[Snort-sigs] HNAP Admin attempts

rmkml rmkml at ...174...
Thu Nov 14 15:54:11 EST 2013


Hi,

What do you think about this version, please? (removed file_data + added urilen + http_uri + short Authorization)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HNAP admin brute force login attempt"; \
flow:established,to_server; urilen:7; content:"/HNAP1/"; http_uri; fast_pattern:only; \
content:"Authorization|3a| Basic "; http_header; metadata:policy balanced-ips drop, policy \
security-ips drop, ruleset community, service http; \
reference:url,www.cisco.com/web/partners/downloads/guest/hnap_protocol_whitepaper.pdf; \
classtype:bad-unknown; sid:10000112; rev:2;)

Regards
@Rmkml


On Thu, 14 Nov 2013, Carlos Pacho wrote:

> Thanks James we are taking a look at it.
> 
> Thanks,
> 
> Carlos Pacho
> Research Engineer, VRT
> Sourcefire, now part of Cisco
> cpacho at ...435...
> Sourcefire.com
> 
> 
> On Thu, Nov 14, 2013 at 12:09 PM, James Lay <jlay at ...3266...> wrote:
>       On 2013-11-14 09:00, lists at ...3397... wrote:
>       > On 11/14/2013 09:47 AM, James Lay wrote:
>       >> content:"GET |2f|HNAP1|2f|
>       >> HTTP|2f|1.1"; http_raw_uri; fast_pattern:only
>       >> content:"Authorization|3a|
>       >> Basic YWRtaW46"; http_header; metadata:policy balanced-ips drop,
>       >> policy security-ips drop, ruleset community, service
>       >>
>       >> http;reference:url,www.cisco.com/web/partners/downloads/guest/hnap_protocol_whitepaper.pdf;
>       >> classtype:bad-unknown; sid:10000112; rev:1;)
>       >>
>       >> I'm not sure if I need to use http_uri or http_raw_uri....does
>       >> normalizing remove the HTTP/1.1?  Thanks all.
>       >
>       > It actually won't be there, that or the http method.  I'd probably
>       > write it like this (not saying I'm right)
>       >
>       > content:"GET|20 2f|HNAP1|2f 20|HTTP|2f|1.1|0d 0a|";
>       > fast_pattern:only;
>       > content:"Authorization|3a 20|Basic YWRtaW46"; http_header;
>       >
>       >
>       > Cheers,
>       > Nathan
> 
> Thanks Nathan...gonna mod my sig and run in production and see how it
> goes.
> 
> James
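Added example (not from anyone in this thread): a small Python emulation of the buffers the rule above matches against, showing Nathan's point that the method and HTTP version are not part of the URI buffer, and why the base64 "YWRtaW46" prefix from James's sig corresponds to the "admin:" username. The sample request and the 192.0.2.10 address are constructed.

```python
import base64

# Constructed sample request (not a capture from the thread); "YWRtaW46cGFzcw=="
# is base64("admin:pass"), so it still carries the "YWRtaW46" prefix.
SAMPLE_REQUEST = (
    "GET /HNAP1/ HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Authorization: Basic YWRtaW46cGFzcw==\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split an HTTP request into (request line, uri, lowercased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    _method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, uri, headers


def in_uri_buffer(raw, needle):
    """Emulate a content match restricted to the URI buffer: the method and
    HTTP version are not in it, so 'GET /HNAP1/ HTTP/1.1' never matches here."""
    return needle in parse_request(raw)[1]


def matches_hnap_rule(raw):
    """The checks of Rmkml's rule: urilen:7 plus '/HNAP1/' in the URI buffer,
    and an 'Authorization: Basic ' header."""
    _line, uri, headers = parse_request(raw)
    if len(uri) != 7 or "/HNAP1/" not in uri:
        return False
    return headers.get("authorization", "").startswith("Basic ")


def basic_prefix(username):
    """Base64 text every Basic credential for this user starts with. It is a
    clean prefix only when len(username) + 1 is a multiple of 3, as 'admin:'
    (6 bytes) is; that is why 'YWRtaW46' matches any password for admin."""
    return base64.b64encode(f"{username}:".encode()).decode()


def basic_user(auth_value):
    """Decode a 'Basic <b64>' header value and return the username only."""
    creds = base64.b64decode(auth_value.split(" ", 1)[1]).decode()
    return creds.split(":", 1)[0]
```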
