[Snort-sigs] Grabbing more content

Paul Schmehl pauls at ...1311...
Tue Feb 14 14:21:05 EST 2006


--On Tuesday, February 14, 2006 15:53:02 -0600 Paul Schmehl 
<pauls at ...1311...> wrote:
>>
> No, I want to capture more of the same packet.  Not the entire
> conversation.
>
Apparently I can't communicate.  Let's try this again.

Here's the portion of the rule that captures packet content:
content:"{a 16 digit number goes here}"; content:"pass";

Here's the last portion of a packet:
1d0 : 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 35   ontent-Length: 5
1e0 : 36 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B   6..Connection: K
1f0 : 65 65 70 2D 41 6C 69 76 65 0D 0A 43 61 63 68 65   eep-Alive..Cache
200 : 2D 43 6F 6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63   -Control: no-cac
210 : 68 65 0D 0A 0D 0A 75 72 6C 3D 25 35 45 55 26 75   he....url=%5EU&u
220 : 73 65 72 3D 36 30 33 36 37 39 30 30 30 30 33 30   ser=603679000030
230 : 31 31 32 30 26 70 61 73 73 3D 26 53 55 42 4D 49   1120&pass=&SUBMI
240 : 54 3D 53 75 62 6D 69 74 2B 51 75 65 72 79 0D 0A   T=Submit+Query..

As you can see, only one additional line of data is captured after pass=.

I'd like to capture more of the packet, so that I can see exactly what the 
attackers are trying to do - is this an SQL overflow attempt?  Some sort of 
SQL query?  Something else?

Here's another packet that had a bit more info:

Cont
1c0 : 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 31 33 33 0D   ent-Length: 133.
1d0 : 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65   .Connection: Kee
1e0 : 70 2D 41 6C 69 76 65 0D 0A 43 61 63 68 65 2D 43   p-Alive..Cache-C
1f0 : 6F 6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 68 65   ontrol: no-cache
200 : 0D 0A 0D 0A 75 72 6C 3D 25 35 45 55 26 75 73 65   ....url=%5EU&use
210 : 72 3D 36 30 33 36 37 39 30 30 30 30 33 30 31 31   r=60367900003011
220 : 32 30 26 70 61 73 73 3D 73 6D 69 74 68 26 53 55   20&pass=smith&SU
230 : 42 4D 49 54 3D 25 32 36 25 32 33 32 35 35 35 32   BMIT=%26%2325552
240 : 25 33 42 25 32 36 25 32 33 32 30 31 33 32 25 33   %3B%26%2320132%3
250 : 42 25 32 36 25 32 33 32 36 35 39 37 25 33 42 25   B%26%2326597%3B%
260 : 32 36 25 32 33 33 35 38 31 30 25 33 42 25 32 36   26%2335810%3B%26
270 : 25 32 33 32 30 38 36 39 25 33 42 25 32 36 25 32   %2320869%3B%26%2
280 : 33 32 33 34 38 31 25 33 42 0D 0A                  323481%3B..

So, I'd like to capture the entire query, but not all of them will have the 
SUBMIT after pass=.

Does that clarify sufficiently?

I thought maybe distance would do it, but I'm not sure.

content:"blah"; content:"pass"; distance:4,relative;  ??

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
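As an added example (not code from the post or from the Snort project), a small Python script that rebuilds the second packet's hex dump into bytes, splits off the form body, and decodes the SUBMIT value, which is percent-encoded HTML numeric character references; it also reports how many payload bytes follow the `pass=` match. The dump lines are copied from the packet quoted above, starting at the header/body boundary.

```python
import html
import re
from urllib.parse import parse_qs

# Tail of the second packet quoted above (from the header/body boundary on),
# copied from the post's hex dump; dump_to_bytes reads lines in this layout.
DUMP = """\
200 : 0D 0A 0D 0A 75 72 6C 3D 25 35 45 55 26 75 73 65   ....url=%5EU&use
210 : 72 3D 36 30 33 36 37 39 30 30 30 30 33 30 31 31   r=60367900003011
220 : 32 30 26 70 61 73 73 3D 73 6D 69 74 68 26 53 55   20&pass=smith&SU
230 : 42 4D 49 54 3D 25 32 36 25 32 33 32 35 35 35 32   BMIT=%26%2325552
240 : 25 33 42 25 32 36 25 32 33 32 30 31 33 32 25 33   %3B%26%2320132%3
250 : 42 25 32 36 25 32 33 32 36 35 39 37 25 33 42 25   B%26%2326597%3B%
260 : 32 36 25 32 33 33 35 38 31 30 25 33 42 25 32 36   26%2335810%3B%26
270 : 25 32 33 32 30 38 36 39 25 33 42 25 32 36 25 32   %2320869%3B%26%2
280 : 33 32 33 34 38 31 25 33 42 0D 0A                  323481%3B..
"""
HEXBYTE = re.compile(r"[0-9A-Fa-f]{2}")

def dump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from 'offset : XX XX ...   ascii' dump lines.
    At most 16 byte columns are read per line, stopping at the first token
    that is not two hex digits, so the ASCII gutter is skipped and the short
    final line (11 bytes above) still parses."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split(":", 1)[1].split()[:16]:
            if not HEXBYTE.fullmatch(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

def form_fields(packet: bytes) -> dict:
    """Cut the HTTP body off at the blank line and parse it as a form post;
    keep_blank_values so an empty 'pass=' (as in the first packet) survives."""
    body = packet.split(b"\r\n\r\n", 1)[1].decode("ascii").strip()
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def decode_submit(packet: bytes) -> str:
    """After percent-decoding, SUBMIT is a run of HTML numeric character
    references (&#NNNNN;); resolve them to recover the text that was posted."""
    return html.unescape(form_fields(packet)["SUBMIT"])

def bytes_after(packet: bytes, needle: bytes) -> int:
    """Payload bytes following a content match. In Snort, distance/within
    only move or bound where the *next* content search starts relative to
    this match; they do not change how much of the packet gets logged."""
    i = packet.find(needle)
    return -1 if i < 0 else len(packet) - (i + len(needle))
```

Run against the dump above, `form_fields` yields the four form fields and `bytes_after(pkt, b"pass=")` shows 99 bytes of payload remain after the match, all of which Snort has in the packet regardless of the rule's content options.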
