From: Nils Ulltveit-Moe (num_at_proseq.no)
Date: Mon Jan 27 2003 - 04:22:04 CST

    Hi

    Have any of you experienced "payload mixup" with Snort 1.9.0? In our
    case, it is the "ICMP redirect host" rule (SID 472) that seems to
    display strange payload. In the three cases below, it seems that
    telnet or HTTP sessions are mixed with HTTP traffic from another
    session as the content of the ICMP message:

    (The data is anonymised)

    Example 1:
    ----------
    ÿŽyE[NUL][STX][DC3]¿[NUL]q[ACK]¶YÕ͘YÿŽy[NUL]P[HT]‘,[FF]-aK6Ï8P[DLE]ù[EOT]æÜ[NUL][NUL]ft }.clsTableDataJustify{ BACKGROUND-COLOR: #eeeeee; FONT-WEIGHT: bold; TEXT-ALIGN: justify }.clsTableDataCenter{ BACKGROUND-COLOR: #eeeeee; FONT-WEIGHT: bold; TEXT-ALIGN: center }.clsTableTextTitle{ FONT-WEIGHT: bold; TEXT-ALIGN: left }.clsTableTextRight{ TEXT-ALIGN: right }.clsTableTextLeft{ TEXT-ALIGN: left }.clsTableTextJustify{ TEXT-ALIGN: justify }.clsTableDataColTitle{ COLOR: #333366; BACKGROUND-COLOR: #9999cc; FONT-SIZE: 11px; FONT-WEIGHT: bold; TEXT-ALIGN: left }.clsTableDataCol{ BACKGROUND-COL

    Example 2:
    ----------
    ÿŽyE[NUL][SOH]“[FF][FF][NUL]q[ACK]¾½Õ͘UÿŽy[NUL]P[HT]Ž[SO]K[NAK]dK+Ó<P[CAN]ù¢à´[NUL][NUL]HTTP/1.1 302 Object Moved[CR][LF]Location: http://xxx.xxx.com/redirect.asp?frmSiteStyleId=101234[CR][LF]Server: Microsoft-IIS/5.0[CR][LF]Content-Type: text/html[CR][LF]Content-Length: 186[CR][LF][CR][LF]<head><title>Document Moved</title></head>[LF]<body><h1>Object Moved</h1>This document may be found <a HREF="http://xxx.xxx.com/redirect.asp?frmSiteStyleId=101234">here</a></body>

    Example 3:
    ----------
     Doc A > GET /ddapp-images/blank.gif HTTP/1.1[CR][LF]
     Doc A > Accept: */*[CR][LF]
     Doc A > Referer: http://xxx.xxxxxxxxxxxx.com/[CR][LF]
     Doc A > Accept-Language: en-us[CR][LF]
     Doc A > Accept-Encoding: gzip, deflate[CR][LF]
     Doc A > User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)[CR][LF]
     Doc A > Host: xxx.xxxxxxxxxxxx.com[CR][LF]
     Doc A > Connection: Keep-Alive[CR][LF]
     Doc A > Cookie: XXXXXXXXXXXXXXXXXXXX=XXXXXXXXXXXXXXXXXXXXXXXX;
    Garbage> ckeCountryId=100[CR][LF][CR]lor:#4e4e4e}[CR][LF]
     Doc B > </style>[CR][LF]
     Doc B > [CR][LF]
     Doc B > <META NAME="ROBOTS" CONTENT="NOINDEX">[CR][LF]
     Doc B > [CR][LF]
     Doc B > <title>The page cannot be found</title>
     Doc B > [CR][LF]
     Doc B > [CR][LF]
     Doc B > <META HTTP-EQUIV="Content-Type" Content="text-html;
     Doc B > charset=Windows-1252">[CR][LF]
     Doc B > </head>[CR][LF]
     Doc B > [CR][LF]
     Doc B > <script>
     Doc B > [CR][LF]
     Doc B > function Homepage(){[CR][LF]
     Doc B > <!--[CR][LF]// in real bits, urlsget

    Here two documents are mixed together, with some garbage between.

    Have you got any clue what this may be?

    Best regards,
    Nils Ulltveit-Moe
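One check a defender can run on the captured redirect packets behind these alerts (an added Python example, not part of the original post; the addresses, ports and the quoted HTTP reply in the sample are constructed): it bounds the quoted datagram by the outer IP total length and reports how many bytes of the original datagram are actually present versus the length the quoted header claims, so any displayed "payload" beyond what the ICMP packet itself carries cannot have come from that packet.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; returns 0 when run over a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp_redirect(pkt: bytes) -> dict:
    """Decode an IPv4 packet carrying an ICMP redirect (type 5, Snort SID 472)."""
    ihl = (pkt[0] & 0x0F) * 4
    outer_len = struct.unpack("!H", pkt[2:4])[0]
    icmp = pkt[ihl:outer_len]            # bounded by the OUTER total length only
    if len(icmp) < 8 or icmp[0] != 5:
        raise ValueError("not an ICMP redirect")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    quoted = icmp[8:]                    # the original datagram as quoted by the router
    q_ihl = (quoted[0] & 0x0F) * 4
    q_total = struct.unpack("!H", quoted[2:4])[0]
    proto = quoted[9]
    sport, dport = struct.unpack("!HH", quoted[q_ihl:q_ihl + 4]) if proto in (6, 17) else (None, None)
    return {
        "code": icmp[1],
        "gateway": socket.inet_ntoa(icmp[4:8]),
        "orig_src": socket.inet_ntoa(quoted[12:16]),
        "orig_dst": socket.inet_ntoa(quoted[16:20]),
        "orig_proto": proto,
        "orig_sport": sport,
        "orig_dport": dport,
        "quoted_len_claimed": q_total,   # length of the ORIGINAL datagram, not of this packet
        "quoted_len_present": len(quoted),
    }

def build_sample() -> bytes:
    """Constructed sample: a redirect-for-host (code 1) quoting an HTTP reply (80 -> 2449)."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 531, 0xBF00, 0x4000, 64, 6, 0,
                        socket.inet_aton("192.0.2.10"), socket.inet_aton("10.0.0.7"))
    inner += struct.pack("!HHI", 80, 2449, 0x1234ABCD)   # first 8 bytes of the TCP header
    body = struct.pack("!BBH4s", 5, 1, 0, socket.inet_aton("10.0.0.254")) + inner
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 1, 0, 64, 1, 0,
                        socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.7"))
    return outer + body   # outer IP checksum left at 0: not verified by this check
```

RFC 792 specifies that the quoted part is the original IP header plus the first 8 bytes of its data (RFC 1812 allows routers to include more), so a quoted length of 28 bytes next to a claimed 531 is normal, and a displayed payload much longer than the ICMP packet is the thing to investigate.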

    _______________________________________________
    Snort-users mailing list
    Snort-users@lists.sourceforge.net