[Snort-users] Fwd: How to detect OS with Snort?

Borja Luaces borja.luaces at ...11827...
Wed May 9 06:51:46 EDT 2012

Hello all,

This is a burp capture of the post request that the phisher could be using
(this one has been created in a lab environment).

As you can see, in the User-Agent field, we can find the OS that is
supposed to be using.

POST /DFAUTH/slod/validaENOB.jsp HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Cookie: PD_STATEFUL_f8965e46-de88-11e0-a137-0050568e208f=%2FENOB;
Content-Type: application/x-www-form-urlencoded
Content-Length: 132


The idea is to launch an alert using that parameter.

This is why I tried the rule:

alert tcp any any -> any any (msg:""; content:"Windows NT"; ...)

but it seems not to work.

I do not know if this could help a bit more.

Thanks for your time

Borja Luaces Altares
Administrador/Analista de Sistemas (MCSE Security,C|EH & CSSA)
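Added example, not part of the post above and not Snort's own code: a small Python emulation of what a content match on the User-Agent header would see, so the rule's logic can be checked against the captured request before it is deployed. The captured request in the post carries a Linux User-Agent, so the example also constructs a Windows variant of the same request to show the match firing. The header parser, the OS token table, the second sample request and the helper names (parse_request, os_family, matches_rule, summarize) are assumptions made here for illustration; the Snort 2.9-style rule quoted in the docstring is the equivalent rule logic, not a rule taken from the post.

```python
"""Added example (not from the original post): emulate, in Python, what a
Snort content match on the User-Agent header would see, so the rule logic
can be checked against the captured request before it is deployed.

Assumptions (not from the post): the header parser, the OS token table and
the second sample request are constructed here for illustration.
"""

# Request headers taken from the post (body omitted; Content-Length is
# not enforced by this parser).
CAPTURED_REQUEST = (
    "POST /DFAUTH/slod/validaENOB.jsp HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "DNT: 1\r\n"
    "Connection: keep-alive\r\n"
    "Cookie: PD_STATEFUL_f8965e46-de88-11e0-a137-0050568e208f=%2FENOB;\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 132\r\n"
    "\r\n"
)

# Constructed variant: the same request as a Windows browser would send it.
WINDOWS_REQUEST = CAPTURED_REQUEST.replace(
    "(X11; Linux x86_64; rv:12.0)", "(Windows NT 6.1; WOW64; rv:12.0)")

# Ordered (substring, OS family) table; first match wins.  Constructed here,
# it is not an exhaustive list of User-Agent platform tokens.
OS_TOKENS = [
    ("Windows NT", "windows"),
    ("Android", "android"),
    ("Linux", "linux"),
    ("Macintosh", "macos"),
    ("iPhone", "ios"),
]


def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers dict).

    Header names are lower-cased so lookups are case-insensitive, as they
    are for HTTP itself.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def os_family(user_agent):
    """Map a User-Agent string to a coarse OS family, or None if unknown."""
    for token, family in OS_TOKENS:
        if token in user_agent:
            return family
    return None


def matches_rule(raw, os_token="Windows NT", path_fragment="/validaENOB.jsp"):
    """Emulate the intent of the rule in the post: alert on a POST to the
    login page whose User-Agent contains the given OS token.

    In Snort 2.9 syntax the same logic is roughly:
      alert tcp any any -> any any (msg:"Windows NT UA to validaENOB.jsp";
        flow:to_server,established; content:"POST"; http_method;
        content:"/validaENOB.jsp"; http_uri; content:"Windows NT"; http_header;
        nocase; sid:1000001; rev:1;)
    """
    method, path, headers = parse_request(raw)
    ua = headers.get("user-agent", "")
    return (method == "POST"
            and path_fragment in path
            and os_token.lower() in ua.lower())


def summarize(raw):
    """Return what an analyst would want logged for such a request."""
    method, path, headers = parse_request(raw)
    ua = headers.get("user-agent", "")
    return {"method": method, "path": path, "os": os_family(ua), "ua": ua}


if __name__ == "__main__":
    for label, req in [("captured", CAPTURED_REQUEST), ("windows", WINDOWS_REQUEST)]:
        print(label, summarize(req), "alert" if matches_rule(req) else "no alert")
```

Run as a script it prints the parsed summary of both requests and whether the "Windows NT" check fires; the captured Linux request does not match, the constructed Windows variant does, and passing os_token="Linux" matches the captured one. Restricting the rule to the POST method, the login URI and the header buffer keeps it from firing on every packet that happens to carry the string "Windows NT".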
