[Snort-users] Fwd: How to detect OS with Snort?

Kevin Ross kevross33 at ...14012...
Wed May 9 07:20:23 EDT 2012

If is is indeed user agent you want to detect then do:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVER $HTTP_PORTS (msg:"Inbound
Windows User Agent Detected"; flow:established,to_server; content:"Windows
NT"; nocase; http_header;
classtype:bad-unknown; sid:191001; rev:1;)

Now this signature should detect the Windows XP user agent accurately
depending on your sensor placement (are you monitoring inside or outside
interface of a firewall?), your snort configuration, if you can see the
traffic (if it is IDS you need to SPAN the port to see the traffic etc). If
you do snort -dev -i YOURINTERFACE or if you have tcpdump just tcpdump -i
YOURINTERFACE to check you can see the traffic. Hope this helps you a bit.

Kind Regards,
Kevin Ross

On 9 May 2012 11:51, Borja Luaces <borja.luaces at ...11827...> wrote:

> Hello all,
> This is a burp capture of the post request that the phisher could be using
> (this one has been created in a lab environment).
> As you can see, in the User-Agent field, we can find the OS that is
> supossed to be using.
> POST /DFAUTH/slod/validaENOB.jsp HTTP/1.1
> Host: XXXXXX
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101
> Firefox/12.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
> Accept-Encoding: gzip, deflate
> DNT: 1
> Connection: keep-alive
> Referer:XXXXXX/local_enob/index-nico.html
> Cookie: PD_STATEFUL_f8965e46-de88-11e0-a137-0050568e208f=%2FENOB;
> PD-S-SESSION-ID=2_otTvVkNKOexXvR3-MevmOq3Lj04OyrUUHpXwWCmEjhy4KfIv
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 132
> origen=enob&eai_tipoCP=up&eai_URLDestino=&idioma=CAS&iconizable=N&eai_user=test_user&eai_password=test_p&selProductos=posicionGlobal
> The idea is launch an alert using that parameter.
> This is why I tried the rule:
> alert tcp any any -> any any (msg:""; content:"Windows NT"; ...)
> but seems no to work.
> I don not know if this could help a bit more.
> Thanks for your time
> --
> Borja Luaces Altares
> Administrador/Analista de Sistemas (MCSE Security,C|EH & CSSA)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120509/d27b85e4/attachment.html>

More information about the Snort-users mailing list