Snort mailing list archives
"Connnection closed"? (spelled wrong!)
From: Edwin Eefting <edwin () bit nl>
Date: Thu, 10 Jan 2002 17:20:22 +0100 (CET)
Hi all,

For quite a while now, I'm wondering why I always see the string "Connnection closed" spelled wrong in http requests. My first thought was that it was some kind of mistake/coincidence, but now I see it over and over again. Does somebody know why this is, and is this really part of the http-standard?? :-)

(sorry for my own bad English :) just curious..

Edwin

------------------------------------------

On Thu, 10 Jan 2002 16:44:18 +0100 Andreas Östling <andreaso () it su se> wrote:

On Wednesday 09 January 2002 06.51, Martin Roesch wrote:

Hi Russell,
I made some tweaks to stream4 tonight that will hopefully clear up your problem, check out the latest code from cvs if you're interested (the SNORT_1_8 branch, not the 1.9-dev code). This is build 89. It now fills in the Ethernet headers appropriately and is a little tighter in how it puts things together, hopefully it'll clear up your problem. Let me know how it goes.
-Marty

Hello,

I experience the same problems as Russell from time to time. I was running 1.8.3 (release version), but unfortunately build 89 did not solve all problems. The ethernet headers now seem to be correct, but the payload is still messed up. Example:

01/10-15:17:13.659803 0:30:B6:34:4F:4C -> 0:60:70:E:B8:0 type:0x8 len:0x2C2
x.x.x.x:4271 -> 62.70.3.13:80 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:692
***AP*** Seq: 0x69F23943 Ack: 0x3DE12400 Win: 0x7AEC TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 5C  GET /scripts/..\
2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33  ../winnt/system3
32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72  2/cmd.exe?/c+dir
20 72 20 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48   r r HTTP/1.0..H
6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65  ost: www..Connne
63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D 0A  ction: close....
20 66 72 6F 6D 20 63 63 2E 75 61 62 2E 65 73 20   from cc.uab.es 
62 79 20 6B 6C 69 6E 67 6F 6E 2E 75 61 62 2E 65  by klingon.uab.e
73 20 28 41 49 58 20 33 2E 32 2F 55 43 42 20 35  s (AIX 3.2/UCB 5
2E 36 34 2F 34 2E 30 33 29 0D 0A 20 20 20 20 20  .64/4.03)..     
20 20 20 20 20 69 64 20 41 41 33 32 34 37 38 3B       id AA32478;
20 54 68 75 2C 20 31 30 20 4A 61 6E 20 32 30 30   Thu, 10 Jan 200
32 20 31 36 3A 30 32 3A 34 38 20 2B 30 31 30 30  2 16:02:48 +0100
0D 0A 52 65 63 65 69 76 65 64 3A 20 66 72 6F 6D  ..Received: from
20 43 4F 4E 56 45 52 53 49 4F 4E 2D 44 41 45 4D   CONVERSION-DAEM
4F 4E 20 62 79 20 63 63 2E 75 61 62 2E 65 73 20  ON by cc.uab.es 
28 50 4D 44 46 20 56 35 2E 32 2D 33 32 20 23 31  (PMDF V5.2-32 #1
37 32 31 30 29 0D 0A 20 69 64 20 3C 30 31 4B 43  7210).. id <01KC
57 53 4C 32 58 56 47 57 30 30 30 44 4F 53 40 63  WSL2XVGW000DOS@c
63 2E 75 61 62 2E 65 73 3E 20 66 6F 72 20 6E 69  c.uab.es> for ni
63 6F 6C 65 40 6B 6C 69 6E 67 6F 6E 2E 75 61 62  cole@klingon.uab
2E 65 73 3B 20 54 68 75 2C 0D 0A 20 31 30 20 4A  .es; Thu,.. 10 J
61 6E 20 32 30 30 32 20 31 35 3A 31 37 3A 32 36  an 2002 15:17:26
20 2B 30 31 30 30 20 28 47 4D 54 29 0D 0A 52 65   +0100 (GMT)..Re
...

According to our network session logs, there was indeed a connection from x.x.x.x:4271 to 62.70.3.13:80 at that time, but I'm pretty sure it was not a request for cmd.exe. The payload after "Connection: close" may be part of the correct one.

I'm running two instances of snort on two different interfaces under OpenBSD 3.0-STABLE, with about 300 customized rules. Snort.conf currently contains the following:

preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode

snort -V gives:

-*> Snort! <*-
Version 1.8.3 (Build 89)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

This is just a test machine so I'll try to experiment a bit. Any clever suggestions about what may be worth trying? To me it seems like it's always those unicode requests that mess things up. Could there also be some problem with http_decode? A quick look tells me that my other Snort boxes did not log the above packet.

One difference I can think of is that the machine logging the packet uses the 'tag' feature on outgoing cmd.exe requests (among other rules) but the other machines do not. Perhaps this has something to do with it? (btw, I strongly doubt there was an outgoing request for cmd.exe at all at that time, so the cmd.exe part of the packet above is probably from an incoming one, and those should not even be logged.)

FYI, this is what it looked like with the release version of 1.8.3:

12/08-17:36:56.021411 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x0 len:0x250
x.x.x.x:1140 -> 207.46.28.135:80 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:578
***AP*** Seq: 0x6EDF1A08 Ack: 0x176F48 Win: 0x40E8 TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
63 30 25 32 66 2E 2E 2F 77 69 6E 6E 74 2F 73 79  c0%2f../winnt/sy
73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F  stem32/cmd.exe?/
63 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A  c+dir HTTP/1.0..
48 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E  Host: www..Connn
65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D  ection: close...
0A 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73  .nnnection: clos
65 0D 0A 0D 0A 03 05 45 5F 00 03 05 45 5F 00 03  e......E_...E_..
05 55 4E 44 3D 22 69 6D 61 67 65 73 2F 74 69 6C  .UND="images/til
65 73 2E 67 69 66 22 20 42 47 43 4F 4C 4F 52 3D  es.gif" BGCOLOR=
22 23 45 43 44 34 39 38 22 20 54 45 58 54 3D 22  "#ECD498" TEXT="
23 36 36 30 30 30 30 22 20 4C 49 4E 4B 3D 22 23  #660000" LINK="#
36 36 30 30 30 30 22 20 41 4C 49 4E 4B 3D 22 23  660000" ALINK="#
38 38 30 30 30 30 22 20 56 4C 49 4E 4B 3D 22 23  880000" VLINK="#
36 36 30 30 30 30 22 20 4D 41 52 47 49 4E 57 49  660000" MARGINWI
44 54 48 3D 22 34 22 20 54 4F 50 4D 41 52 47 49  DTH="4" TOPMARGI
4E 3D 22 31 30 22 20 4C 45 46 54 4D 41 52 47 49  N="10" LEFTMARGI
4E 3D 22 34 22 3E 3C 41 20 4E 41 4D 45 3D 22 74  N="4"><A NAME="t
6F 70 22 3E 0D 0A 0D 0A 3C 6D 61 70 20 6E 61 6D  op">....<map nam
65 3D 22 6E 65 77 2E 6C 6F 67 6F 22 3E 0D 0A 3C  e="new.logo">..<
61 72 65 61 20 73 68 61 70 65 3D 22 72 65 63 74  area shape="rect
22 20 63 6F 6F 72 64 73 3D 22 38 38 2C 30 2C 31  " coords="88,0,1
35 31 2C 36 30 22 20 68 72 65 66 3D 22 68 74 74  51,60" href="htt
70 3A 2F 2F 77 77 77 2E 73 79 6C 76 69 61 2E 73  p://www.sylvia.s
65 2F 22 20 74 61 72 67 65 74 3D 22 5F 62 6C 61  e/" target="_bla
6E 6B 22 3E 0D 0A 3C 61 72 65 61 20 73 68 61 70  nk">..<area shap
65 3D 22 72 65 63 74 22 20 63 6F 6F 72 64 73 3D  e="rect" coords=
22 39 36 2C 37 30 2C 31 35 36 2C 31 30 37 22 20  "96,70,156,107" 
68 72 65 66 3D 22 22 3E 0D 0A 3C 61 72 65 61 20  href="">..<area 
73 68 61 70 65 3D 22 64 65 66 61 75 6C 74 22 20  shape="default" 
6E 6F 68 72 65 66 3E 0D 0A 3C 2F 6D 61 70 3E 0D  nohref>..</map>.
0A 0D 0A 3C 6D 61 70 20 6E 61 6D 65 3D 22 6E 65  ...<map name="ne
77 2E 6D 65 6E 75 22 3E 0D 0A 3C 61 72 65 61 20  w.menu">..<area 
73 68 61 70 65 3D 22 72 0D 0A                    shape="r..

(did build 89 solve your problems, Russell?)

/Andreas

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Edwin Eefting
Business Internet Trends BV
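As an added illustration that is not part of this thread (my own code, not Snort's): a small Python helper that rebuilds the payload bytes from Snort 1.8 hex-dump log lines like the ones quoted above, splits the HTTP request at its end-of-headers marker, and reports the misspelled header together with how many bytes follow the request, which is the quickest way to see where a logged packet stops being a single request. The sample input is constructed from the first seven dump lines of the first packet in the thread.

```python
import re

HEX_BYTE = re.compile(r"[0-9A-F]{2}")

# Constructed sample: the first seven dump lines of the packet quoted in the thread
# (Snort 1.8 "-d" output: 16 hex bytes, then their printable rendering).
SAMPLE_DUMP = """\
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 5C  GET /scripts/..\\
2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33  ../winnt/system3
32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72  2/cmd.exe?/c+dir
20 72 20 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48   r r HTTP/1.0..H
6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65  ost: www..Connne
63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D 0A  ction: close....
20 66 72 6F 6D 20 63 63 2E 75 61 62 2E 65 73 20   from cc.uab.es
"""


def payload_bytes(dump: str) -> bytes:
    """Collect the leading hex column (at most 16 bytes) of every dump line."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[:16]:
            if not HEX_BYTE.fullmatch(tok):
                break  # reached the printable-rendering column
            out.append(int(tok, 16))
    return bytes(out)


def analyse_http_request(payload: bytes) -> dict:
    """Split at the HTTP end-of-headers marker and describe what sits after it."""
    end = payload.find(b"\r\n\r\n")
    head = payload if end < 0 else payload[:end]
    trailer = b"" if end < 0 else payload[end + 4:]
    lines = head.split(b"\r\n")
    headers = {}
    for raw in lines[1:]:
        name, _, value = raw.partition(b":")
        headers[name.strip().decode("latin-1")] = value.strip().decode("latin-1")
    return {
        "request_line": lines[0].decode("latin-1"),
        "headers": headers,
        "misspelled_connection": "Connnection" in headers,
        "trailing_bytes": len(trailer),  # >0 means more data than one request
        "trailing_preview": trailer[:40].decode("latin-1", "replace"),
    }


if __name__ == "__main__":
    print(analyse_http_request(payload_bytes(SAMPLE_DUMP)))
```

Feeding the full second packet from the thread through the same functions shows the second "Connnection: close" fragment and the HTML tail as trailing bytes after the first request.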
Current thread:
- Re: Garbage in snort logs, (continued)
- Re: Garbage in snort logs Phil Wood (Jan 07)
- Re: Garbage in snort logs Jim Forster (Jan 07)
- preprocessor Ganu Skop (Jan 07)
- Re: preprocessor Martin Roesch (Jan 08)
- Re: Garbage in snort logs russell (Jan 07)
- Re: Garbage in snort logs Phil Wood (Jan 08)
- Re: Garbage in snort logs russell (Jan 08)
- Re: Garbage in snort logs Martin Roesch (Jan 08)
- Re: Garbage in snort logs Martin Roesch (Jan 08)
- Re: Garbage in snort logs Andreas Östling (Jan 10)
- "Connnection closed"? (spelled wrong!) Edwin Eefting (Jan 10)
- Re: "Connnection closed"? (spelled wrong!) John Sage (Jan 13)
- Re: Garbage in snort logs Phil Wood (Jan 07)
- Re: Garbage in snort logs Phil Wood (Jan 09)
- Getting an error using -r Ken Pickering (Jan 09)
- Re: Getting an error using -r Ken Pickering (Jan 09)
- CVS version not finding pcap includes Bob Van Cleef (Jan 09)
- Re: Garbage in snort logs Frank (Jan 10)
- Re: Re: Garbage in snort logs Martin Roesch (Jan 10)
- Re: Re: Garbage in snort logs Martin Roesch (Jan 10)