Snort mailing list archives
mismatch.
From: "Ashley Thomas" <athomas () cc gatech edu>
Date: Sat, 29 Jun 2002 01:30:35 -0400
I see a small mismatch while analysing the WEB-IIS cmd.exe alert. The packet log in snort has:

[**] WEB-IIS cmd.exe access [**]
06/29-04:51:50.373173 144.75.187.54:2218 -> A.B.C.D:80
TCP TTL:113 TOS:0x0 ID:30233 IpLen:20 DgmLen:99 DF
***AP*** Seq: 0x47D90438  Ack: 0xB49599E3  Win: 0x4470  TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
35 63 25 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79  5c%5c../winnt/sy
73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F  stem32/cmd.exe?/
63 2B 64 69 72 0D 0A                             c+dir..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

While I view the same packet through tcpdump or ethereal I see:
<only the http part>

47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
32 35 35 63 25 32 35 35 63 2E 2E 2F 77 69 6E 6E  255c%255c../winn
74 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64 2E 65  t/system32/cmd.e
78 65 3F 2F 63 2B 64 69 72 0D 0A                 xe?/c+dir..

--
In the original packet it was 255c%255c% but when snort logs it logs only 5c%5c%
Is this because of some decoding that happens like http or unicode ?

thanks
ashley

------------------------------------------------------------------------
What I do today is important because I am paying a day of my life for it.
------------------------------------------------------------------------
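An added example, not from the post and not Snort's own code, that reproduces the mismatch: one %XX decoding pass over the on-the-wire request yields exactly the bytes Snort logged, and a second pass yields the backslash traversal the web server itself would act on. The request bytes are constructed from the two hex dumps quoted above; the function names and the MAX_PASSES bound are assumptions.

```python
import re
from typing import Tuple

# Constructed from the hex dumps quoted in the post: the request as seen on the
# wire (tcpdump/ethereal) and the same request as Snort logged it.
WIRE_REQUEST = b"GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir\r\n"
SNORT_LOGGED = b"GET /scripts/..%5c%5c../winnt/system32/cmd.exe?/c+dir\r\n"

MAX_PASSES = 4  # bound on repeated decoding so crafted input cannot make us loop
_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")

def percent_decode_once(data: bytes) -> bytes:
    """One pass of %XX decoding; malformed escapes are left untouched.
    '%255c' becomes '%5c' here, which is exactly the form in the Snort log."""
    return _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def percent_decode_fully(data: bytes) -> Tuple[bytes, int]:
    """Decode until the bytes stop changing (bounded). Returns (bytes, passes)."""
    passes = 0
    while passes < MAX_PASSES:
        nxt = percent_decode_once(data)
        if nxt == data:
            break
        data, passes = nxt, passes + 1
    return data, passes

def request_target(http: bytes) -> bytes:
    """Request-target of the request line ('GET <target> ...')."""
    return http.split(b" ", 2)[1]

def hidden_backslash_traversal(http: bytes) -> Tuple[bool, int]:
    """Detection helper: does '..\\' appear in the request-target once it is
    canonicalised, and how many decode passes were needed to expose it?
    Inspecting only raw bytes, or only one decode pass, never sees the '%255c' form."""
    target = request_target(http)
    for passes in range(MAX_PASSES + 1):
        if b"..\\" in target:
            return True, passes
        nxt = percent_decode_once(target)
        if nxt == target:
            return False, passes
        target = nxt
    return False, MAX_PASSES

if __name__ == "__main__":
    print("one pass :", percent_decode_once(WIRE_REQUEST))
    print("full     :", percent_decode_fully(WIRE_REQUEST))
    print("traversal:", hidden_backslash_traversal(WIRE_REQUEST))
```

The "cmd.exe" content match fires on every form, which is why the alert still triggered; a rule keyed on the backslash traversal would only fire after normalising the request-target to its canonical form.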
Current thread:
- mismatch. Ashley Thomas (Jun 28)
- Re: mismatch. Ryan Russell (Jun 29)