From: Nils Ulltveit-Moe (num_at_proseq.no)
Date: Mon Jan 27 2003 - 04:22:04 CST



    Have any of you experienced "payload mixup" with Snort 1.9.0? In our
    case, it is the "ICMP redirect host" rule (SID 472) that seems to
    display strange payload. In the three cases below, it seems that
    telnet or HTTP sessions are mixed with HTTP traffic from another
    session as the content of the ICMP message:

    (The data is anonymised)

    Example 1:
    ÿŽyE[NUL][STX][DC3]¿[NUL]q[ACK]¶YÕ͘YÿŽy[NUL]P[HT]‘,[FF]-aK6Ï8P[DLE]ù[EOT]æÜ[NUL][NUL]ft }.clsTableDataJustify{ BACKGROUND-COLOR: #eeeeee; FONT-WEIGHT: bold; TEXT-ALIGN: justify }.clsTableDataCenter{ BACKGROUND-COLOR: #eeeeee; FONT-WEIGHT: bold; TEXT-ALIGN: center }.clsTableTextTitle{ FONT-WEIGHT: bold; TEXT-ALIGN: left }.clsTableTextRight{ TEXT-ALIGN: right }.clsTableTextLeft{ TEXT-ALIGN: left }.clsTableTextJustify{ TEXT-ALIGN: justify }.clsTableDataColTitle{ COLOR: #333366; BACKGROUND-COLOR: #9999cc; FONT-SIZE: 11px; FONT-WEIGHT: bold; TEXT-ALIGN: left }.clsTableDataCol{ BACKGROUND-COL

    Example 2:
    ÿŽyE[NUL][SOH]“[FF][FF][NUL]q[ACK]¾½Õ͘UÿŽy[NUL]P[HT]Ž[SO]K[NAK]dK+Ó<P[CAN]ù¢à´[NUL][NUL]HTTP/1.1 302 Object Moved[CR][LF]Location: http://xxx.xxx.com/redirect.asp?frmSiteStyleId=101234[CR][LF]Server: Microsoft-IIS/5.0[CR][LF]Content-Type: text/html[CR][LF]Content-Length: 186[CR][LF][CR][LF]<head><title>Document Moved</title></head>[LF]<body><h1>Object Moved</h1>This document may be found <a HREF="http://xxx.xxx.com/redirect.asp?frmSiteStyleId=101234">here</a></body>

    Example 3:
     Doc A > GET /ddapp-images/blank.gif HTTP/1.1[CR][LF]
     Doc A > Accept: */*[CR][LF]
     Doc A > Referer: http://xxx.xxxxxxxxxxxx.com/[CR][LF]
     Doc A > Accept-Language: en-us[CR][LF]
     Doc A > Accept-Encoding: gzip, deflate[CR][LF]
     Doc A > User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)[CR][LF]
     Doc A > Host: xxx.xxxxxxxxxxxx.com[CR][LF]
     Doc A > Connection: Keep-Alive[CR][LF]
    Garbage> ckeCountryId=100[CR][LF][CR]lor:#4e4e4e}[CR][LF]
     Doc B > </style>[CR][LF]
     Doc B > [CR][LF]
     Doc B > [CR][LF]
     Doc B > <title>The page cannot be found</title>
     Doc B > [CR][LF]
     Doc B > [CR][LF]
     Doc B > <META HTTP-EQUIV="Content-Type" Content="text-html;
     Doc B > charset=Windows-1252">[CR][LF]
     Doc B > </head>[CR][LF]
     Doc B > [CR][LF]
     Doc B > <script>
     Doc B > [CR][LF]
     Doc B > function Homepage(){[CR][LF]
     Doc B > <!--[CR][LF]// in real bits, urlsget

    Here two documents are mixed together, with some garbage between.

    Have you got any clue what this may be?

    Nils Ulltveit-Moe
