
From: Francis Trudeau <ftrudeau-KR6O7HwU5NEm7effSn6vN9HuzzzSOjJt <at> public.gmane.org>
Subject: Re: warn The Moon sig not work ?
Newsgroups: gmane.comp.security.ids.snort.emerging-sigs
Date: Monday 17th February 2014 17:45:37 UTC (over 4 years ago)
One of our guys wrote this last week.

It is likely he was working off this:

http://www.sourcesec.com/Lab/dlink_hnap_captcha.pdf

In that PDF, the initial HNAP1 request doesn't have these fields.

I will talk to him and see what his thoughts were.

ft


On Mon, Feb 17, 2014 at 8:04 AM, rmkml wrote:

> Hi,
>
> Could you check if this sig works, please?
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM
> TheMoon.linksys.router 1"; flow:to_server,established; urilen:7;
> content:"GET"; http_method; content:"/HNAP1/"; http_uri;
> content:!"User-Agent|3a| "; nocase; http_header; content:!"Accept|3a| ";
> nocase; http_header; content:!"Referer|3a| "; nocase; http_header;
> pcre:"/Host\x3a (?:[0-9]{1,3}\.){3}[0-9]{1,3}/H"; reference:url,
> isc.sans.edu/forums/diary/Linksys+Worm+Captured/17630;
> classtype:trojan-activity; sid:2018131; rev:1;)
>
> because User-Agent and Referer exist on The Moon request...
>
> Regards
> @Rmkml
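As an added illustration (not code from the thread or from Emerging Threats), the function below approximates the signature's content checks in plain Python and runs them against two constructed requests: one shaped like the bare initial HNAP1 request in the PDF, and one carrying the User-Agent and Referer headers rmkml says TheMoon sends. The http_* buffers and Snort's normalized header buffer are simplified to string tests on the raw header block.

```python
import re

# Constructed sample requests (not captures from the thread). The first has no
# User-Agent/Accept/Referer; the second carries the headers rmkml mentions.
REQ_BARE = (
    "GET /HNAP1/ HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    "\r\n"
)
REQ_WITH_UA_REFERER = (
    "GET /HNAP1/ HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    "User-Agent: example-agent\r\n"
    "Referer: http://192.0.2.1/\r\n"
    "\r\n"
)

# Same pattern as the rule's pcre (case-sensitive, no /i flag).
HOST_IP_RE = re.compile(r"Host\x3a (?:[0-9]{1,3}\.){3}[0-9]{1,3}")


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, uri, header_block)."""
    head, _, _ = raw.partition("\r\n\r\n")
    request_line, _, header_block = head.partition("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    return method, uri, header_block


def sid_2018131_matches(raw: str) -> bool:
    """Approximate sid:2018131's content/pcre checks; True means 'would alert'."""
    method, uri, headers = parse_request(raw)
    lowered = headers.lower()  # the negated header contents use 'nocase'
    return (
        method == "GET"                              # content:"GET"; http_method
        and uri == "/HNAP1/" and len(uri) == 7       # http_uri content + urilen:7
        and "user-agent: " not in lowered            # content:!"User-Agent|3a| "
        and "accept: " not in lowered                # content:!"Accept|3a| "
        and "referer: " not in lowered               # content:!"Referer|3a| "
        and HOST_IP_RE.search(headers) is not None   # pcre on the header buffer
    )
```

Note that the negated contents include the space after the colon, so a header written as `User-Agent:foo` with no space would not suppress the alert.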