[Snort-sigs] HNAP Admin attempts

James Lay jlay at ...3266...
Thu Nov 14 12:09:14 EST 2013


On 2013-11-14 09:00, lists at ...3397... wrote:
> On 11/14/2013 09:47 AM, James Lay wrote:
>> content:"GET |2f|HNAP1|2f| HTTP|2f|1.1"; http_raw_uri; fast_pattern:only;
>> content:"Authorization|3a| Basic YWRtaW46"; http_header;
>> metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http;
>> reference:url,www.cisco.com/web/partners/downloads/guest/hnap_protocol_whitepaper.pdf;
>> classtype:bad-unknown; sid:10000112; rev:1;)
>>
>> I'm not sure if I need to use http_uri or http_raw_uri....does
>> normalizing remove the HTTP/1.1?  Thanks all.
>
> It actually won't be there, that or the http method.  I'd probably
> write it like this (not saying I'm right)
>
> content:"GET|20 2f|HNAP1|2f 20|HTTP|2f|1.1|0d 0a|"; 
> fast_pattern:only;
> content:"Authorization|3a 20|Basic YWRtaW46"; http_header;
>
>
> Cheers,
> Nathan

Thanks Nathan...gonna mod my sig and run in production and see how it 
goes.

James
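Added example, not code from the thread or from Snort: a small Python model of the point Nathan makes. The normalized URI buffer holds only the request-target, so a request-line match against it never fires, while the same bytes match against the raw payload; it also decodes the header to confirm that YWRtaW46 is the base64 prefix for "admin:". The sample requests, the 192.0.2.1 address and the password are constructed.

```python
import base64
from typing import Optional, Tuple

# Constructed sample requests (not captured traffic): an HNAP login attempt
# with the default "admin" account, and a benign page fetch.
HNAP_ADMIN_REQUEST = (
    b"GET /HNAP1/ HTTP/1.1\r\n"
    b"Host: 192.0.2.1\r\n"
    b"Authorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n"
    b"\r\n"
)
BENIGN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: 192.0.2.1\r\n"
    b"\r\n"
)

def split_request(raw: bytes) -> Tuple[bytes, bytes]:
    """Fill buffers the way an HTTP inspector does: the URI buffer gets only
    the request-target, the header buffer everything after the request line."""
    request_line, _, rest = raw.partition(b"\r\n")
    _method, uri, _version = request_line.split(b" ", 2)
    headers = rest.rsplit(b"\r\n\r\n", 1)[0]
    return uri, headers

def raw_uri_matches(raw: bytes) -> bool:
    """James's original check: request-line bytes against the URI buffer."""
    uri, _ = split_request(raw)
    return b"GET /HNAP1/ HTTP/1.1" in uri

def rule_matches(raw: bytes) -> bool:
    """Nathan's version: full request line against the raw payload, plus the
    Basic-auth prefix against the header buffer."""
    _, headers = split_request(raw)
    return (b"GET /HNAP1/ HTTP/1.1\r\n" in raw
            and b"Authorization: Basic YWRtaW46" in headers)

def basic_auth_user(headers: bytes) -> Optional[str]:
    """Decode the Basic credential and return only the username, so an
    analyst can see what the YWRtaW46 prefix encodes without logging the
    password."""
    for line in headers.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            token = line.split(b" ", 2)[2]
            user, _, _ = base64.b64decode(token).partition(b":")
            return user.decode()
    return None
```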
