Paul,
That may be all there is in the packet. Try running Snort in packet
dump mode (or tcpdump) along side Snort at the same time these
packets are alerting your IDS. Make sure you have snaplen set to 0 (-
s 0), and then compare the two.
That may be all there is.
Snort captures the full snaplen of the packet by default, so unless
you want to use tag to get the whole session, whatever is in the
alert, is what it is in the packet.
J
On Feb 14, 2006, at 5:20 PM, Paul Schmehl wrote:
--On Tuesday, February 14, 2006 15:53:02 -0600 Paul Schmehl
<pauls@utdallas.edu> wrote:
No, I want to capture more of the same packet. Not the entire
conversation.
Apparently I can't communicate. Let's try this again.
Here's the portion of the rule that captures packet content:
content:"{a 16 digit number goes here}"; content:"pass";
Here's the last portion of a packet:
1d0 : 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 35 ontent-
Length: 5
1e0 : 36 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B
6..Connection: K
1f0 : 65 65 70 2D 41 6C 69 76 65 0D 0A 43 61 63 68 65 eep-
Alive..Cache
200 : 2D 43 6F 6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 -Control:
no-cac
210 : 68 65 0D 0A 0D 0A 75 72 6C 3D 25 35 45 55 26 75 he....url=%
5EU&u
220 : 73 65 72 3D 36 30 33 36 37 39 30 30 30 30 33 30
ser=603679000030
230 : 31 31 32 30 26 70 61 73 73 3D 26 53 55 42 4D 49
1120&pass=&SUBMI
240 : 54 3D 53 75 62 6D 69 74 2B 51 75 65 72 79 0D 0A T=Submit
+Query..
As you can see, only one additional line of data is captured after
pass=.
I'd like to capture more of the packet, so that I can see exactly
what the attackers are trying to do - is this a sql overflow
attempt? Some sort of sql query? Something else?
Here's another packet that had a bit more info:
Cont
1c0 : 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 31 33 33 0D ent-Length:
133.
1d0 : 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65
65 .Connection: Kee
1e0 : 70 2D 41 6C 69 76 65 0D 0A 43 61 63 68 65 2D 43 p-
Alive..Cache-C
1f0 : 6F 6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 68 65 ontrol: no-
cache
200 : 0D 0A 0D 0A 75 72 6C 3D 25 35 45 55 26 75 73 65 ....url=%
5EU&use
210 : 72 3D 36 30 33 36 37 39 30 30 30 30 33 30 31 31
r=60367900003011
220 : 32 30 26 70 61 73 73 3D 73 6D 69 74 68 26 53 55
20&pass=smith&SU
230 : 42 4D 49 54 3D 25 32 36 25 32 33 32 35 35 35 32 BMIT=%26%
2325552
240 : 25 33 42 25 32 36 25 32 33 32 30 31 33 32 25 33 %3B%26%
2320132%3
250 : 42 25 32 36 25 32 33 32 36 35 39 37 25 33 42 25 B%26%
2326597%3B%
260 : 32 36 25 32 33 33 35 38 31 30 25 33 42 25 32 36 26%2335810%
3B%26
270 : 25 32 33 32 30 38 36 39 25 33 42 25 32 36 25 32 %2320869%3B%
26%2
280 : 33 32 33 34 38 31 25 33 42 0D 0A 323481%3B..
So, I'd like to capture the entire query, but not all of them will
have the SUBMIT after pass=.
Does that clarify sufficiently?
I thought maybe distance would do it, but I'm not sure.
content:"blah"; content:"pass"; distance:4,relative; ??
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through
log files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD
SPLUNK!
http://sel.as-us.falkag.net/sel?
cmd=lnk&kid=103432&bid=230486&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
