[Snort-sigs] HNAP Admin attempts

Carlos Pacho cpacho at ...435...
Thu Nov 14 13:00:45 EST 2013


Thanks James, we are taking a look at it.

Thanks,

Carlos Pacho
Research Engineer, VRT
Sourcefire, now part of Cisco
cpacho at ...435...
Sourcefire.com <http://www.sourcefire.com/>


On Thu, Nov 14, 2013 at 12:09 PM, James Lay <jlay at ...3266...> wrote:

> On 2013-11-14 09:00, lists at ...3397... wrote:
> > On 11/14/2013 09:47 AM, James Lay wrote:
> >> content:"GET |2f|HNAP1|2f| HTTP|2f|1.1"; http_raw_uri; fast_pattern:only
> >> content:"Authorization|3a| Basic YWRtaW46"; http_header;
> >> metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http;
> >> reference:url,www.cisco.com/web/partners/downloads/guest/hnap_protocol_whitepaper.pdf;
> >> classtype:bad-unknown; sid:10000112; rev:1;)
> >>
> >> I'm not sure if I need to use http_uri or http_raw_uri....does
> >> normalizing remove the HTTP/1.1?  Thanks all.
> >
> > It actually won't be there, that or the http method.  I'd probably
> > write it like
> > this (not saying I'm right)
> >
> > content:"GET|20 2f|HNAP1|2f 20|HTTP|2f|1.1|0d 0a|";
> > fast_pattern:only;
> > content:"Authorization|3a 20|Basic YWRtaW46"; http_header;
> >
> >
> > Cheers,
> > Nathan
>
> Thanks Nathan...gonna mod my sig and run in production and see how it
> goes.
>
> James
>
>
>
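
The matching logic discussed in this thread, as an added Python example (not code from any poster and not Snort's own): it shows why the eight characters `YWRtaW46` identify the user `admin` whatever the password is, and that the method and `HTTP/1.1` sit in the raw request line rather than in the URI. The parser, the function names and the sample requests are constructed for illustration and only loosely model Snort's buffers.

```python
import base64

# "admin:" is 6 bytes, a multiple of 3, so its base64 form is exactly 8
# characters and does not change with the password that follows the colon.
ADMIN_PREFIX = base64.b64encode(b"admin:").decode()  # "YWRtaW46"
RAW_REQUEST_LINE = b"GET /HNAP1/ HTTP/1.1\r\n"       # what a raw-packet match sees


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, uri, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)  # ValueError if malformed
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, version, headers


def uri_buffer(raw: bytes) -> str:
    """Model of a URI-only buffer: no method and no protocol version."""
    return parse_request(raw)[1]


def is_hnap_admin_attempt(raw: bytes) -> bool:
    """True for GET /HNAP1/ carrying Basic credentials for user 'admin'."""
    try:
        method, uri, _version, headers = parse_request(raw)
    except ValueError:
        return False
    scheme, _, token = headers.get("authorization", "").partition(" ")
    return (method == "GET" and uri == "/HNAP1/" and scheme == "Basic"
            and token.strip().startswith(ADMIN_PREFIX))


def make_request(uri: str, user: str, password: str) -> bytes:
    """Build a constructed sample request (192.0.2.1 is a documentation IP)."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (f"GET {uri} HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            f"Authorization: Basic {cred}\r\n\r\n").encode()


if __name__ == "__main__":
    for user, pw in [("admin", "a"), ("admin", "example-long"), ("guest", "a")]:
        req = make_request("/HNAP1/", user, pw)
        print(user, pw, is_hnap_admin_attempt(req), repr(uri_buffer(req)))
```
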