
>
>alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"CUSTOM
>nameprotect spybot access"; flow:to_server,established;
>uricontent:"User-Agent|3A| NPBot"; classtype:web-application-activity;
>reference:url,www.nameprotect.com/botinfo.html; sid:10048;)
>
>or do I need straight content?
>
>alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
>(msg:"CUSTOM nameprotect spybot access"; flow:to_server,established; \
>content:"User-Agent|3A| NPBot"; offset:4; classtype:web-application-activity;\
>reference:url,www.nameprotect.com/botinfo.html; sid:10048;)
>
>here is a typical packet trace.
>
>000 : 47 45 54 20 2F 2E 2E 2F 64 69 63 74 2F 73 7A 2E   GET /../dict/sz.
>010 : 68 74 6D 6C 20 48 54 54 50 2F 31 2E 31 0D 0A 48   html HTTP/1.1..H
>020 : 6F 73 74 3A 20 77 77 77                           ost: www.sample1
>030 : 2E 63 6F 6D 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E   .com..Connection
>040 : 3A 20 4B 65 65 70 2D 41 6C 69 76 65 2C 20 54 45   : Keep-Alive, TE
>050 : 0D 0A 54 45 3A 20 74 72 61 69 6C 65 72 73 2C 20   ..TE: trailers, 
>060 : 64 65 66 6C 61 74 65 2C 20 67 7A 69 70 2C 20 63   deflate, gzip, c
>070 : 6F 6D 70 72 65 73 73 0D 0A 55 73 65 72 2D 41 67   ompress..User-Ag
>080 : 65 6E 74 3A 20 4E 50 42 6F 74 20 28 68 74 74 70   ent: NPBot (http
>090 : 3A 2F 2F 77 77 77 2E 6E 61 6D 65 70 72 6F 74 65   ://www.nameprote
>0a0 : 63 74 2E 63 6F 6D 2F 62 6F 74 69 6E 66 6F 2E 68   ct.com/botinfo.h
>0b0 : 74 6D 6C 29 0D 0A 41 63 63 65 70 74 2D 45 6E 63   tml)..Accept-Enc
>0c0 : 6F 64 69 6E 67 3A 20 64 65 66 6C 61 74 65 2C 20   oding: deflate, 
>0d0 : 67 7A 69 70 2C 20 78 2D 67 7A 69 70 2C 20 63 6F   gzip, x-gzip, co
>0e0 : 6D 70 72 65 73 73 2C 20 78 2D 63 6F 6D 70 72 65   mpress, x-compre
>0f0 : 73 73 0D 0A 0D 0A                                 ss....
>
>Michael Scheidell
>SECNAP Network Security
>Main: 561-368-9561 / www.secnap.com
>Looking for a career in Internet security?
>http://www.secnap.com/careers.html
>
>
>_______________________________________________
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/snort-sigs

-- 
"The trouble with doing something right the first time 
 is that nobody appreciates how difficult it was."

-- Dale L. Handy, P.E.
   dhandy at ...1244...
   http://www.nitrodata.com
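The distinction Dale draws above, worked through on the posted trace as an added example (this is not code from the thread or from the Snort project): the script rebuilds the NPBot request from the quoted hex dump, carves out the buffer a `uricontent` match sees (the URI between the method and the version, normalized) and compares that with what a plain `content` match sees (the whole payload from `offset` onward). The `matches` helper is a simplified model of Snort's matching, not Snort itself; the only normalization it applies is %xx decoding, which is an assumption that stands in for what the http-decode preprocessor does; the redacted Host value is filled with the poster's placeholder `www.sample1.com`, and the second, percent-encoded request is constructed for illustration.

```python
"""Model of Snort 'uricontent' vs 'content' matching on the NPBot request.

Added example, not from the original post.  The matching here is a
simplified stand-in for Snort (assumption): uricontent searches only the
normalized request URI, content searches the raw payload from 'offset'.
"""
from urllib.parse import unquote_to_bytes

# Constructed sample: the request from the quoted hex dump.  The Host value
# was redacted in the trace; the poster's placeholder is used (assumption).
NPBOT_REQUEST = (
    b"GET /../dict/sz.html HTTP/1.1\r\n"
    b"Host: www.sample1.com\r\n"
    b"Connection: Keep-Alive, TE\r\n"
    b"TE: trailers, deflate, gzip, compress\r\n"
    b"User-Agent: NPBot (http://www.nameprotect.com/botinfo.html)\r\n"
    b"Accept-Encoding: deflate, gzip, x-gzip, compress, x-compress\r\n"
    b"\r\n"
)

# Constructed sample: the same traversal with the dots percent-encoded, to
# show why the preprocessor normalizes the URI before uricontent is applied.
ENCODED_REQUEST = (
    b"GET /%2e%2e/dict/sz.html HTTP/1.1\r\n"
    b"Host: www.sample1.com\r\n"
    b"\r\n"
)


def snort_pattern(pattern: str) -> bytes:
    """Decode a Snort content string: literal text with |xx xx| hex escapes."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")      # literal text
        else:
            out += bytes.fromhex(chunk)         # hex bytes between the bars
    return bytes(out)


def uri_buffer(payload: bytes) -> bytes:
    """The URI: request-line text between the method and the version,
    without the surrounding spaces (HTTP/0.9 lines have no version)."""
    request_line = payload.split(b"\r\n", 1)[0]
    first = request_line.find(b" ")
    if first < 0:
        return b""
    last = request_line.rfind(b" ")
    if last == first:
        return request_line[first + 1:].strip(b" ")
    return request_line[first + 1:last].strip(b" ")


def normalize_uri(uri: bytes) -> bytes:
    """Simplified normalization (assumption): only %xx decoding is modelled."""
    return unquote_to_bytes(uri)


def matches(payload: bytes, pattern: str, buffer: str = "content",
            offset: int = 0) -> bool:
    """True if the decoded pattern occurs in the chosen buffer."""
    needle = snort_pattern(pattern)
    if buffer == "uricontent":
        haystack = normalize_uri(uri_buffer(payload))
    else:
        haystack = payload[offset:]
    return needle in haystack


if __name__ == "__main__":
    checks = [
        ("User-Agent|3A| NPBot", "uricontent", 0, NPBOT_REQUEST),
        ("User-Agent|3A| NPBot", "content", 4, NPBOT_REQUEST),
        ("/../", "uricontent", 0, NPBOT_REQUEST),
        ("/../", "uricontent", 0, ENCODED_REQUEST),
        ("/../", "content", 0, ENCODED_REQUEST),
    ]
    for pattern, buf, off, req in checks:
        print(f"{buf:10s} offset:{off} {pattern!r:28s} -> "
              f"{matches(req, pattern, buf, off)}")
```

Run as a script and the first line shows the point of the reply: the User-Agent pattern never matches in the URI buffer, and only the `content` rule fires. The last two lines show the other half of Dale's answer: the percent-encoded traversal is invisible to a raw `content:"/../"` match but is caught by `uricontent:"/../"` once the URI is normalized, which is also why NPBot's `/../` fetches trip the stock traversal rules.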