From: Nils Ulltveit-Moe (num_at_proseq.no)
Date: Mon Jan 27 2003 - 04:22:04 CST
Hi
Have any of you experienced "payload mixup" with Snort 1.9.0? In our
case, it is the "ICMP redirect host" rule (SID 472) that seems to
display strange payload. In the three cases below, it seems that
telnet or HTTP sessions are mixed with HTTP traffic from another
session as the content of the ICMP message:
(The data is anonymised)
Example 1:
----------
ÿŽyE[NUL][STX]
[DC3]¿
[NUL]q[ACK]¶YÕ͘Y
ÿŽy[NUL]P[HT]‘,[FF]-aK6Ï8P[DLE]ù[EOT]æÜ[NUL][NUL]ft }.clsTableDataJustify{ BACKGROUND-COLOR: #eeeeee; FONT-WEIGHT: bold; TEXT-ALIGN: justify }.clsTableDataCenter{ BACKGROUND-COLOR: #eeeeee; FONT-WEIGHT: bold; TEXT-ALIGN: center }.clsTableTextTitle{ FONT-WEIGHT: bold; TEXT-ALIGN: left }.clsTableTextRight{ TEXT-ALIGN: right }.clsTableTextLeft{ TEXT-ALIGN: left }.clsTableTextJustify{ TEXT-ALIGN: justify }.clsTableDataColTitle{ COLOR: #333366; BACKGROUND-COLOR: #9999cc; FONT-SIZE: 11px; FONT-WEIGHT: bold; TEXT-ALIGN: left }.clsTableDataCol{ BACKGROUND-COL
Example 2:
----------
ÿŽyE[NUL][SOH]“[FF][FF]
[NUL]q[ACK]¾½Õ͘U
ÿŽy[NUL]P[HT]Ž[SO]K[NAK]dK+Ó<P[CAN]ù¢à´[NUL][NUL]HTTP/1.1 302 Object Moved[CR][LF]Location: http://xxx.xxx.com/redirect.asp?frmSiteStyleId=101234[CR][LF]Server: Microsoft-IIS/5.0[CR][LF]Content-Type: text/html[CR][LF]Content-Length: 186[CR][LF][CR][LF]<head><title>Document Moved</title></head>[LF]<body><h1>Object Moved</h1>This document may be found <a HREF="http://xxx.xxx.com/redirect.asp?frmSiteStyleId=101234">here</a></body>
Example 3:
---------
Doc A > GET /ddapp-images/blank.gif HTTP/1.1[CR][LF]
Doc A > Accept: */*[CR][LF]
Doc A > Referer: http://xxx.xxxxxxxxxxxx.com/[CR][LF]
Doc A > Accept-Language: en-us[CR][LF]
Doc A > Accept-Encoding: gzip, deflate[CR][LF]
Doc A > User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)[CR][LF]
Doc A > Host: xxx.xxxxxxxxxxxx.com[CR][LF]
Doc A > Connection: Keep-Alive[CR][LF]
Doc A > Cookie: XXXXXXXXXXXXXXXXXXXX=XXXXXXXXXXXXXXXXXXXXXXXX;
Garbage> ckeCountryId=100[CR][LF][CR]lor:#4e4e4e}[CR][LF]
Doc B > </style>[CR][LF]
Doc B > [CR][LF]
Doc B > <META NAME="ROBOTS" CONTENT="NOINDEX">[CR][LF]
Doc B > [CR][LF]
Doc B > <title>The page cannot be found</title>
Doc B > [CR][LF]
Doc B > [CR][LF]
Doc B > <META HTTP-EQUIV="Content-Type" Content="text-html;
Doc B > charset=Windows-1252">[CR][LF]
Doc B > </head>[CR][LF]
Doc B > [CR][LF]
Doc B > <script>
Doc B > [CR][LF]
Doc B > function Homepage(){[CR][LF]
Doc B > <!--[CR][LF]// in real bits, urlsget
Here two documents are mixed together, with some garbage between.
Have you got any clue what this may be?
Best regards,
Nils Ulltveit-Moe
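A decoder for the ICMP redirect payload that Snort prints for SID 472, added here as an illustration and not code from Nils's post or from Snort itself: it splits off the embedded IP header and the 8 transport bytes that RFC 792 requires, and reports how much the sender appended beyond them (RFC 1812 lets a router include up to 576 bytes of the original datagram, which is how a slice of an HTTP flow can end up in the alert). The sample message, its addresses (RFC 5737 ranges) and the HTTP text are constructed, not taken from the post.

```python
import struct
from ipaddress import IPv4Address


def build_sample() -> bytes:
    """Constructed ICMP 'redirect for host' (type 5, code 1) carrying a TCP datagram."""
    icmp = struct.pack("!BBH", 5, 1, 0) + IPv4Address("10.0.0.1").packed  # checksum 0
    # Embedded IPv4 header: IHL 5, total length 522, TTL 113, protocol 6 (TCP)
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 522, 0x13BF, 0, 113, 6, 0,
                           IPv4Address("192.0.2.10").packed,
                           IPv4Address("198.51.100.7").packed)
    inner_tcp8 = struct.pack("!HHI", 80, 2449, 0x0A1B2C3D)  # ports + seq = the 8 bytes
    # Data the sender tacked on beyond the RFC 792 minimum (constructed HTTP text)
    extra = b"HTTP/1.1 302 Object Moved\r\nServer: Microsoft-IIS/5.0\r\n"
    return icmp + inner_ip + inner_tcp8 + extra


def decode_redirect(msg: bytes) -> dict:
    """Return the flow the redirect refers to plus how many bytes exceed the minimum."""
    icmp_type, code, _csum, gw = struct.unpack("!BBH4s", msg[:8])
    if icmp_type != 5:
        raise ValueError("not an ICMP redirect")
    inner = msg[8:]                         # original datagram as quoted by the sender
    ihl = (inner[0] & 0x0F) * 4             # inner IP header length in bytes
    if len(inner) < ihl + 8:
        raise ValueError("truncated: RFC 792 requires inner header + 8 bytes")
    total_len = struct.unpack("!H", inner[2:4])[0]
    ttl, proto = inner[8], inner[9]
    src, dst = IPv4Address(inner[12:16]), IPv4Address(inner[16:20])
    sport = dport = None
    if proto in (6, 17):                    # TCP and UDP both start with the two ports
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    rfc792_end = ihl + 8                    # everything past here is sender-added data
    return {
        "code": code, "gateway": str(IPv4Address(gw)),
        "proto": proto, "ttl": ttl, "src": str(src), "dst": str(dst),
        "sport": sport, "dport": dport, "inner_total_len": total_len,
        "extra_bytes": len(inner) - rfc792_end,
        "extra_preview": inner[rfc792_end:rfc792_end + 16],
    }


if __name__ == "__main__":
    for k, v in decode_redirect(build_sample()).items():
        print(f"{k:16} {v!r}")
```

Anything reported under extra_bytes is data the redirecting host chose to quote, so comparing it with the flow identified by src/dst and the ports tells you whether it belongs to that session or came from elsewhere.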