[Snort-users] Fwd: How to detect OS with Snort?

Borja Luaces borja.luaces at ...11827...
Wed May 9 11:37:46 EDT 2012


Of course test_user and test_p are not the credentials :P

Those are just for the capture.


On Wed, May 9, 2012 at 4:28 PM, Paul Schmehl <pschmehl_lists at ...14358...>wrote:

> If those are his authentication credentials, it hardly matters if he posts
> them publicly or not.
>
> --On May 9, 2012 12:19:14 PM +0100 Peter Bates <peter.bates at ...15381...>
> wrote:
>
> >
> >
> > Hello all
> >
> > On 09/05/2012 11:51, Borja Luaces wrote:
> >> origen=enob&eai_tipoCP=up&eai_URLDestino=&idioma=CAS&iconizable=N&eai_user=test_user&eai_password=test_p&selProductos=posicionGlobal
> >>
> >> The idea is to launch an alert using that parameter.
> >>
> >> This is why I tried the rule:
> >>
> >> alert tcp any any -> any any (msg:""; content:"Windows NT"; ...)
> >>
> >> but it seems not to work.
> >
> > Just to clarify, you're posting authentication details in the clear,
> > here?
> >
> > Is the Snort sensor actually running on the website that you are
> > monitoring?
> >
> > --
> > Peter Bates
> > Senior Computer Security Officer    Phone: +44(0)2076792049
> > Information Services Division     Internal Ext: 32049
> > University College London
> > London WC1E 6BT
> >
> >
> > -------------------------------------------------------------------------
> > ----- Live Security Virtual Conference
> > Exclusive live event will cover all the ways today's security and
> > threat landscape has changed and how IT managers can respond. Discussions
> > will include endpoint security, mobile security and the latest in malware
> > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
>
>
>
> --
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> "It is as useless to argue with those who have
> renounced the use of reason as to administer
> medication to the dead." Thomas Jefferson
> "There are some ideas so wrong that only a very
> intelligent person could believe in them." George Orwell
>
>



-- 
Borja Luaces Altares
Administrador/Analista de Sistemas (MCSE Security,C|EH & CSSA)
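The rule quoted above (`alert tcp any any -> any any (msg:""; content:"Windows NT"; ...)`) is incomplete as posted: it has an empty msg, no sid/rev, no flow restriction, and a bare content match that Snort would test against every TCP payload in both directions, not just HTTP request headers. The following is an added example, not a rule from the thread or from the Snort project, written in Snort 2.9 syntax; it assumes the usual snort.conf variables ($HOME_NET, $EXTERNAL_NET, $HTTP_PORTS), and the msg text and sid 1000001 are placeholder values chosen for this example.

```snort
# Added example (not from the thread): alert when an HTTP client sends a
# User-Agent header claiming Windows NT. Direction assumes the sensor sits in
# front of the monitored website, so clients arrive from $EXTERNAL_NET; if the
# sensor watches outbound browsing instead, swap $EXTERNAL_NET and $HOME_NET.
# msg text and sid 1000001 are placeholders for this example.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"EXAMPLE HTTP client User-Agent reports Windows NT"; \
    flow:to_server,established; \
    content:"User-Agent|3A| "; http_header; nocase; \
    content:"Windows NT"; http_header; nocase; \
    classtype:misc-activity; \
    sid:1000001; rev:1; \
)
```

The http_header modifier restricts both content matches to the normalized HTTP header buffer, and flow:to_server,established keeps the rule off server responses. Validate the configuration with `snort -T -c snort.conf` before loading it, and bear in mind that the rule can only fire if the sensor actually sees the client traffic in the clear (the question Peter raised); a TLS-only site or a sensor on the wrong segment will never match. The User-Agent header is also client-supplied, so what this detects is what the browser claims, which is indicative of the operating system rather than proof of it. Snort 3 uses sticky buffers (`http_header;` placed before the content it applies to), so the option layout differs there.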