[Snort-users] Fwd: How to detect OS with Snort?

Borja Luaces borja.luaces at ...11827...
Wed May 9 06:51:46 EDT 2012


Hello all,

This is a burp capture of the post request that the phisher could be using
(this one has been created in a lab environment).

As you can see, in the User-Agent field, we can find the OS that is
supposed to be in use.

POST /DFAUTH/slod/validaENOB.jsp HTTP/1.1
Host: XXXXXX
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101
Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer:XXXXXX/local_enob/index-nico.html
Cookie: PD_STATEFUL_f8965e46-de88-11e0-a137-0050568e208f=%2FENOB;
PD-S-SESSION-ID=2_otTvVkNKOexXvR3-MevmOq3Lj04OyrUUHpXwWCmEjhy4KfIv
Content-Type: application/x-www-form-urlencoded
Content-Length: 132

origen=enob&eai_tipoCP=up&eai_URLDestino=&idioma=CAS&iconizable=N&eai_user=test_user&eai_password=test_p&selProductos=posicionGlobal

The idea is to launch an alert using that parameter.

This is why I tried the rule:

alert tcp any any -> any any (msg:""; content:"Windows NT"; ...)

but it seems not to work.

I do not know if this could help a bit more.

Thanks for your time

-- 
Borja Luaces Altares
Administrador/Analista de Sistemas (MCSE Security,C|EH & CSSA)
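As an added example (not code from the original post or from the Snort project), the detection idea in the message implemented in Python: parse the header block of a raw HTTP request, classify the OS claimed in User-Agent, and emulate a plain `content:` substring match to show why the rule quoted above, which looks for "Windows NT", cannot fire on a capture whose User-Agent says Linux. The two sample requests, the host and the credential values are constructed placeholders.

```python
"""Classify the client OS claimed in an HTTP request's User-Agent header.

Constructed example; the requests below are made up. The first mirrors the
shape of the capture in the thread with placeholder host and credentials.
"""
import re

LINUX_REQUEST = (
    "POST /DFAUTH/slod/validaENOB.jsp HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "eai_user=PLACEHOLDER&eai_password=PLACEHOLDER"
)
WINDOWS_REQUEST = (
    "POST /DFAUTH/slod/validaENOB.jsp HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0\r\n"
    "\r\n"
)

# Ordered (pattern, label) pairs; the first match wins.
OS_PATTERNS = [
    (re.compile(r"Windows NT [\d.]+"), "windows"),
    (re.compile(r"Android"), "android"),   # before Linux: Android UAs also contain "Linux"
    (re.compile(r"Linux"), "linux"),
    (re.compile(r"Mac OS X"), "macos"),
]


def parse_headers(raw):
    """Return {lower-case name: value} for the header block of a raw HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def classify_os(raw):
    """Return the OS label claimed by User-Agent, or 'unknown' if none matches."""
    ua = parse_headers(raw).get("user-agent", "")
    for pattern, label in OS_PATTERNS:
        if pattern.search(ua):
            return label
    return "unknown"


def content_match(raw, needle):
    """Emulate Snort's plain content:"needle" check: a substring search over the whole request."""
    return needle in raw
```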