[Snort-sigs] Grabbing more content

Joel Esler joel.esler at ...435...
Tue Feb 14 15:20:04 EST 2006


Paul,

That may be all there is in the packet.  Try running Snort in packet
dump mode (or tcpdump) alongside Snort at the same time these
packets are alerting your IDS.  Make sure you have snaplen set to 0
(-s 0), and then compare the two.

That may be all there is.

Snort captures the full snaplen of the packet by default, so unless
you want to use tag to get the whole session, whatever is in the
alert is what is in the packet.

J


On Feb 14, 2006, at 5:20 PM, Paul Schmehl wrote:

> --On Tuesday, February 14, 2006 15:53:02 -0600 Paul Schmehl  
> <pauls at ...1311...> wrote:
>>>
>> No, I want to capture more of the same packet.  Not the entire
>> conversation.
>>
> Apparently I can't communicate.  Let's try this again.
>
> Here's the portion of the rule that captures packet content:
> content:"{a 16 digit number goes here}"; content:"pass";
>
> Here's the last portion of a packet:
> 1d0 : 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 35   ontent-Length: 5
> 1e0 : 36 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B   6..Connection: K
> 1f0 : 65 65 70 2D 41 6C 69 76 65 0D 0A 43 61 63 68 65   eep-Alive..Cache
> 200 : 2D 43 6F 6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63   -Control: no-cac
> 210 : 68 65 0D 0A 0D 0A 75 72 6C 3D 25 35 45 55 26 75   he....url=%5EU&u
> 220 : 73 65 72 3D 36 30 33 36 37 39 30 30 30 30 33 30   ser=603679000030
> 230 : 31 31 32 30 26 70 61 73 73 3D 26 53 55 42 4D 49   1120&pass=&SUBMI
> 240 : 54 3D 53 75 62 6D 69 74 2B 51 75 65 72 79 0D 0A   T=Submit+Query..
>
> As you can see, only one additional line of data is captured after  
> pass=.
>
> I'd like to capture more of the packet, so that I can see exactly  
> what the attackers are trying to do - is this a sql overflow  
> attempt?  Some sort of sql query?  Something else?
>
> Here's another packet that had a bit more info:
>
> Cont
> 1c0 : 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 31 33 33 0D   ent-Length: 133.
> 1d0 : 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65   .Connection: Kee
> 1e0 : 70 2D 41 6C 69 76 65 0D 0A 43 61 63 68 65 2D 43   p-Alive..Cache-C
> 1f0 : 6F 6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 68 65   ontrol: no-cache
> 200 : 0D 0A 0D 0A 75 72 6C 3D 25 35 45 55 26 75 73 65   ....url=%5EU&use
> 210 : 72 3D 36 30 33 36 37 39 30 30 30 30 33 30 31 31   r=60367900003011
> 220 : 32 30 26 70 61 73 73 3D 73 6D 69 74 68 26 53 55   20&pass=smith&SU
> 230 : 42 4D 49 54 3D 25 32 36 25 32 33 32 35 35 35 32   BMIT=%26%2325552
> 240 : 25 33 42 25 32 36 25 32 33 32 30 31 33 32 25 33   %3B%26%2320132%3
> 250 : 42 25 32 36 25 32 33 32 36 35 39 37 25 33 42 25   B%26%2326597%3B%
> 260 : 32 36 25 32 33 33 35 38 31 30 25 33 42 25 32 36   26%2335810%3B%26
> 270 : 25 32 33 32 30 38 36 39 25 33 42 25 32 36 25 32   %2320869%3B%26%2
> 280 : 33 32 33 34 38 31 25 33 42 0D 0A                  323481%3B..
>
> So, I'd like to capture the entire query, but not all of them will  
> have the SUBMIT after pass=.
>
> Does that clarify sufficiently?
>
> I thought maybe distance would do it, but I'm not sure.
>
> content:"blah"; content:"pass"; distance:4,relative;  ??
>
> Paul Schmehl (pauls at ...1311...)
> Adjunct Information Security Officer
> University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/ir/security/
>
>
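Worked example, added for this thread rather than taken from either message or from Snort itself. It rebuilds the payload from Paul's second hex dump (rows 1c0 through 280, embedded inline), compares the body the packet carries with the request's own Content-Length (Joel's "that may be all there is" check, done in code), URL-decodes the form fields and resolves the HTML numeric character references that make up the SUBMIT value, and models in a few lines how a Snort content match with distance/within walks those bytes. The window semantics in content_match are a deliberate simplification and are labelled as such in the code; the rule shape and every function name here are mine, not Snort syntax being executed.

```python
"""Added example for this thread: rebuild the payload from the hex dump Paul
quoted, check it against its own Content-Length, decode the form fields, and
model how Snort's content/distance/within window walks those bytes.
Not Snort source and not code from either poster."""
import html
import re
from urllib.parse import parse_qsl

# Rows 1c0-280 of the second packet quoted in the thread (the dump starts
# mid-header, so the first part of the request is simply not available).
HEX_DUMP = """\
1c0 : 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 31 33 33 0D   ent-Length: 133.
1d0 : 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65   .Connection: Kee
1e0 : 70 2D 41 6C 69 76 65 0D 0A 43 61 63 68 65 2D 43   p-Alive..Cache-C
1f0 : 6F 6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 68 65   ontrol: no-cache
200 : 0D 0A 0D 0A 75 72 6C 3D 25 35 45 55 26 75 73 65   ....url=%5EU&use
210 : 72 3D 36 30 33 36 37 39 30 30 30 30 33 30 31 31   r=60367900003011
220 : 32 30 26 70 61 73 73 3D 73 6D 69 74 68 26 53 55   20&pass=smith&SU
230 : 42 4D 49 54 3D 25 32 36 25 32 33 32 35 35 35 32   BMIT=%26%2325552
240 : 25 33 42 25 32 36 25 32 33 32 30 31 33 32 25 33   %3B%26%2320132%3
250 : 42 25 32 36 25 32 33 32 36 35 39 37 25 33 42 25   B%26%2326597%3B%
260 : 32 36 25 32 33 33 35 38 31 30 25 33 42 25 32 36   26%2335810%3B%26
270 : 25 32 33 32 30 38 36 39 25 33 42 25 32 36 25 32   %2320869%3B%26%2
280 : 33 32 33 34 38 31 25 33 42 0D 0A                  323481%3B..
"""

# One dump row: offset, colon, then hex pairs each followed by whitespace.
ROW = re.compile(r"^\s*[0-9a-fA-F]+\s*:\s*((?:[0-9A-Fa-f]{2}\s)+)")


def parse_hex_dump(dump):
    """Turn 'offset : hex bytes   ascii' rows into the raw payload bytes."""
    out = bytearray()
    for line in dump.splitlines():
        m = ROW.match(line)
        if m:
            out.extend(bytes.fromhex(m.group(1)))
    return bytes(out)


def split_http(payload):
    """Split at the blank line: (header text, body bytes)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    return head.decode("ascii", "replace"), body


def check_body_complete(payload):
    """Joel's check in code: (declared Content-Length, body bytes the packet
    actually carries).  If the second is >= the first, the alert already
    shows everything the client sent; there is nothing more to capture."""
    head, body = split_http(payload)
    m = re.search(r"Length:\s*(\d+)", head)
    return (int(m.group(1)) if m else None), len(body)


def decode_form(body, declared=None):
    """URL-decode the form, then resolve HTML numeric character references
    (the SUBMIT value is a run of &#NNNNN; references, i.e. a localised
    button label rather than SQL)."""
    data = body[:declared] if declared else body
    pairs = parse_qsl(data.decode("ascii"), keep_blank_values=True)
    return {k: html.unescape(v) for k, v in pairs}


def content_match(payload, pattern, doe=0, distance=0, within=None):
    """Simplified model of one Snort content match relative to the end of
    the previous match (doe).  Assumption of this model: the search window
    opens `distance` bytes past doe and, when `within` is given, the match
    must end no more than `within` bytes past that point.  Returns the new
    doe, or None when the content is not found inside the window."""
    start = doe + distance
    end = len(payload) if within is None else min(len(payload), start + within)
    idx = payload.find(pattern, start, end)
    return None if idx < 0 else idx + len(pattern)


def query_after_user(payload):
    """Rule shape from the thread, as this model evaluates it:
       content:"user="; content:"pass="; distance:0; within:40;
    then return the rest of the line so the analyst sees the whole query."""
    doe = content_match(payload, b"user=")
    if doe is None:
        return None
    doe = content_match(payload, b"pass=", doe, distance=0, within=40)
    if doe is None:
        return None
    return payload[doe - len(b"pass="):].split(b"\r\n", 1)[0]


if __name__ == "__main__":
    pkt = parse_hex_dump(HEX_DUMP)
    declared, present = check_body_complete(pkt)
    print(f"Content-Length: {declared}, body bytes in packet: {present}")
    _, body = split_http(pkt)
    for k, v in decode_form(body, declared).items():
        print(f"  {k} = {v!r}")
    print("matched query:", query_after_user(pkt))
```

Run against the dump as quoted, the packet carries 135 body bytes (133 declared plus the trailing CRLF), so the alert already held the complete request and nothing further was left to capture; the same Content-Length comparison is what a tcpdump -s 0 capture of the same session would confirm.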