Snort mailing list archives

HELP! Is snort combining packets??


From: "Sheahan, Paul" <Paul.Sheahan () priceline com>
Date: Fri, 14 Nov 2003 15:39:34 -0500


I'm using Red Hat Linux 7.0 and Snort 1.9.0. Yes, I know I need to upgrade, but I want to know if anyone has seen this before anyway:

IP addresses in the sample packet below are masked, though this was a packet from a system on the Internet to a public web server. Notice the packet has multiple "GET /" statements, multiple User-Agent headers, multiple SITESERVER headers, etc. It looks like a bunch of packets mangled together. Because of this, it appears a source address on the Internet is sending information it normally wouldn't send or have knowledge of. We see this kind of "mangling" happen randomly, and it causes Snort to set off alerts when there probably shouldn't be any.

Has anyone else ever seen this before? Maybe something wrong with packet reassembly? Please help.

Thanks,
Paul


Sample packet from Snort capture:

        11/13-01:28:15.460643 x.x.x.x:40473 -> webserver:80
        TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1262
        ***AP*** Seq: 0xFC454D55  Ack: 0xCEB1D377  Win: 0x40B0  TcpLen: 20
        GET /images/global/path_tabs_02.gif HTTP/1.1..Accept: */*..Refer
        er: http://www.server.com/travel/airlines/lang/en-us/itinerar
        y.asp?session_key=x0x0x1xCx1x0x1xCx0x3x1x3x6x3x8x5x5x0x9xx37&plf
        =comp&Refid=PLGOTO&RefClickID=A5046..Accept-Language: ko..Accept  
        -Encoding: gzip, deflate..User-Agent: Mozilla/4.0 (compatible; M
        SIE 6.0; Windows NT 5.1)..Host: www.server.com..Connection: K
        eep-Alive..Cookie: SITESERVER=ID=56437973b4938389893628809bbcc7b
        6; Referral=ClickID1=A5046&ProductID1=1&SourceID1=PL&WebEntryTim
        e1=11%2F13%2F2003+1%3A34%3A39&ID1=GOTO; PSessKey=410011AC420011A
        C20031113063439759500498401....ebEntryTime1=11%2F13%2F2003+1%3A3
        3%3A29&ID1=GOTO&ProductID1=1&SourceID1=PL; PSessKey=400011AC4100
        11AC20031113063328757500490337....XXXXGET /imagesGET /images/cus
        tService.gif HTTP/1.1..Accept: */*..Referer: http://www.server2.com/airlines/default.asp?refid=PALOWESGET /images/hp/jamaica_
        breezes.gif HTTP/1.1..User-Agent: Mozilla/4.0 (compatible; MSIE 
        5.5; Windows NT)..Accept: */*..Host: www.server.com..Cookie: SITESERVER=ID=4cc1b75091c61f1dacda993d625554
        d7; PSessKey=x1x0x1xCx2x0x1xCx0x3x1x3x6x4x6x4x6x0x3x8x1..Pragma:
         No-Cache....ne.com..Connection: Keep-Alive..Cookie: SITESERVER=  
        ID=06e



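The check a defender would want to run over a capture like the one above: count how many HTTP request lines one TCP payload carries, whether any of them begin mid-line (as "PALOWESGET /images/hp/..." does), and whether the segment mixes more than one User-Agent or SITESERVER session ID. This is an added example, not code from the post or from Snort; the payload below is constructed to mirror the posted dump, with the header names and cookie IDs taken from it.

```python
import re

# Constructed sample payload modelled on the post's capture; Snort's dump
# prints each non-printable byte as '.', so its '..' are the CRLFs here.
COMBINED_SEGMENT = (
    b"GET /images/global/path_tabs_02.gif HTTP/1.1\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Cookie: SITESERVER=ID=56437973b4938389893628809bbcc7b6; PSessKey=x\r\n"
    b"\r\n"
    b"XXXXGET /imagesGET /images/custService.gif HTTP/1.1\r\n"
    b"Referer: http://www.server2.com/airlines/default.asp?refid=PALOWES"
    b"GET /images/hp/jamaica_breezes.gif HTTP/1.1\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)\r\n"
    b"Cookie: SITESERVER=ID=4cc1b75091c61f1dacda993d625554d7; PSessKey=y\r\n"
    b"\r\n"
)
SINGLE_SEGMENT = b"GET /x.gif HTTP/1.1\r\nHost: www.server.com\r\n\r\n"  # normal

REQUEST_LINE = re.compile(rb"(?:GET|POST|HEAD|OPTIONS) /\S* HTTP/1\.[01]\r\n")
METHOD_TOKEN = re.compile(rb"(?:GET|POST|HEAD|OPTIONS) /")
USER_AGENT = re.compile(rb"User-Agent: ([^\r\n]+)")
SITESERVER_ID = re.compile(rb"SITESERVER=ID=([0-9a-f]+)")


def analyse_segment(payload: bytes) -> dict:
    """Summarise the HTTP requests in one TCP payload. A request line is
    'clean' if it starts the payload or follows a CRLF and 'fused' if it
    begins mid-line (like 'PALOWESGET /images/hp/...' in the post), i.e.
    two requests' bytes were joined with no boundary between them."""
    clean = fused = 0
    for m in REQUEST_LINE.finditer(payload):
        if m.start() == 0 or payload[m.start() - 2:m.start()] == b"\r\n":
            clean += 1
        else:
            fused += 1
    return {
        "request_lines": clean + fused,
        "fused_request_lines": fused,
        "method_tokens": len(METHOD_TOKEN.findall(payload)),  # incl. fragments
        "user_agents": sorted(set(USER_AGENT.findall(payload))),
        "siteserver_ids": sorted(set(SITESERVER_ID.findall(payload))),
    }


def looks_combined(summary: dict) -> bool:
    """Several clean request lines alone are legal HTTP/1.1 pipelining, so
    the signal is a fused line or differing User-Agent / session IDs."""
    return (summary["fused_request_lines"] > 0
            or len(summary["user_agents"]) > 1
            or len(summary["siteserver_ids"]) > 1)
```

Running `analyse_segment(COMBINED_SEGMENT)` reports three full request lines, two of them fused, plus a fourth bare "GET /" fragment and two distinct User-Agents and session IDs; the single normal request is not flagged.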