[Snort-users] html post question

Rich Adamson radamson at ...2127...
Tue Dec 9 06:37:08 EST 2003


Wonder if someone on the list might recognize the pkt content shown 
below. We're seeing a number of hosts posting spam via this 
request2.cgi perl script on RH9 with Apache. Two questions:
1. is this becoming a fairly common spamming method?
2. I'm assuming the perl script should be updated to validate the
   posted data (which it obviously is not now), correct?
3. If I were to write a rule to detect this, it would appear the only
   key content items are "POST" and the length of the packet (normally
   would not expect anything greater than about 500 bytes). Anyone
   spot other key info that could be used in a rule?

Rich


ADDR  HEX                                               ASCII
0040: 78 6d 50 4f 53 54 20 2f 63 67 69 2d 62 69 6e 2f | xmPOST /cgi-bin/
0050: 72 65 71 75 65 73 74 32 2e 63 67 69 20 48 54 54 | request2.cgi HTT
0060: 50 2f 31 2e 30 0d 0a 52 65 66 65 72 65 72 3a 20 | P/1.0..Referer: 
0070: 68 74 74 70 3a 2f 2f 77 77 77 2e 72 6f 75 74 65 | http://www.route
0080: 72 73 2e 63 6f 6d 2f 0d 0a 43 6f 6e 74 65 6e 74 | rs.com/..Content
0090: 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 | -Type: applicati
00a0: 6f 6e 2f 78 2d 77 77 77 2d 75 72 6c 2d 65 6e 63 | on/x-www-url-enc
00b0: 6f 64 65 64 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 | oded..Content-Le
00c0: 6e 67 74 68 3a 20 31 35 32 32 37 0d 0a 43 6f 6e | ngth: 15227..Con
00d0: 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c | nection: keep-al
00e0: 69 76 65 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 72 | ive..Host: www.r
00f0: 6f 75 74 65 72 73 2e 63 6f 6d 0d 0a 0d 0a 6e 68 | outers.com....nh
0100: 63 3d 42 61 6e 6b 69 6e 67 20 41 73 73 65 73 73 | c=Banking Assess
0110: 6d 65 6e 74 26 62 6c 3d 4e 65 74 20 50 65 72 66 | ment&bl=Net Perf
0120: 6f 72 6d 61 6e 63 65 26 66 72 61 3d 4e 65 74 44 | ormance&fra=NetD
0130: 6f 63 73 26 72 65 74 3d 4f 6e 2d 53 69 74 65 20 | ocs&ret=On-Site 
0140: 54 72 61 69 6e 69 6e 67 26 73 74 61 3d 56 75 6c | Training&sta=Vul
0150: 6e 65 72 61 62 69 6c 69 74 79 20 41 73 73 65 73 | nerability Asses
0160: 73 6d 65 6e 74 26 6f 74 68 3d 4f 74 68 65 72 26 | sment&oth=Other&
0170: 4f 74 68 65 72 49 6e 66 6f 3d 66 72 65 64 64 79 | OtherInfo=freddy
0180: 38 30 38 40 77 77 77 2e 72 6f 75 74 65 72 73 2e | 808 at ...10707...
0190: 63 6f 6d 26 6e 61 6d 65 3d 25 30 41 54 6f 25 33 | com&name=%0ATo%3
01a0: 41 2b 66 72 65 64 64 79 38 30 38 25 34 30 77 77 | A+freddy808%40ww
01b0: 77 25 32 45 72 6f 75 74 65 72 73 25 32 45 63 6f | w%2Erouters%2Eco
01c0: 6d 25 30 41 46 72 6f 6d 25 33 41 2b 41 64 6f 62 | m%0AFrom%3A+Adob
01d0: 65 50 68 6f 74 6f 73 68 6f 70 37 30 35 36 31 25 | ePhotoshop70561%
01e0: 34 30 71 75 69 6b 25 32 45 63 6f 6d 25 30 41 62 | 40quik%2Ecom%0Ab
01f0: 63 63 25 33 41 2b 79 74 6b 64 34 25 34 30 61 6f | cc%3A+ytkd4%40ao
0200: 6c 25 32 45 63 6f 6d 25 32 43 62 65 63 6b 6e 61 | l%2Ecom%2Cbeckna
0210: 74 61 6c 69 65 25 34 30 61 6f 6c 25 32 45 63 6f | talie%40aol%2Eco
0220: 6d 25 32 43 76 65 72 69 74 61 73 68 25 34 30 61 | m%2Cveritash%40a
0230: 6f 6c 25 32 45 63 6f 6d 25 32 43 69 6c 69 76 65 | ol%2Ecom%2Cilive
0240: 69 6e 74 68 65 74 76 25 34 30 61 6f 6c 25 32 45 | inthetv%40aol%2E
0250: 63 6f 6d 25 32 43 67 75 72 32 64 32 25 34 30 61 | com%2Cgur2d2%40a
0260: 6f 6c 25 32 45 63 6f 6d 25 32 43 6b 65 73 74 72 | ol%2Ecom%2Ckestr
0270: 61 32 31 36 31 25 34 30 61 6f 6c 25 32 45 63 6f | a2161%40aol%2Eco
0280: 6d 25 32 43 6e 79 6f 6e 63 6f 6c 6f 67 79 63 61 | m%2Cnyoncologyca
0290: 72 65 25 34 30 61 6f 6c 25 32 45 63 6f 6d 25 32 | re%40aol%2Ecom%2
02a0: 43 68 6a 6b 61 68 6c 25 34 30 61 6f 6c 25 32 45 | Chjkahl%40aol%2E
02b0: 63 6f 6d 25 32 43 66 72 6f 67 67 79 62 69 6b 65 | com%2Cfroggybike
02c0: 72 25 34 30 61 6f 6c 25 32 45 63 6f 6d 25 32 43 | r%40aol%2Ecom%2C
02d0: 74 65 68 37 34 34 25 34 30 61 6f 6c 25 32 45 63 | teh744%40aol%2Ec
02e0: 6f 6d 25 32 43 6a 72 6f 62 69 74 35 33 35 32 25 | om%2Cjrobit5352%
02f0: 34 30 61 6f 6c 25 32 45 63 6f 6d 25 32 43 64 6a | 40aol%2Ecom%2Cdj
0300: 61 63 65 31 32 25 34 30 61 6f 6c 25 32 45 63 6f | ace12%40aol%2Eco
0310: 6d 25 32 43 74 61 64 37 32 38 25 34 30 61 6f 6c | m%2Ctad728%40aol
0320: 25 32 45 63 6f 6d 25 32 43 71 75 65 77 77 74 25 | %2Ecom%2Cquewwt%
0330: 34 30 61 6f 6c 25 32 45 63 6f 6d 25 32 43 77 61 | 40aol%2Ecom%2Cwa
0340: 73 74 65 64 34 35 36 33 25 34 30 61 6f 6c 25 32 | sted4563%40aol%2
0350: 45 63 6f 6d 25 32 43 72 75 6d 6d 79 72 25 34 30 | Ecom%2Crummyr%40
0360: 61 6f 6c 25 32 45 63 6f 6d 25 32 43 6a 6f 68 6e | aol%2Ecom%2Cjohn
0370: 61 63 6b 69 6e 67 31 25 34 30 61 6f 6c 25 32 45 | acking1%40aol%2E
0380: 63 6f 6d 25 32 43 63 75 72 65 36 30 32 25 34 30 | com%2Ccure602%40
0390: 61 6f 6c 25 32 45 63 6f 6d 25 32 43 62 6f 62 77 | aol%2Ecom%2Cbobw
03a0: 37 33 25 34 30 61 6f 6c 25 32 45 63 6f 6d 25 32 | 73%40aol%2Ecom%2
<snip>
3b80: 6f 75 74 65 72 73 2e 63 6f 6d 26 70 68 6f 6e 65 | outers.com&phone
3b90: 3d 66 72 65 64 64 79 38 30 38 40 77 77 77 2e 72 | =freddy808 at ...10708...
3ba0: 6f 75 74 65 72 73 2e 63 6f 6d 26 66 61 78 3d 66 | outers.com&fax=f
3bb0: 72 65 64 64 79 38 30 38 40 77 77 77 2e 72 6f 75 | reddy808 at ...10709...
3bc0: 74 65 72 73 2e 63 6f 6d 26 65 6d 61 69 6c 3d 66 | ters.com&email=f
3bd0: 72 65 64 64 79 38 30 38 40 77 77 77 2e 72 6f 75 | reddy808 at ...10709...
3be0: 74 65 72 73 2e 63 6f 6d 26 52 31 3d 53 65 61 72 | ters.com&R1=Sear
3bf0: 63 68 20 45 6e 67 69 6e 65 26 45 6e 67 69 6e 65 | ch Engine&Engine
3c00: 4e 61 6d 65 3d 66 72 65 64 64 79 38 30 38 40 77 | Name=freddy808 at ...10710...
3c10: 77 77 2e 72 6f 75 74 65 72 73 2e 63 6f 6d 26 52 | ww.routers.com&R
3c20: 31 3d 53 61 6c 65 73 20 42 72 6f 63 68 75 72 65 | 1=Sales Brochure
3c30: 26 52 31 3d 52 65 66 65 72 72 61 6c 26 52 31 3d | &R1=Referral&R1=
3c40: 41 72 74 69 63 6c 65 26 52 31 3d 4f 74 68 65 72 | Article&R1=Other
3c50: 26 4f 74 68 65 72 32 3d 66 72 65 64 64 79 38 30 | &Other2=freddy80
3c60: 38 40 77 77 77 2e 72 6f 75 74 65 72 73 2e 63 6f | 8 at ...10711...
3c70: 6d 26 3d 26 3d 53 65 6e 64                      | m&=&=Send
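Decoding the form body in the capture makes the mechanism clear: the `name` field begins with `%0A` (a newline) followed by `To:`, `From:` and `bcc:` lines, so whatever mail header the CGI script builds from `name` is terminated and the spammer's own headers, with a long `bcc:` list, are appended. The script below is an added example, not code from the original post or from the request2.cgi script it describes; it decodes a form body, reports any field whose decoded value breaks onto a new line that starts with a mail header name, and shows the check the CGI script should apply before placing a field in a header. The sample bodies are constructed from the fields visible in the dump above and are not the full 15227-byte capture.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample body, assembled from the form fields visible in the
# capture (not the full 15227-byte body). The injected lines live in the
# "name" field: %0A is a newline, %3A a colon, %40 an "@", %2C a comma.
INJECTED_BODY = (
    "nhc=Banking+Assessment&bl=Net+Performance&fra=NetDocs"
    "&OtherInfo=freddy808%40www.routers.com"
    "&name=%0ATo%3A+freddy808%40www%2Erouters%2Ecom"
    "%0AFrom%3A+AdobePhotoshop70561%40quik%2Ecom"
    "%0Abcc%3A+ytkd4%40aol%2Ecom%2Cbecknatalie%40aol%2Ecom%2Cveritash%40aol%2Ecom"
    "&email=freddy808%40www.routers.com&=&=Send"
)

# Constructed benign submission of the same form, for contrast.
BENIGN_BODY = "nhc=Banking+Assessment&name=Jane+Doe&email=jane%40example.com&=Send"

# Header names a form-to-mail script never expects inside a field value.
HEADER_LINE = re.compile(
    r"^[ \t]*(to|cc|bcc|from|subject|content-type)[ \t]*:[ \t]*(.*)$", re.I)


def header_lines(value):
    """Return (header, value) pairs found after a line break in a field value.

    Text before the first line break is never flagged: a field whose whole
    value is "From: my point of view" is not an injection, one that breaks
    out of its line and starts a new header is.
    """
    if "\r" not in value and "\n" not in value:
        return []
    normalized = value.replace("\r\n", "\n").replace("\r", "\n")
    found = []
    for line in normalized.split("\n")[1:]:
        m = HEADER_LINE.match(line)
        if m:
            found.append((m.group(1).lower(), m.group(2)))
    return found


def find_header_injection(body):
    """Decode a URL-encoded form body and report injected mail headers per field."""
    findings = []
    for field, value in parse_qsl(body, keep_blank_values=True):
        for header, hval in header_lines(value):
            findings.append({"field": field, "header": header, "value": hval})
    return findings


def injected_recipients(findings):
    """Addresses the injected To/Cc/Bcc lines would deliver the message to."""
    addrs = []
    for f in findings:
        if f["header"] in ("to", "cc", "bcc"):
            addrs.extend(a.strip() for a in f["value"].split(",") if a.strip())
    return addrs


def is_safe_header_value(value):
    """The check a form-to-mail script should apply before putting a field in a
    mail header: refuse anything containing CR or LF, since a web form never
    needs a line break inside a header value."""
    return "\r" not in value and "\n" not in value


if __name__ == "__main__":
    for label, body in (("captured", INJECTED_BODY), ("benign", BENIGN_BODY)):
        hits = find_header_injection(body)
        print(f"{label}: {len(hits)} injected header(s), "
              f"{len(injected_recipients(hits))} recipient(s)")
        for h in hits:
            print(f"  field={h['field']!r} header={h['header']} "
                  f"value={h['value'][:60]!r}")
```

Run on the captured body this reports three injected headers in the `name` field (`to`, `from`, `bcc`) and four recipients; the benign body reports none. For the rule in question 3, the same decoding suggests a stronger anchor than packet length: an encoded line break immediately followed by a header name in the request body, such as `%0Abcc%3A` matched case-insensitively, which a legitimate submission of this form would not contain.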