Snort mailing list archives
Re: A weird packet..... perhaps a bug?
From: "Kenneth G. Arnold" <bkarnold () cbu edu>
Date: Mon, 3 Feb 2003 08:16:40 -0600 (CST)
I haven't seen this specifically, but I have seen strange things happening similar to this. I have a local rule set up looking for ftp activity on ports other than 21/20. Our mail server occasionally triggers this rule on port 25. Examination of the packet shows definite ftp activity on a machine that has an smtp server, not an ftp server, on port 25.

Ken

On Sun, 2 Feb 2003, Frank Knobbe wrote:
I recently caught the packet below with Snort 1.9 compiled Jan 29 from CVS. It lists some weird content. The upper half looks like a valid HTTP request (I verified that that image exists and is indeed called from the referring page). The bottom half looks like a snippet from an email, which would explain why this packet triggered on port 25.

Has anyone seen a similar mangled packet? Is there a bug in Snort where the packet buffer gets overwritten half-way?

Thanks,
Frank

[**] P2P GNUTella GET [**]
01/31-14:05:51.391716 x.x.x.x:3397 -> 64.75.1.245:25
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:701
***AP*** Seq: 0xD2CFAF7D  Ack: 0x9A3207E  Win: 0x60F4  TcpLen: 20
47 45 54 20 2F 69 6D 61 67 65 73 2F 67 6C 6F 62  GET /images/glob
61 6C 2F 6D 61 73 74 68 65 61 64 2F 74 61 62 5F  al/masthead/tab_
66 6C 73 2E 67 69 66 20 48 54 54 50 2F 31 2E 30  fls.gif HTTP/1.0
0D 0A 56 69 61 3A 20 31 2E 30 20 4C 4F 56 45 42  ..Via: 1.0 LOVEB
4F 41 54 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A  OAT..User-Agent:
20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F   Mozilla/4.0 (co
6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 35  mpatible; MSIE 5
2E 35 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 34  .5; Windows NT 4
2E 30 29 0D 0A 48 6F 73 74 3A 20 64 69 2E 64 65  .0)..Host: di.de
6C 6C 2E 63 6F 6D 0D 0A 41 63 63 65 70 74 3A 20  ll.com..Accept:
2A 2F 2A 0D 0A 52 65 66 65 72 65 72 3A 20 68 74  */*..Referer: ht
74 70 3A 2F 2F 77 77 77 2E 64 65 6C 6C 2E 63 6F  tp://www.dell.co
6D 2F 75 73 2F 65 6E 2F 64 68 73 2F 74 6F 70 69  m/us/en/dhs/topi
63 73 2F 73 65 67 74 6F 70 69 63 5F 72 65 62 61  cs/segtopic_reba
74 65 73 2E 68 74 6D 0D 0A 41 63 63 65 70 74 2D  tes.htm..Accept-
4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 20 20 20  Language: en-

Up till here it appears to be the top of a web request for a web page image. The image name is valid and is indeed linked from the referrer. But what follows appears to be an email fragment. Note the destination port on top being 25.
20 77 6F 75 6C 64 20 xx xx xx xx xx 20 68 61 76   would xxxxx hav
65 20 74 6F 20 70 75 72 63 68 61 73 65 20 4B 6E  e to purchase Kn
6F 77 6C 65 64 67 65 20 42 61 73 65 20 66 6F 72  owledge Base for
20 69 74 73 20 65 6E 74 69 72 65 20 63 6F 72 70   its entire corp
6F 72 61 74 65 20 0D 0A 20 20 20 20 6C 69 63 65  orate ..    lice
6E 73 65 3F 20 28 49 66 20 73 6F 2C 20 63 61 6E  nse? (If so, can
20 79 6F 75 20 67 69 76 65 20 6D 65 20 61 6E 20   you give me an
69 64 65 61 20 6F 66 20 74 6F 74 61 6C 20 63 6F  idea of total co
73 74 20 6F 72 20 63 6F 73 74 20 74 6F 20 xx xx  st or cost to xx
xx xx xx xx xx xx xx 20 0D 0A 20 20 20 20 61 6E  xxxxxxx ..    an
64 20 6C 69 6B 65 6C 69 68 6F 6F 64 20 6F 66 20  d likelihood of
74 68 65 20 63 6F 6D 70 61 6E 79 20 64 6F 69 6E  the company doin
67 20 74 68 61 74 3F 29 3C 2F 46 4F 4E 54 3E 3C  g that?)</FONT><
2F 50 3E 0D 0A 20 20 20 20 3C 50 3E 3C 46 4F 4E  /P>..    <P><FON
54 20 73 69 7A 65 3D 32 3E 54 68 69 72 64 2C 20  T size=2>Third,
69 66 20 77 65 20 61 72 65 20 6F 70 65 72 61 74  if we are operat
69 6E 67 20 xx xx xx xx xx xx 20 6F 75 74 20 6F  ing xxxxxx out o
66 20 74 68 65 20 44 4D 5A 2C 20 77 6F 75 6C 64  f the DMZ, would
20 77 65 20 0D 0A 20 20 20 20 64 65 66 69 6E 69   we ..    defini
74 65 6C 79 20 62 65 20 61 62 6C 65 20 74 6F 20  tely be able to
73 68 61 72 65 20 61 70 70 6C 69 63 61 74 69 6F  share applicatio
6E 73 20 28 77 65 20 77 61 6E 74 20 74 6F 20 73  ns (we want to s
68 61 72 65 20 74 68 65 69 72 73 2C 20 6E 6F 74  hare theirs, not
20 68 61 76 65 20 0D 0A 20 20 20 20 74 68 65 6D   have ..    them
20 73 68 61 72 65 20 6F 75 72 73 20 73 6F 20 64   share ours so d
69 73 61 62 6C                                    isabl

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
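As an added example (not from the thread or from Snort itself), a small Python checker for the kind of dump Frank posted: it parses Snort's -d hex/ASCII rows back into bytes, lets you compare the payload length with DgmLen minus the IP and TCP header lengths, and reports the offset at which the payload stops parsing as an HTTP/1.x request head and whether that head was ever closed by an empty line. The embedded alert is a constructed excerpt of the one above (16 HTTP rows plus the first 5 e-mail rows, DgmLen adjusted to match); the function names are my own.

```python
import re
from itertools import takewhile
# Constructed excerpt of the Snort -d alert quoted above: the 16 HTTP rows plus the first
# 5 e-mail rows. DgmLen is adjusted to 376 (20 IP + 20 TCP + 336 payload) to stay consistent.
ALERT = """\
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:376
***AP*** Seq: 0xD2CFAF7D Ack: 0x9A3207E Win: 0x60F4 TcpLen: 20
47 45 54 20 2F 69 6D 61 67 65 73 2F 67 6C 6F 62  GET /images/glob
61 6C 2F 6D 61 73 74 68 65 61 64 2F 74 61 62 5F  al/masthead/tab_
66 6C 73 2E 67 69 66 20 48 54 54 50 2F 31 2E 30  fls.gif HTTP/1.0
0D 0A 56 69 61 3A 20 31 2E 30 20 4C 4F 56 45 42  ..Via: 1.0 LOVEB
4F 41 54 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A  OAT..User-Agent:
20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F   Mozilla/4.0 (co
6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 35  mpatible; MSIE 5
2E 35 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 34  .5; Windows NT 4
2E 30 29 0D 0A 48 6F 73 74 3A 20 64 69 2E 64 65  .0)..Host: di.de
6C 6C 2E 63 6F 6D 0D 0A 41 63 63 65 70 74 3A 20  ll.com..Accept:
2A 2F 2A 0D 0A 52 65 66 65 72 65 72 3A 20 68 74  */*..Referer: ht
74 70 3A 2F 2F 77 77 77 2E 64 65 6C 6C 2E 63 6F  tp://www.dell.co
6D 2F 75 73 2F 65 6E 2F 64 68 73 2F 74 6F 70 69  m/us/en/dhs/topi
63 73 2F 73 65 67 74 6F 70 69 63 5F 72 65 62 61  cs/segtopic_reba
74 65 73 2E 68 74 6D 0D 0A 41 63 63 65 70 74 2D  tes.htm..Accept-
4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 20 20 20  Language: en-
20 77 6F 75 6C 64 20 xx xx xx xx xx 20 68 61 76   would xxxxx hav
65 20 74 6F 20 70 75 72 63 68 61 73 65 20 4B 6E  e to purchase Kn
6F 77 6C 65 64 67 65 20 42 61 73 65 20 66 6F 72  owledge Base for
20 69 74 73 20 65 6E 74 69 72 65 20 63 6F 72 70   its entire corp
6F 72 61 74 65 20 0D 0A 20 20 20 20 6C 69 63 65  orate ..    lice
"""
HEX = re.compile(r"^([0-9A-F]{2}|xx)$")  # Snort prints uppercase hex; xx = redacted byte

def parse_alert(text):
    """Return ({IpLen, TcpLen, DgmLen}, payload bytes); redacted 'xx' bytes become '?'."""
    fields, payload = {}, bytearray()
    for line in text.splitlines():
        toks = line.split()
        if toks and HEX.match(toks[0]):  # dump row: up to 16 hex bytes, then the ASCII column
            payload += bytes(63 if t == "xx" else int(t, 16) for t in takewhile(HEX.match, toks[:16]))
        else:
            fields.update(re.findall(r"(IpLen|TcpLen|DgmLen):\s*(\d+)", line))
    return {k: int(v) for k, v in fields.items()}, bytes(payload)

def http_extent(payload):
    """(offset where the payload stops parsing as an HTTP/1.x request head, head closed?)."""
    off = 0
    for i, ln in enumerate(payload.split(b"\r\n")):
        pat = rb"^[A-Z]+ \S+ HTTP/1\.[01]$" if i == 0 else rb"^[!-9;-~]+:[ \t]"
        if not re.match(pat, ln):  # a non-header line (or the closing empty line) ends the head
            return off, payload[off:off + 2] == b"\r\n"
        off += len(ln) + 2
    return min(off, len(payload)), False  # data ran out inside the head
```

For the excerpt, the payload length equals DgmLen - IpLen - TcpLen (336), the request head is never closed, and header syntax runs through offset 328, right after the line whose Accept-Language value has absorbed the start of the e-mail text; on the full dump the same check tells you whether the 701-byte datagram really carried 661 payload bytes before you blame the sensor.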
Current thread:
- A weird packet..... perhaps a bug? Frank Knobbe (Feb 02)
- Re: A weird packet..... perhaps a bug? Erek Adams (Feb 03)
- Re: [Snort-devel] A weird packet..... perhaps a bug? Chris Green (Feb 03)
- Re: A weird packet..... perhaps a bug? Kenneth G. Arnold (Feb 03)
- <Possible follow-ups>
- RE: A weird packet..... perhaps a bug? Cornelis, Dirk (BE - Diegem) (Feb 03)