[Snort-sigs] HNAP Admin attempts

James Lay jlay at ...3266...
Thu Nov 14 10:47:07 EST 2013


So I'm not sure if I have this right...I don't have full pcaps either, 
just the GET:

GET /HNAP1/ HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008092215 Firefox/3.0.1 Orca/1.1 beta 3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: [redacted]
Authorization: Basic YWRtaW46UWFLJGRic0UsZmU3
Connection: keep-alive

GET /HNAP1/ HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: [redacted]
Authorization: Basic YWRtaW46eVQqOE1NX3hpeXFV
Connection: keep-alive


GET /HNAP1/ HTTP/1.1
Host: [redacted]
User-Agent: Opera/9.60 (Windows NT 5.1; U; de) Presto/2.1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: [redacted]
Authorization: Basic YWRtaW46cS5bLENkIz86SU4/
Connection: keep-alive

In each of the above three instances (all different source IPs), all 
were prefaced with port 8080 attempts first:

[519936.814987] IN=ppp0 OUT= MAC= SRC=[redacted] DST=[redacted] LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=46034 DF PROTO=TCP SPT=2388 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
[519939.807014] IN=ppp0 OUT= MAC= SRC=[redacted] DST=[redacted] LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=46035 DF PROTO=TCP SPT=2388 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0

# GET for /HNAP1/ carrying a Basic credential for user "admin". The URI buffers
# (http_uri / http_raw_uri) hold only the URI, never "GET " or " HTTP/1.1", so the
# method is matched with http_method and the path with http_uri. "admin:" is 6
# bytes, so its base64 "YWRtaW46" is a stable 8-character prefix whatever follows.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HNAP admin brute force login attempt"; flow:established,to_server; content:"GET"; http_method; content:"/HNAP1/"; http_uri; content:"Authorization|3a| Basic YWRtaW46"; http_header; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.cisco.com/web/partners/downloads/guest/hnap_protocol_whitepaper.pdf; classtype:bad-unknown; sid:10000112; rev:1;)

I'm not sure if I need to use http_uri or http_raw_uri... does 
normalizing remove the HTTP/1.1? Thanks all.

James
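The following is an added worked example, not part of James's post or of any Snort code: it parses the three captured HNAP1 requests the way an HTTP inspector does, so the request line is split into method, URI and version before any buffer is built (which is why neither http_uri nor http_raw_uri ever contains "HTTP/1.1"), decodes the Basic credential to confirm the user name is admin, and shows why the base64 prefix YWRtaW46 is a safe thing for the rule to key on. The source addresses, the Host value and the two non-matching requests are constructed placeholders; normalize_uri is a simplified stand-in for http_inspect's normalization, not a reimplementation of it.

```python
import base64
from collections import Counter
from urllib.parse import unquote

# base64("admin:") -- the constant the Snort rule keys on.
ADMIN_PREFIX = base64.b64encode(b"admin:").decode("ascii")  # "YWRtaW46"

# The three HNAP1 requests from the post, trimmed to the headers that matter,
# plus two constructed non-matching requests. Source addresses and the Host
# value are constructed placeholders (the post redacts them).
SAMPLE_REQUESTS = [
    ("192.0.2.10", "GET /HNAP1/ HTTP/1.1\r\nHost: router.example\r\n"
                   "Authorization: Basic YWRtaW46UWFLJGRic0UsZmU3\r\nConnection: keep-alive\r\n\r\n"),
    ("192.0.2.11", "GET /HNAP1/ HTTP/1.1\r\nHost: router.example\r\n"
                   "Authorization: Basic YWRtaW46eVQqOE1NX3hpeXFV\r\nConnection: keep-alive\r\n\r\n"),
    ("192.0.2.12", "GET /HNAP1/ HTTP/1.1\r\nHost: router.example\r\n"
                   "Authorization: Basic YWRtaW46cS5bLENkIz86SU4/\r\nConnection: keep-alive\r\n\r\n"),
    # constructed: same URI but a different user name -> must not match
    ("192.0.2.13", "GET /HNAP1/ HTTP/1.1\r\nHost: router.example\r\nAuthorization: Basic "
                   + base64.b64encode(b"guest:guest").decode("ascii") + "\r\n\r\n"),
    # constructed: admin credential against a different path -> must not match
    ("192.0.2.14", "GET /index.html HTTP/1.1\r\nHost: router.example\r\n"
                   "Authorization: Basic YWRtaW46cGFzcw==\r\n\r\n"),
]


def parse_request(raw):
    """Split an HTTP/1.1 request head into method, URI, version and headers.
    The request line is split into three fields, so the URI field never
    carries the method or the 'HTTP/1.1' token; Snort's http_uri and
    http_raw_uri buffers are built from that field alone."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, uri, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "version": version, "headers": headers}


def normalize_uri(uri):
    """Simplified stand-in for what http_inspect does to build http_uri:
    percent-decode the path and collapse repeated slashes. The real
    normalizer handles more, but it only rewrites the URI field itself."""
    path, sep, query = uri.partition("?")
    path = unquote(path)
    while "//" in path:
        path = path.replace("//", "/")
    return path + sep + query


def basic_auth_user(header_value):
    """Return the user name from a 'Basic <base64>' value, or None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    user, sep, _password = decoded.partition(b":")
    return user.decode("latin-1") if sep else None


def stable_b64_prefix(user):
    """Longest base64 prefix shared by every encoding of 'user:<password>'.
    base64 works on 3-byte groups, so only the full groups of 'user:' are
    independent of the password. 'admin:' is 6 bytes = 2 full groups, hence
    the 8-character 'YWRtaW46' the rule matches on; a 5-byte 'root:' only
    yields the 4-character encoding of 'roo'."""
    raw = user.encode("latin-1") + b":"
    full_groups = raw[: len(raw) - len(raw) % 3]
    return base64.b64encode(full_groups).decode("ascii")


def matches_hnap_admin(req):
    """Mirror the rule: GET, normalized URI /HNAP1/, Basic credential for 'admin'."""
    if req["method"] != "GET" or normalize_uri(req["uri"]) != "/HNAP1/":
        return False
    auth = req["headers"].get("authorization", "")
    return auth.startswith("Basic " + ADMIN_PREFIX) and basic_auth_user(auth) == "admin"


def attempts_by_source(samples):
    """Count matching attempts per source, so a burst from one address
    (the brute-force pattern in the post) stands out."""
    counts = Counter()
    for src, raw in samples:
        if matches_hnap_admin(parse_request(raw)):
            counts[src] += 1
    return counts


if __name__ == "__main__":
    for src, hits in attempts_by_source(SAMPLE_REQUESTS).items():
        print(f"{src}: {hits} HNAP admin login attempt(s)")
```

The prefix check is what makes a single static content string workable for any password: because "admin:" encodes to whole base64 groups, the first eight characters never change. For a user name whose "name:" length is not a multiple of three, stable_b64_prefix shows how much of the encoding a rule could safely match on.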
