[Snort-users] Fwd: How to detect OS with Snort?
kevross33 at ...14012...
Wed May 9 07:20:23 EDT 2012
If it is indeed the user agent you want to detect then do:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Inbound Windows User Agent Detected"; flow:established,to_server; content:"Windows NT"; nocase; http_header; classtype:bad-unknown; sid:191001; rev:1;)
Now this signature should detect the Windows XP user agent accurately,
depending on your sensor placement (are you monitoring the inside or outside
interface of a firewall?), your snort configuration, and whether you can see the
traffic (if it is IDS you need to SPAN the port to see the traffic etc). Run
snort -dev -i YOURINTERFACE or, if you have tcpdump, just tcpdump -i
YOURINTERFACE to check that you can see the traffic. Hope this helps you a bit.
On 9 May 2012 11:51, Borja Luaces <borja.luaces at ...11827...> wrote:
> Hello all,
> This is a burp capture of the post request that the phisher could be using
> (this one has been created in a lab environment).
> As you can see, in the User-Agent field, we can find the OS that is
> supposedly being used.
> POST /DFAUTH/slod/validaENOB.jsp HTTP/1.1
> Host: XXXXXX
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
> Accept-Encoding: gzip, deflate
> DNT: 1
> Connection: keep-alive
> Cookie: PD_STATEFUL_f8965e46-de88-11e0-a137-0050568e208f=%2FENOB;
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 132
> The idea is to launch an alert using that parameter.
> This is why I tried the rule:
> alert tcp any any -> any any (msg:""; content:"Windows NT"; ...)
> but it seems not to work.
> I do not know if this could help a bit more.
> Thanks for your time
> Borja Luaces Altares
> Systems Administrator/Analyst (MCSE Security, C|EH & CSSA)
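The two rule modifiers the reply adds, nocase and http_header, are the difference between the rule that "seems not to work" and one that fires reliably. The script below is an added example, not code from either poster or from Snort: it splits a raw HTTP request into headers and body, looks for the OS hint only in the User-Agent header (what http_header restricts the match to) with a case-insensitive pattern (what nocase does), and contrasts that with a bare case-sensitive substring search over the whole payload. The two requests are constructed for this example, modelled on the POST quoted above; the Host value, the body fields and the helper names are all made up here.

```python
import re

# Constructed sample requests (not captures from the thread), modelled on the
# POST shown in the original message. Host and body values are placeholders.
# This one is the Linux user agent from the post; the body deliberately
# contains the string "Windows NT" to show a body-only false positive.
SAMPLE_LINUX = (
    "POST /DFAUTH/slod/validaENOB.jsp HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 21\r\n"
    "\r\n"
    "note=Windows NT rocks"
)

# A Windows client with a lower-cased token, to show why nocase matters.
SAMPLE_WINDOWS = (
    "POST /DFAUTH/slod/validaENOB.jsp HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: Mozilla/5.0 (windows nt 5.1; rv:12.0) Gecko/20100101\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 21\r\n"
    "\r\n"
    "user=test&pass=secret"
)

# OS hints to look for in the User-Agent, each the equivalent of
# content:"..."; nocase; in a Snort rule. Labels are ours, not Snort's.
OS_PATTERNS = [
    ("Windows", re.compile(r"windows nt", re.I)),
    ("Linux", re.compile(r"linux", re.I)),
    ("Mac OS X", re.compile(r"mac os x", re.I)),
]


def split_request(raw: str):
    """Split a raw HTTP/1.1 request into (request line, headers dict, body).

    Header names are lower-cased because HTTP header names are
    case-insensitive; values keep their original case.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def detect_os(raw: str):
    """Return the OS label matched in the User-Agent header, or None.

    Only the header section is inspected, which mirrors what the http_header
    modifier does for the content match: a matching string that appears only
    in the body (a form field, say) does not count.
    """
    _, headers, _ = split_request(raw)
    user_agent = headers.get("user-agent", "")
    for label, pattern in OS_PATTERNS:
        if pattern.search(user_agent):
            return label
    return None


def naive_match(raw: str, needle: str = "Windows NT") -> bool:
    """Case-sensitive substring search over the whole payload.

    This is what content:"Windows NT" does without nocase and http_header:
    it misses a lower-cased token and it fires on the body as readily as on
    the headers.
    """
    return needle in raw


if __name__ == "__main__":
    for name, sample in (("linux", SAMPLE_LINUX), ("windows", SAMPLE_WINDOWS)):
        print(name, "header-based:", detect_os(sample),
              "naive:", naive_match(sample))
```

Running it shows the two failure modes side by side: the naive search flags the Linux request (because of the body) and misses the lower-cased Windows request, while the header-scoped, case-insensitive check labels each one correctly. On a real sensor the same logic is carried by the rule's nocase and http_header keywords, and the sample requests here stand in for the traffic you would confirm is visible with tcpdump first.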