Snort mailing list archives
problems with packet logs on 1.8.2
From: Russell Fulton <r.fulton () auckland ac nz>
Date: Wed, 28 Nov 2001 17:00:07 +1300 (NZDT)
Hi All,

I am getting some garbage in packet captures, here is an example:

[**] WEB-IIS cmd.exe access [**]
11/28-15:18:41.518117 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x0 len:0x27D
210.55.38.206:1180 -> 130.216.191.67:80 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:623
***AP*** Seq: 0x78406864  Ack: 0x2AA275  Win: 0x40E8  TcpLen: 20
65 3A 30 78 30 20 6C 65 6E 3A 30 78 32 35 33 0D  e:0x0 len:0x253.
0A 32 30 33 2E 39 36 2E 39 33 2E 38 39 3A 31 33  .203.96.93.89:13
36 35 20 2D 3E 20 31 33 30 2E 32 31 36 2E 31 39  65 -> 130.216.19
31 2E 36 37 3A 38 30 20 54 43 50 20 54 54 4C 3A  1.67:80 TCP TTL:
32 34 30 20 54 4F 53 3A 30 78 31 30 20 49 44 3A  240 TOS:0x10 ID:
30 20 0D 0A 49 70 4C 65 6E 3A 32 30 20 44 67 6D  0 ..IpLen:20 Dgm
4C 65 6E 3A 35 38 31 0D 0A 2A 2A 2A 41 50 2A 2A  Len:581..***AP**
2A 20 53 65 71 3A 20 30 78 45 43 35 36 37 39 37  * Seq: 0xEC56797
44 20 20 41 63 6B 3A 20 30 78 34 34 41 42 33 34  D  Ack: 0x44AB34
42 20 20 57 69 6E 3A 20 30 78 34 30 45 38 20 20  B  Win: 0x40E8
54 63 70 4C 65 6E 3A 20 32 30 0D 0A 34 37 20 34  TcpLen: 20..47 4
35 20 35 34 20 32 30 20 32 46 20 37 33 20 36 33  5 54 20 2F 73 63
20 37 32 20 36 39 20 37 30 20 37 34 20 37 33 20   72 69 70 74 73
32 46 20 32 45 20 32 45 20 35 43 20 20 47 45 54  2F 2E 2E 5C  GET
20 2F 73 63 72 69 70 74 73 2F 2E 2E 5C 0D 0A 32   /scripts/..\..2
45 20 32 45 20 32 46 20 37 37 20 36 39 20 36 45  E 2E 2F 77 69 6E
20 36 45 20 37 34 20 32 46 20 37 33 20 37 39 20   6E 74 2F 73 79
37 33 20 37 34 20 36 35 20 36 44 20 33 33 20 20  73 74 65 6D 33
2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33  ../winnt/system3
0D 0A 33 32 20 32 46 20 36 33 20 36 44 20 36 34  ..32 2F 63 6D 64
20 32 45 20 36 35 20 37 38 20 36 35 20 33 46 20   2E 65 78 65 3F
32 46 20 36 33 20 32 42 20 36 34 20 36 39 20 37  2F 63 2B 64 69 7
32 20 20 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B  2  2/cmd.exe?/c+
64 69 72 0D 0A 32 30 20 37 32 20 32 30 20 37 32  dir..20 72 20 72
20 72 20 72 20 32 30 20 34 38 20 35 34 20 35 34 20 35 30 20 20 48 54 54 50 [snip]

In this case it would appear that the packet has been decoded twice, so the packet contents are now the ASCII packet capture.

Another example:

[**] WEB-IIS .... access [**]
11/28-13:31:23.680387 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x0 len:0x253
203.96.93.89:1365 -> 130.216.191.67:80 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:581
***AP*** Seq: 0xEC56797D  Ack: 0x44AB34B  Win: 0x40E8  TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 5C  GET /scripts/..\
2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33  ../winnt/system3
32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72  2/cmd.exe?/c+dir
20 72 20 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48   r r HTTP/1.0..H
6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65  ost: www..Connne
63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D 0A  ction: close....
33 0D 0A 0D 0A 32 30 0D 0A 20 20 20 20 20 20 20  3....20..
20 20 20 20 20 43 6C 6F 75 64 45 69 67 68 74 20       CloudEight
43 44 73 3D 32 30 0D 0A 20 20 20 20 20 20 20 20  CDs=20..
20 20 20 20 4D 61 69 6C 20 4C 69 73 74 3D 32 30      Mail List=20
0D 0A 20 20 20 20 20 20 20 20 20 20 20 20 48 65  ..            He
6C 70 3D 32 30 0D 0A 20 20 20 20 20 20 20 20 20  lp=20..
20 20 20 46 41 51 3D 32 30 0D 0A 20 20 20 20 20     FAQ=20..
20 20 20 20 20 20 20 43 68 72 69 73 74 6D 61 73         Christmas
3D 32 30 0D 0A 20 20 20 20 20 20 20 20 20 20 20  =20..
20 56 61 6C 65 6E 74 69 6E 65 27 73 20 44 61 79   Valentine's Day
3D 32 30 0D 0A 20 20 20 20 20 20 20 20 20 20 20  =20..
20 45 61 73 74 65 72 3D 32 30 0D 0A 20 20 20 20   Easter=20..
20 20 20 20 20 20 20 20 48 61 6C 6C 6F 77 65 65          Hallowee
6E 3D 32 30 0D 0A 20 20 20 20 20 20 20 20 20 20  n=20..
20 20 53 70 65 63 69 61 6C 20 4F 63 63 61 73 69    Special Occasi
6F 6E 73 3D 32 30 0D 0A 20 20 20 20 20 20 20 20  ons=20..
20 20 20 20 54 68 61 6E 6B 73 67 69 76 69 6E 67      Thanksgiving
0D 0A 0D 0A 0D 0A 20 20 20 20 20 20 20 20 20 20  ......
20 20 43 68 72 69 73 74 6D 61 73 3D 32 30 0D 0A    Christmas=20..
20 20 20 20 20 20 20 20 20 20 20 20 41 63 70 72              Acpr
65 73 73 69 6F 6E 73 0D 0A 0D 0A 0D 0A 0D 0A 20  essions........
20 20 20 20 20 20 20 20 20 20 20 46 65 61 74 75             Featu
72 65 64 20 69 6E 20 54 68 69 73 3D 32 30 0D 0A  red in This=20..
20 20 20 20 20 20 20 20 20 20 20 20 4E 65 77 73              News
6C 65 74 74 65 72 3A 3D 32 30 0D 0A 0D 0A 20 20  letter:=20....
20 20 20 20 20 20 20 20 20 20 43 68 72 69 73 74            Christ
6D 61 73 20 44 72 65 61 6D 73 3D 32 30 0D 0A 20  mas Dreams=20..
20 20 20 20 20 20 20 20 37 0D 0A 0D 0A                   7....

In this case it looks as if the packet length is wrong and we have trailing garbage from some other packet.

I'm running snort on a Debian Linux system; the command line is:

snort -A full -c rules.130.216.0.0 -d -D -e -h 130.216.0.0/16 -i eth1 -l /home/snort/...

These are set in the config file:

preprocessor frag2
preprocessor stream4: noalerts
preprocessor stream4_reassemble
preprocessor http_decode: 80
preprocessor rpc_decode: 111
preprocessor telnet_decode

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
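The two symptoms in the post above (a dump whose contents are an earlier alert, and a dump whose byte count you want to compare against the headers) can both be checked mechanically before blaming the logger. The following Python script is an added example written for this thread; it is not Snort's code and not from the original post. It parses Snort 1.x "-A full" records written with -d (the four header lines followed by 16-byte hex-dump rows), recovers the payload bytes from the hex column, and reports when the dumped length differs from DgmLen - IpLen - TcpLen, when the Ethernet frame length is too short for the IP datagram it claims to carry, or when the payload itself contains Snort's own alert markup. The two embedded records are constructed: RELOGGED is modelled on the first dump with its headers reduced to a 32-byte payload, and TRUNCATED keeps the second dump's headers but only its first six rows, so it deliberately trips the length check.

```python
# Sanity-check Snort 1.x "-A full" records written with -d (hex dump).
# Added example for the thread above, not Snort's own code.
import re
from dataclasses import dataclass
from typing import List

@dataclass
class AlertRecord:
    msg: str
    frame_len: int    # len:0x... on the timestamp line (Ethernet frame, from -e)
    dgm_len: int      # DgmLen, the IP total length
    ip_hdr_len: int   # IpLen
    tcp_hdr_len: int  # TcpLen
    payload: bytes = b""

    @property
    def expected_payload_len(self) -> int:
        return self.dgm_len - self.ip_hdr_len - self.tcp_hdr_len

MSG_RE = re.compile(r"^\[\*\*\]\s+(.*?)\s+\[\*\*\]$")
FRAME_RE = re.compile(r"\blen:0x([0-9A-Fa-f]+)")
IP_RE = re.compile(r"\bIpLen:(\d+)\s+DgmLen:(\d+)")
TCP_RE = re.compile(r"\bTcpLen:\s*(\d+)")
HEX_PAIR_RE = re.compile(r"^[0-9A-F]{2}$")
# Strings only Snort's own alert output contains; finding them inside a
# payload means the "packet" is really an earlier alert record.
ALERT_MARKERS = (b"[**]", b"IpLen:", b"DgmLen:", b"TcpLen:")

def _need(match, what):
    if match is None:
        raise ValueError(f"could not find {what} in record")
    return match

def parse_record(text: str) -> AlertRecord:
    """Parse one record: four header lines followed by hex-dump rows."""
    lines = text.strip("\n").splitlines()
    msg = _need(MSG_RE.match(lines[0]), "alert message").group(1)
    frame_len = int(_need(FRAME_RE.search(lines[1]), "frame len").group(1), 16)
    ip = _need(IP_RE.search(lines[2]), "IpLen/DgmLen")
    tcp = _need(TCP_RE.search(lines[3]), "TcpLen")
    rec = AlertRecord(msg, frame_len, int(ip.group(2)), int(ip.group(1)), int(tcp.group(1)))
    chunks = []
    for line in lines[4:]:
        # The hex column never contains a double space and the ASCII column
        # follows the first one, so split there instead of trusting widths.
        pairs = line.partition("  ")[0].split()
        if not pairs or len(pairs) > 16 or not all(HEX_PAIR_RE.match(p) for p in pairs):
            raise ValueError(f"not a hex-dump row: {line!r}")
        chunks.append(bytes.fromhex("".join(pairs)))
    rec.payload = b"".join(chunks)
    return rec

def check_record(rec: AlertRecord) -> List[str]:
    """Return human-readable problems; an empty list means the record is consistent."""
    problems = []
    if rec.frame_len < 14 + rec.dgm_len:  # the 14-byte Ethernet header must fit
        problems.append(f"frame len {rec.frame_len} is shorter than 14 + DgmLen {rec.dgm_len}")
    if len(rec.payload) != rec.expected_payload_len:
        problems.append(f"dump holds {len(rec.payload)} payload bytes, "
                        f"headers announce {rec.expected_payload_len}")
    hits = [m.decode() for m in ALERT_MARKERS if m in rec.payload]
    if hits:
        problems.append("payload contains Snort alert text (" + ", ".join(hits)
                        + "): looks like a re-logged alert")
    return problems

# Constructed sample records (not copied verbatim from the post).
# RELOGGED mirrors the first dump: its payload is Snort alert text, and the
# headers are consistent with a 32-byte payload (DgmLen 72 = 20 + 20 + 32).
RELOGGED = """\
[**] WEB-IIS cmd.exe access [**]
11/28-15:18:41.518117 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x0 len:0x56
210.55.38.206:1180 -> 130.216.191.67:80 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:72
***AP*** Seq: 0x78406864  Ack: 0x2AA275  Win: 0x40E8  TcpLen: 20
65 3A 30 78 30 20 6C 65 6E 3A 30 78 32 35 33 0D  e:0x0 len:0x253.
0A 49 70 4C 65 6E 3A 32 30 20 44 67 6D 4C 65 6E  .IpLen:20 DgmLen
"""
# TRUNCATED keeps the second dump's headers (DgmLen 581 => 541 payload bytes)
# but only its first six rows, so the length check must fire.
TRUNCATED = """\
[**] WEB-IIS .... access [**]
11/28-13:31:23.680387 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x0 len:0x253
203.96.93.89:1365 -> 130.216.191.67:80 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:581
***AP*** Seq: 0xEC56797D  Ack: 0x44AB34B  Win: 0x40E8  TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 5C  GET /scripts/..\\
2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33  ../winnt/system3
32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72  2/cmd.exe?/c+dir
20 72 20 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48   r r HTTP/1.0..H
6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65  ost: www..Connne
63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D 0A  ction: close....
"""

if __name__ == "__main__":
    for name, text in (("relogged", RELOGGED), ("truncated", TRUNCATED)):
        rec = parse_record(text)
        print(f"{name}: {rec.msg!r}, {len(rec.payload)} payload bytes")
        for problem in check_record(rec) or ["no problems found"]:
            print("  -", problem)
```

The marker test is a heuristic: a legitimate HTTP payload could in principle contain "IpLen:", so treat a hit as a prompt to look at the record, not as proof. Counting the rows of the full second dump in the post gives 33 rows of 16 bytes plus a final 13, i.e. 541 bytes, which is exactly DgmLen 581 minus IpLen 20 minus TcpLen 20; so in that record the dump and the headers agree on the length, and the trailing text was present in whatever buffer Snort logged rather than being a miscounted dump.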
Current thread:
- problems with packet logs on 1.8.2 Russell Fulton (Nov 27)
- Re: problems with packet logs on 1.8.2 Phil Wood (Nov 28)