Saturday, March 29, 2008

Pads: Nginx Sig

I read about misuse of the nginx web/proxy server in Emerging Threats here. Jonkman has added the Snort signature for it, but I think I can write the Pads signature for it. After some testing, it seems I have the signature written and it works pretty well. Here it is -

www,v/Nginx/$1//,\x0d\x0aServer: nginx\/([\S]+)\x0d\x0a
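To show what the three comma-separated fields of that line do (service name, version template with $1 substitution, and the PCRE that captures the version), here is a small Python matcher. This is an added example, not code from the post or from Pads itself; Pads is a C program using PCRE, and this only mimics its signature layout. The two HTTP responses are constructed samples, and the way the vendor/version pair is turned into a label is an assumption rather than Pads's own rendering.

```python
import re

# The signature from the post, as one line of the pads-signature-list.
# Field layout (comma separated): service, version template, PCRE pattern.
NGINX_SIG = r"www,v/Nginx/$1//,\x0d\x0aServer: nginx\/([\S]+)\x0d\x0a"

# Constructed sample responses (not real captures): one from nginx, one not.
NGINX_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/0.5.26\r\n"
    "Date: Sat, 29 Mar 2008 10:00:00 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Content-Encoding: gzip\r\n"
    "\r\n"
)
OTHER_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.8 (Unix)\r\n"
    "\r\n"
)


def parse_signature(line):
    """Split a Pads signature line into its three fields.

    Only the first two commas are separators; the PCRE part may contain
    commas of its own (e.g. in {n,m} quantifiers), hence split(",", 2).
    Python's re understands the \\xhh escapes Pads uses for CR and LF.
    """
    service, version_template, pattern = line.split(",", 2)
    return service, version_template, re.compile(pattern)


def expand_template(template, match):
    """Replace $1, $2 ... in the 'v/vendor/version/info/' template with the
    corresponding capture groups and split it into vendor, version, info."""
    expanded = re.sub(
        r"\$(\d+)",
        lambda m: match.group(int(m.group(1))) or "",
        template,
    )
    # 'v/Nginx/0.5.26//' -> ['v', 'Nginx', '0.5.26', '', '']
    parts = expanded.split("/")
    return parts[1], parts[2], parts[3]


def identify(payload, sig_line=NGINX_SIG):
    """Return (service, vendor, version, info) when the signature matches
    the response text, otherwise None (the asset stays unidentified)."""
    service, template, regex = parse_signature(sig_line)
    m = regex.search(payload)
    if not m:
        return None
    vendor, version, info = expand_template(template, m)
    return service, vendor, version, info


if __name__ == "__main__":
    for resp in (NGINX_RESPONSE, OTHER_RESPONSE):
        hit = identify(resp)
        if hit:
            service, vendor, version, _ = hit
            # Label format is an assumption, chosen to resemble the Pads output.
            print(f"Service - {service} / Application - {vendor.lower()}/{version}")
        else:
            print("no nginx signature match")
```

Note that the pattern anchors on the CRLF before and after the Server header, so a bare "nginx" string elsewhere in the reply does not fire; it still only sees what the server chooses to advertise, so a stripped or forged Server header leaves the asset unlabelled.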

I added this signature to pads-signature-list, then ran Pads -

shell>sudo pads -i le0 -n -c pads.conf
pads - Passive Asset Detection System
v1.2 - 06/17/05
Matt Shelton

[-] Filter: (null)
[-] Listening on interface eth1

[*] Asset Found: IP Address - / MAC Address - 0:1B:77:5B:F4:3F
[*] Asset Found: Port - 80 / Host - / Service - www / Application - nginx/0.5.26

It is able to track the version of nginx that I run as well; this is pretty useful if you discover there's an nginx server running in your network. One interesting thing I have figured out is that nginx supports gzip encoding, so you can't see the web contents in plain text, and this may be one of the reasons why it is used by the blackhats.

Cheers (;])


Shirkdog said...

Find a vendor who can actually process gzipped encoded web traffic, and not just what they have printed on paper that says they can.