Snort mailing list archives

Re: A weird packet..... perhaps a bug?


From: "Kenneth G. Arnold" <bkarnold () cbu edu>
Date: Mon, 3 Feb 2003 08:16:40 -0600 (CST)

I haven't seen this specifically but I have seen strange things happening
similar to this.  I have a local rule set up looking for ftp activity on
ports other than 21/20.  Our mail server occasionally triggers this rule
on port 25.  Examination of the packet shows definite ftp activity on a
machine that has an smtp server not an ftp server on port 25.
Ken

On Sun, 2 Feb 2003, Frank Knobbe wrote:

I recently caught the packet below with Snort 1.9 compiled Jan 29 from
CVS. It lists some weird content. The upper half looks like a valid HTTP
request (I verified that that image exists and is indeed called from
the referring page). The bottom half looks like a snippet from an email,
which would explain why this packet triggered on port 25.

Has anyone seen a similar mangled packet? Is there a bug in Snort where
the packet buffer gets overwritten half-way?

Thanks,
Frank



[**] P2P GNUTella GET [**]
01/31-14:05:51.391716 x.x.x.x:3397 -> 64.75.1.245:25
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:701
***AP*** Seq: 0xD2CFAF7D  Ack: 0x9A3207E  Win: 0x60F4  TcpLen: 20
47 45 54 20 2F 69 6D 61 67 65 73 2F 67 6C 6F 62  GET /images/glob
61 6C 2F 6D 61 73 74 68 65 61 64 2F 74 61 62 5F  al/masthead/tab_
66 6C 73 2E 67 69 66 20 48 54 54 50 2F 31 2E 30  fls.gif HTTP/1.0
0D 0A 56 69 61 3A 20 31 2E 30 20 4C 4F 56 45 42  ..Via: 1.0 LOVEB
4F 41 54 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A  OAT..User-Agent:
20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F   Mozilla/4.0 (co
6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 35  mpatible; MSIE 5
2E 35 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 34  .5; Windows NT 4
2E 30 29 0D 0A 48 6F 73 74 3A 20 64 69 2E 64 65  .0)..Host: di.de
6C 6C 2E 63 6F 6D 0D 0A 41 63 63 65 70 74 3A 20  ll.com..Accept:
2A 2F 2A 0D 0A 52 65 66 65 72 65 72 3A 20 68 74  */*..Referer: ht
74 70 3A 2F 2F 77 77 77 2E 64 65 6C 6C 2E 63 6F  tp://www.dell.co
6D 2F 75 73 2F 65 6E 2F 64 68 73 2F 74 6F 70 69  m/us/en/dhs/topi
63 73 2F 73 65 67 74 6F 70 69 63 5F 72 65 62 61  cs/segtopic_reba
74 65 73 2E 68 74 6D 0D 0A 41 63 63 65 70 74 2D  tes.htm..Accept-
4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 20 20 20  Language: en-


Up until here it appears to be the top of a web request for a
web page image. The image name is valid and is indeed linked
from the referrer. But what follows appears to be an email
fragment. Note the destination port on top being 25.

20 77 6F 75 6C 64 20 xx xx xx xx xx 20 68 61 76   would xxxxx hav
65 20 74 6F 20 70 75 72 63 68 61 73 65 20 4B 6E  e to purchase Kn
6F 77 6C 65 64 67 65 20 42 61 73 65 20 66 6F 72  owledge Base for
20 69 74 73 20 65 6E 74 69 72 65 20 63 6F 72 70   its entire corp
6F 72 61 74 65 20 0D 0A 20 20 20 20 6C 69 63 65  orate ..    lice
6E 73 65 3F 20 28 49 66 20 73 6F 2C 20 63 61 6E  nse? (If so, can
20 79 6F 75 20 67 69 76 65 20 6D 65 20 61 6E 20   you give me an
69 64 65 61 20 6F 66 20 74 6F 74 61 6C 20 63 6F  idea of total co
73 74 20 6F 72 20 63 6F 73 74 20 74 6F 20 xx xx  st or cost to xx
xx xx xx xx xx xx xx 20 0D 0A 20 20 20 20 61 6E  xxxxxxx ..    an
64 20 6C 69 6B 65 6C 69 68 6F 6F 64 20 6F 66 20  d likelihood of
74 68 65 20 63 6F 6D 70 61 6E 79 20 64 6F 69 6E  the company doin
67 20 74 68 61 74 3F 29 3C 2F 46 4F 4E 54 3E 3C  g that?)</FONT><
2F 50 3E 0D 0A 20 20 20 20 3C 50 3E 3C 46 4F 4E  /P>..    <P><FON
54 20 73 69 7A 65 3D 32 3E 54 68 69 72 64 2C 20  T size=2>Third,
69 66 20 77 65 20 61 72 65 20 6F 70 65 72 61 74  if we are operat
69 6E 67 20 xx xx xx xx xx xx 20 6F 75 74 20 6F  ing xxxxxx out o
66 20 74 68 65 20 44 4D 5A 2C 20 77 6F 75 6C 64  f the DMZ, would
20 77 65 20 0D 0A 20 20 20 20 64 65 66 69 6E 69   we ..    defini
74 65 6C 79 20 62 65 20 61 62 6C 65 20 74 6F 20  tely be able to
73 68 61 72 65 20 61 70 70 6C 69 63 61 74 69 6F  share applicatio
6E 73 20 28 77 65 20 77 61 6E 74 20 74 6F 20 73  ns (we want to s
68 61 72 65 20 74 68 65 69 72 73 2C 20 6E 6F 74  hare theirs, not
20 68 61 76 65 20 0D 0A 20 20 20 20 74 68 65 6D   have ..    them
20 73 68 61 72 65 20 6F 75 72 73 20 73 6F 20 64   share ours so d
69 73 61 62 6C                                   isabl

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
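Added example, not code from this thread, from Snort, or from either poster's rule set: a small Python script that parses the hexdump format of the alert quoted above (the "hex  ASCII" lines Snort prints with -d), checks whether the application protocol seen in the payload matches the service normally expected on the destination port (the generalisation of Ken's "ftp on a port other than 21/20" rule, here applied to HTTP on port 25), and reports the byte offset at which the HTTP request stops being HTTP. The embedded sample is a constructed excerpt: its first three hexdump lines are taken from the post, the remaining lines are made up to keep it short, and the "xx" redactions and "x.x.x.x" source address are reproduced as the poster masked them. The port-to-protocol table is an assumption for illustration.

```python
"""Parse a Snort alert hexdump and check payload protocol against destination port.

Added example for this thread; not Snort's own code and not the posters' rules."""
import re
from typing import Dict, Optional, Tuple

# Constructed excerpt in the format of the alert quoted above. The first three
# hexdump lines are the post's; the rest are made up to keep the sample short.
# "xx" tokens are the poster's redactions, "x.x.x.x" the masked source address.
SAMPLE_ALERT = """\
[**] P2P GNUTella GET [**]
01/31-14:05:51.391716 x.x.x.x:3397 -> 64.75.1.245:25
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:701
***AP*** Seq: 0xD2CFAF7D  Ack: 0x9A3207E  Win: 0x60F4  TcpLen: 20
47 45 54 20 2F 69 6D 61 67 65 73 2F 67 6C 6F 62  GET /images/glob
61 6C 2F 6D 61 73 74 68 65 61 64 2F 74 61 62 5F  al/masthead/tab_
66 6C 73 2E 67 69 66 20 48 54 54 50 2F 31 2E 30  fls.gif HTTP/1.0
0D 0A 48 6F 73 74 3A 20 64 69 2E 64 65 6C 6C 2E  ..Host: di.dell.
63 6F 6D 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 67  com..Accept-Lang
75 61 67 65 3A 20 65 6E 2D 20 20 20 20 77 6F 75  uage: en-    wou
6C 64 20 xx xx xx xx xx 20 68 61 76 65 20 0D 0A  ld xxxxx have ..
20 20 20 20 6C 69 63 65 6E 73 65 3F 20 28 49 66      license? (If
"""

# "<timestamp> <src>:<sport> -> <dst>:<dport>" line of the alert header.
ADDR_LINE = re.compile(r"^\S+ (\S+):(\d+) -> (\S+):(\d+)$")
# A hexdump line: space-separated hex pairs (or "xx" redactions), then the
# ASCII column after at least two spaces; the ASCII column is ignored.
HEX_LINE = re.compile(r"^((?:[0-9A-Fa-f]{2}|xx)(?: (?:[0-9A-Fa-f]{2}|xx))*)(?:\s{2,}.*)?$")
REDACTED = 0x78  # substitute 'x' for "xx" so offsets stay aligned with the dump

REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
SMTP_CMD = re.compile(rb"^(HELO|EHLO|MAIL FROM:|RCPT TO:|DATA|QUIT)", re.IGNORECASE)
FTP_CMD = re.compile(rb"^(USER|PASS|RETR|STOR|PASV|PORT|LIST) ")
HEADER_FIELD = re.compile(rb"^[A-Za-z][A-Za-z0-9-]*: ")

# Assumed port map for the illustration: ports on which each protocol is expected.
EXPECTED_PORTS: Dict[str, set] = {"ftp": {20, 21}, "smtp": {25}, "http": {80, 8080}}


def parse_alert(text: str) -> Tuple[Optional[int], Optional[int], bytes]:
    """Return (src_port, dst_port, payload) reconstructed from an alert hexdump."""
    src_port = dst_port = None
    payload = bytearray()
    for line in text.splitlines():
        m = ADDR_LINE.match(line)
        if m:
            src_port, dst_port = int(m.group(2)), int(m.group(4))
            continue
        m = HEX_LINE.match(line)
        if m:
            for tok in m.group(1).split():
                payload.append(REDACTED if tok == "xx" else int(tok, 16))
    return src_port, dst_port, bytes(payload)


def classify(payload: bytes) -> str:
    """Guess the application protocol from the first bytes of the payload."""
    if REQUEST_LINE.match(payload):
        return "http"
    if SMTP_CMD.match(payload):
        return "smtp"
    if FTP_CMD.match(payload):
        return "ftp"
    return "unknown"


def port_mismatch(dst_port: Optional[int], payload: bytes) -> Optional[str]:
    """Describe a protocol/port mismatch, or None when the pairing is expected."""
    proto = classify(payload)
    if proto == "unknown" or dst_port in EXPECTED_PORTS[proto]:
        return None
    return f"{proto} request to port {dst_port} (expected one of {sorted(EXPECTED_PORTS[proto])})"


def first_foreign_offset(payload: bytes) -> Optional[int]:
    """Offset of the first CRLF-delimited line after the request line that is
    not an HTTP header field; None if the headers end cleanly or it is not HTTP."""
    if not REQUEST_LINE.match(payload):
        return None
    offset = payload.index(b"\r\n") + 2
    for line in payload[offset:].split(b"\r\n"):
        if line == b"":  # empty line ends the headers: request is structurally complete
            return None
        if not HEADER_FIELD.match(line):
            return offset
        offset += len(line) + 2
    return None


def analyze(text: str) -> dict:
    """Run the three checks over one alert and collect the findings."""
    _, dst_port, payload = parse_alert(text)
    return {
        "dst_port": dst_port,
        "payload_len": len(payload),
        "protocol": classify(payload),
        "mismatch": port_mismatch(dst_port, payload),
        "foreign_offset": first_foreign_offset(payload),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_ALERT).items():
        print(f"{key}: {value}")
```

On the sample this reports an HTTP request sent to port 25 and puts the first non-header line at byte 112, which is the point in the constructed excerpt where the email-looking text begins on its own line; run over the full dump from the post, the same check would flag the first indented line of the mail fragment. The parser is what makes the check reusable: once the dump is back in bytes, the same offset arithmetic can be applied to any alert whose payload looks spliced.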