From: Frank Knobbe (fknobbe_at_knobbeits.com)
Date: Sun Feb 02 2003 - 23:15:18 CST
I recently caught the packet below with Snort 1.9 compiled Jan 29 from
CVS. It lists some weird content. The upper half looks like a valid HTTP
request (I verified that that image exists and is indeed called from
the referring page). The bottom half looks like a snippet from an email,
which would explain why this packet triggered on port 25.
Has anyone seen a similar mangled packet? Is there a bug in Snort where
the packet buffer gets overwritten half-way?
Thanks,
Frank
[**] P2P GNUTella GET [**]
01/31-14:05:51.391716 x.x.x.x:3397 -> 64.75.1.245:25
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:701
***AP*** Seq: 0xD2CFAF7D Ack: 0x9A3207E Win: 0x60F4 TcpLen: 20
47 45 54 20 2F 69 6D 61 67 65 73 2F 67 6C 6F 62 GET /images/glob
61 6C 2F 6D 61 73 74 68 65 61 64 2F 74 61 62 5F al/masthead/tab_
66 6C 73 2E 67 69 66 20 48 54 54 50 2F 31 2E 30 fls.gif HTTP/1.0
0D 0A 56 69 61 3A 20 31 2E 30 20 4C 4F 56 45 42 ..Via: 1.0 LOVEB
4F 41 54 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A OAT..User-Agent:
20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F Mozilla/4.0 (co
6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 35 mpatible; MSIE 5
2E 35 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 34 .5; Windows NT 4
2E 30 29 0D 0A 48 6F 73 74 3A 20 64 69 2E 64 65 .0)..Host: di.de
6C 6C 2E 63 6F 6D 0D 0A 41 63 63 65 70 74 3A 20 ll.com..Accept:
2A 2F 2A 0D 0A 52 65 66 65 72 65 72 3A 20 68 74 */*..Referer: ht
74 70 3A 2F 2F 77 77 77 2E 64 65 6C 6C 2E 63 6F tp://www.dell.co
6D 2F 75 73 2F 65 6E 2F 64 68 73 2F 74 6F 70 69 m/us/en/dhs/topi
63 73 2F 73 65 67 74 6F 70 69 63 5F 72 65 62 61 cs/segtopic_reba
74 65 73 2E 68 74 6D 0D 0A 41 63 63 65 70 74 2D tes.htm..Accept-
4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 20 20 20 Language: en-
Up till here it appears to be the top of a web request for a
web page image. The image name is valid and is indeed linked
from the referrer. But what follows appears to be an email
fragment. Note the destination port on top being 25.
20 77 6F 75 6C 64 20 xx xx xx xx xx 20 68 61 76 would xxxxx hav
65 20 74 6F 20 70 75 72 63 68 61 73 65 20 4B 6E e to purchase Kn
6F 77 6C 65 64 67 65 20 42 61 73 65 20 66 6F 72 owledge Base for
20 69 74 73 20 65 6E 74 69 72 65 20 63 6F 72 70 its entire corp
6F 72 61 74 65 20 0D 0A 20 20 20 20 6C 69 63 65 orate .. lice
6E 73 65 3F 20 28 49 66 20 73 6F 2C 20 63 61 6E nse? (If so, can
20 79 6F 75 20 67 69 76 65 20 6D 65 20 61 6E 20 you give me an
69 64 65 61 20 6F 66 20 74 6F 74 61 6C 20 63 6F idea of total co
73 74 20 6F 72 20 63 6F 73 74 20 74 6F 20 xx xx st or cost to xx
xx xx xx xx xx xx xx 20 0D 0A 20 20 20 20 61 6E xxxxxxx .. an
64 20 6C 69 6B 65 6C 69 68 6F 6F 64 20 6F 66 20 d likelihood of
74 68 65 20 63 6F 6D 70 61 6E 79 20 64 6F 69 6E the company doin
67 20 74 68 61 74 3F 29 3C 2F 46 4F 4E 54 3E 3C g that?)</FONT><
2F 50 3E 0D 0A 20 20 20 20 3C 50 3E 3C 46 4F 4E /P>.. <P><FON
54 20 73 69 7A 65 3D 32 3E 54 68 69 72 64 2C 20 T size=2>Third,
69 66 20 77 65 20 61 72 65 20 6F 70 65 72 61 74 if we are operat
69 6E 67 20 xx xx xx xx xx xx 20 6F 75 74 20 6F ing xxxxxx out o
66 20 74 68 65 20 44 4D 5A 2C 20 77 6F 75 6C 64 f the DMZ, would
20 77 65 20 0D 0A 20 20 20 20 64 65 66 69 6E 69 we .. defini
74 65 6C 79 20 62 65 20 61 62 6C 65 20 74 6F 20 tely be able to
73 68 61 72 65 20 61 70 70 6C 69 63 61 74 69 6F share applicatio
6E 73 20 28 77 65 20 77 61 6E 74 20 74 6F 20 73 ns (we want to s
68 61 72 65 20 74 68 65 69 72 73 2C 20 6E 6F 74 hare theirs, not
20 68 61 76 65 20 0D 0A 20 20 20 20 74 68 65 6D have .. them
20 73 68 61 72 65 20 6F 75 72 73 20 73 6F 20 64 share ours so d
69 73 61 62 6C isabl
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)
iD8DBQA+Pfrmpo+MRgtrF98RAloRAKCiqVjyzjpqa843nP5Hv8LAGXBehwCg6pAi
U76ZIm09tz3Qx2NMN6Yj18M=
=3HAU
-----END PGP SIGNATURE-----
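The two things a triager would check on a dump like the one above are (a) whether the bytes Snort printed account for the whole segment the IP header describes, and (b) where in the payload the data stops looking like the protocol the rule matched. The script below is an added example written for this page; it is not part of Frank's post and not Snort code. It parses the text Snort prints for an alert (the `IpLen`/`DgmLen` line, the `TcpLen` line and the 16-byte hex/ASCII rows), rebuilds the payload, compares its length with `DgmLen - IpLen - TcpLen`, and walks the HTTP header block noting the first line that is not a header field, is an obsolete folded continuation, or carries HTML tags. Redacted bytes written as `xx`, the convention used in the post, are accepted and their offsets recorded. The sample alert embedded at the bottom is constructed for this example (addresses 10.0.0.1 and 192.0.2.10, `DgmLen:125`, a six-row payload); only the alert block, not the surrounding mail text, should be fed to the parser.

```python
"""Consistency check for a Snort '-d' style alert dump (added example, not Snort code)."""
import re

HEX_TOKEN = re.compile(r"^(?:[0-9A-Fa-f]{2}|xx)$", re.IGNORECASE)
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")
FIELD_NAME = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:")   # RFC 7230 token followed by ':'
HTML_TAG = re.compile(rb"</?[A-Za-z][^>]*>")
BYTES_PER_ROW = 16                                             # Snort prints 16 bytes per row


def parse_snort_dump(text):
    """Return (header fields, payload bytes, offsets of redacted 'xx' bytes)."""
    hdr, payload, redacted = {}, bytearray(), []
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.search(r"IpLen:(\d+)\s+DgmLen:(\d+)", line):
            hdr["ip_len"], hdr["dgm_len"] = int(m.group(1)), int(m.group(2))
        elif m := re.search(r"TcpLen:\s*(\d+)", line):
            hdr["tcp_len"] = int(m.group(1))
        elif m := re.search(r"->\s*\S+:(\d+)$", line):
            hdr["dst_port"] = int(m.group(1))
        else:
            # Take at most one row of byte tokens and stop at the first token that is
            # not a byte, so the trailing ASCII column is never consumed as data.
            # Caveat: feed only the alert block; a prose line starting with a word
            # such as "be" or "ad" would be read as a byte.
            for tok in line.split()[:BYTES_PER_ROW]:
                if not HEX_TOKEN.match(tok):
                    break
                if tok.lower() == "xx":
                    redacted.append(len(payload))
                    payload.append(0)          # placeholder for a redacted byte
                else:
                    payload.append(int(tok, 16))
    return hdr, bytes(payload), redacted


def analyze_http(payload):
    """Walk the header block of an HTTP request and note where it stops being one."""
    report = {"request_line": None,
              "headers_terminated": b"\r\n\r\n" in payload,
              "anomalies": []}                 # list of (offset, reason)
    m = REQUEST_LINE.match(payload)
    if not m:
        return report
    report["request_line"] = m.group(0).strip().decode("ascii", "replace")
    pos = m.end()
    while pos < len(payload):
        end = payload.find(b"\r\n", pos)
        if end == -1:
            end = len(payload)
        line = payload[pos:end]
        if line == b"":
            break                              # empty line: header block ended normally
        if line[:1] in (b" ", b"\t"):
            report["anomalies"].append((pos, "obs-fold continuation line"))
        elif not FIELD_NAME.match(line):
            report["anomalies"].append((pos, "not a header field"))
        if HTML_TAG.search(line):
            report["anomalies"].append((pos, "HTML tag inside header block"))
        pos = end + 2
    return report


def analyze_alert(text):
    """Combine the length check and the protocol walk into one triage summary."""
    hdr, payload, redacted = parse_snort_dump(text)
    http = analyze_http(payload)
    have_lens = all(k in hdr for k in ("dgm_len", "ip_len", "tcp_len"))
    return {
        "dst_port": hdr.get("dst_port"),
        "expected_len": hdr["dgm_len"] - hdr["ip_len"] - hdr["tcp_len"] if have_lens else None,
        "actual_len": len(payload),
        "redacted": redacted,
        "request_line": http["request_line"],
        "headers_terminated": http["headers_terminated"],
        "first_anomaly": http["anomalies"][0] if http["anomalies"] else None,
    }


# Constructed sample (not a real capture) in the same layout as the dump in the post:
# an HTTP request whose Accept header runs straight into an HTML mail fragment,
# with two bytes redacted as 'xx'. DgmLen 125 = 20 (IP) + 20 (TCP) + 85 payload bytes.
SAMPLE_ALERT = """\
[**] P2P GNUTella GET [**]
01/31-14:05:51.391716 10.0.0.1:3397 -> 192.0.2.10:25
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:125
***AP*** Seq: 0xD2CFAF7D Ack: 0x9A3207E Win: 0x60F4 TcpLen: 20
47 45 54 20 2F 61 2E 67 69 66 20 48 54 54 50 2F GET /a.gif HTTP/
31 2E 30 0D 0A 48 6F 73 74 3A 20 78 2E 79 0D 0A 1.0..Host: x.y..
41 63 63 65 70 74 3A 20 65 6E 2D 20 20 20 77 6F Accept: en-   wo
75 6C 64 20 xx xx 20 68 61 76 65 20 74 6F 0D 0A uld xx have to..
20 20 20 20 6C 69 63 65 6E 73 65 3F 3C 2F 50 3E     license?</P>
0D 0A 3C 50 3E ..<P>
"""

if __name__ == "__main__":
    for key, value in analyze_alert(SAMPLE_ALERT).items():
        print(f"{key:>18}: {value}")
```

Applied to the dump in the post itself, the length check comes out consistent: the 41 full 16-byte rows plus the 5-byte tail give 661 payload bytes, and `DgmLen:701` minus the 20-byte IP header and 20-byte TCP header is also 661. So Snort printed the whole segment as it received it; the dump is not truncated and nothing was appended after the fact. The protocol walk, on the other hand, reports that the header block never terminates (no blank line) and that the lines after `Accept-Language:` are folded continuations carrying `</FONT>` and `<P>` tags, which pins the point where the HTTP request turns into mail body. Neither check by itself says whether the mixture arose on the wire or in a buffer; it only narrows down which of the two is worth chasing.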
Snort-users mailing list