[Snort-users] Fwd: How to detect OS with Snort?

Paul Schmehl pschmehl_lists at ...14358...
Wed May 9 10:28:01 EDT 2012


If those are his authentication credentials, it hardly matters if he posts 
them publicly or not.

--On May 9, 2012 12:19:14 PM +0100 Peter Bates <peter.bates at ...15381...> 
wrote:

>
> Hello all
>
> On 09/05/2012 11:51, Borja Luaces wrote:
>> origen=enob&eai_tipoCP=up&eai_URLDestino=&idioma=CAS&iconizable=N&eai_user=test_user&eai_password=test_p&selProductos=posicionGlobal
>>
>> The idea is to launch an alert using that parameter.
>>
>> This is why I tried the rule:
>>
>> alert tcp any any -> any any (msg:""; content:"Windows NT"; ...)
>>
>> but it seems not to work.
>
> Just to clarify, you're posting authentication details in the clear, here?
>
> Is the Snort sensor actually running on the website that you are
> monitoring?
>
> --
> Peter Bates
> Senior Computer Security Officer    Phone: +44(0)2076792049
> Information Services Division	    Internal Ext: 32049
> University College London
> London WC1E 6BT



-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell
