[Snort-sigs] HNAP Admin attempts

lists at ...3397... lists at ...3397...
Thu Nov 14 11:00:26 EST 2013

On 11/14/2013 09:47 AM, James Lay wrote:
> content:"GET |2f|HNAP1|2f| 
> HTTP|2f|1.1"; http_raw_uri; fast_pattern:only content:"Authorization|3a| 
> Basic YWRtaW46"; http_header; metadata:policy balanced-ips drop, policy 
> security-ips drop, ruleset community, service 
> http;reference:url,www.cisco.com/web/partners/downloads/guest/hnap_protocol_whitepaper.pdf; 
> classtype:bad-unknown; sid:10000112; rev:1;)
> I'm not sure if I need to use http_uri or http_raw_uri....does 
> normalizing remove the HTTP/1.1?  Thanks all.

It actually won't be there, that or the http method.  I'd probably write it like
this (not saying I'm right)

content:"GET|20 2f|HNAP1|2f 20|HTTP|2f|1.1|0d 0a|"; fast_pattern:only;
content:"Authorization|3a 20|Basic YWRtaW46"; http_header;


More information about the Snort-sigs mailing list