--On Tuesday, February 14, 2006 15:53:02 -0600 Paul Schmehl
<pauls@utdallas.edu> wrote:
No, I want to capture more of the same packet. Not the entire
conversation.
Apparently I can't communicate. Let's try this again.
Here's the portion of the rule that captures packet content:
content:"{a 16 digit number goes here}"; content:"pass";
Here's the last portion of a packet:
1d0 : 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 35 ontent-Length: 5
1e0 : 36 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 6..Connection: K
1f0 : 65 65 70 2D 41 6C 69 76 65 0D 0A 43 61 63 68 65 eep-Alive..Cache
200 : 2D 43 6F 6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 -Control: no-cac
210 : 68 65 0D 0A 0D 0A 75 72 6C 3D 25 35 45 55 26 75 he....url=%5EU&u
220 : 73 65 72 3D 36 30 33 36 37 39 30 30 30 30 33 30 ser=603679000030
230 : 31 31 32 30 26 70 61 73 73 3D 26 53 55 42 4D 49 1120&pass=&SUBMI
240 : 54 3D 53 75 62 6D 69 74 2B 51 75 65 72 79 0D 0A T=Submit+Query..
As you can see, only one additional line of data is captured after pass=.
I'd like to capture more of the packet, so that I can see exactly what the
attackers are trying to do - is this a sql overflow attempt? Some sort of
sql query? Something else?
Here's another packet that had a bit more info:
Cont
1c0 : 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 31 33 33 0D ent-Length: 133.
1d0 : 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 .Connection: Kee
1e0 : 70 2D 41 6C 69 76 65 0D 0A 43 61 63 68 65 2D 43 p-Alive..Cache-C
1f0 : 6F 6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 68 65 ontrol: no-cache
200 : 0D 0A 0D 0A 75 72 6C 3D 25 35 45 55 26 75 73 65 ....url=%5EU&use
210 : 72 3D 36 30 33 36 37 39 30 30 30 30 33 30 31 31 r=60367900003011
220 : 32 30 26 70 61 73 73 3D 73 6D 69 74 68 26 53 55 20&pass=smith&SU
230 : 42 4D 49 54 3D 25 32 36 25 32 33 32 35 35 35 32 BMIT=%26%2325552
240 : 25 33 42 25 32 36 25 32 33 32 30 31 33 32 25 33 %3B%26%2320132%3
250 : 42 25 32 36 25 32 33 32 36 35 39 37 25 33 42 25 B%26%2326597%3B%
260 : 32 36 25 32 33 33 35 38 31 30 25 33 42 25 32 36 26%2335810%3B%26
270 : 25 32 33 32 30 38 36 39 25 33 42 25 32 36 25 32 %2320869%3B%26%2
280 : 33 32 33 34 38 31 25 33 42 0D 0A 323481%3B..
So, I'd like to capture the entire query, but not all of them will have the
SUBMIT after pass=.
Does that clarify sufficiently?
I thought maybe distance would do it, but I'm not sure.
content:"blah"; content:"pass"; distance:4,relative; ??
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
