Comments on When {Puffy} Meets ^RedDevil^: Snort - Rule Writing
Blog author: C.S.Lee (comment feed, 6 comments; feed last updated 2024-02-19)

Joel Esler, 2006-05-05 04:14 (+08:00):

Besides the fact that it makes it easier to read. ;)

Small correction Geek...

You use "rawbytes" in the rule. If you use rawbytes it gets this data from the global DecodeBuffer. The only thing that writes to the global DecodeBuffer is the telnet preprocessor. Therefore, you don't need it at all (unless you are analyzing telnet traffic, which you aren't).

On a second note, anytime you are going to do a content match for a metacharacter that you would have to escape inside of a content buffer, it's good to specify the hex equivalent (those characters are : ; \ and "). However, since cmd.exe is being looked for in the URI, the http_inspect preproc will decode that for ya. So uricontent:"cmd.exe"; nocase; would be appropriate. It prevents obfuscation and it keeps your sanity.

C.S.Lee, 2006-05-05 08:28 (+08:00):

joel,

Thanks for the comment :). It is always nice to hear from you.

Anonymous, 2006-05-09 00:20 (+08:00):

geek00l,

thanks for your reply. I understand that, especially the payload part, but... let's say that the attacker is really using HEX code to attack (e.g. in the URL). Let's assume this.

I have one vulnerable machine, and the attacker tries to get the passwd info. Rather than using this code:

http://vulnerable/index.php?file=etc/passwd

the attacker uses this code with hex:

http://vulnerable/%69%6e%64%65%78%2e%70%68%70%3f%66%69%6c%65%3d%65%74%63%2f%70%61%73%73%77%64

How does snort detect it? Is there any preprocessor inside snort to translate it?

Anonymous, 2006-05-09 00:31 (+08:00):

thanks for your explanation.

C.S.Lee, 2006-05-09 14:12 (+08:00):

sputera,

You don't have to worry about that part; if you are talking about unicode stuff, the http normalization will do it all for you.

t3chamngoan, 2011-05-31 22:21 (+08:00):

So, in my assignment I have to detect a request for a webpage containing "Exam" in the title tag. I found out that the html code is encoded with gzip and then sent. I used rawbytes but it didn't work. Can you please help me in this case?