Snort mailing list archives
HELP! Is snort combining packets??
From: "Sheahan, Paul" <Paul.Sheahan () priceline com>
Date: Fri, 14 Nov 2003 15:39:34 -0500
I'm using Red Hat Linux 7.0 and Snort 1.9.0. Yes, I know I need to upgrade, but I want to know if anyone has seen this before anyway. IP addresses in the sample packet below are masked, though this was a packet from a system on the Internet to a public web server. Notice the packet has multiple "GET /" statements, and has multiple User-Agent headers, and multiple SITESERVER headers etc. It looks like a bunch of packets mangled together. Because of this, it appears a source address on the Internet is sending information they normally wouldn't send or have knowledge of. We see this kind of "mangling" happen randomly and it causes Snort to set off alerts when there probably shouldn't be. Has anyone else ever seen this before? Maybe something wrong with packet reassembly? Please help.

Thanks,
Paul

Sample packet from Snort capture:

11/13-01:28:15.460643 x.x.x.x:40473 -> webserver:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1262
***AP*** Seq: 0xFC454D55 Ack: 0xCEB1D377 Win: 0x40B0 TcpLen: 20
GET /images/global/path_tabs_02.gif HTTP/1.1..Accept: */*..Refer
er: http://www.server.com/travel/airlines/lang/en-us/itinerar
y.asp?session_key=x0x0x1xCx1x0x1xCx0x3x1x3x6x3x8x5x5x0x9xx37&plf
=comp&Refid=PLGOTO&RefClickID=A5046..Accept-Language: ko..Accept
-Encoding: gzip, deflate..User-Agent: Mozilla/4.0 (compatible; M
SIE 6.0; Windows NT 5.1)..Host: www.server.com..Connection: K
eep-Alive..Cookie: SITESERVER=ID=56437973b4938389893628809bbcc7b
6; Referral=ClickID1=A5046&ProductID1=1&SourceID1=PL&WebEntryTim
e1=11%2F13%2F2003+1%3A34%3A39&ID1=GOTO; PSessKey=410011AC420011A
C20031113063439759500498401....ebEntryTime1=11%2F13%2F2003+1%3A3
3%3A29&ID1=GOTO&ProductID1=1&SourceID1=PL; PSessKey=400011AC4100
11AC20031113063328757500490337....XXXXGET /imagesGET /images/cus
tService.gif HTTP/1.1..Accept: */*..Referer: http://www.server2.com/airlines/default.asp?refid=PALOWESGET /images/hp/jamaica_
breezes.gif HTTP/1.1..User-Agent: Mozilla/4.0 (compatible; MSIE
5.5; Windows NT)..Accept: */*..Host: www.server.com..Cookie: SITESERVER=ID=4cc1b75091c61f1dacda993d625554
d7; PSessKey=x1x0x1xCx2x0x1xCx0x3x1x3x6x4x6x4x6x0x3x8x1..Pragma:
No-Cache....ne.com..Connection: Keep-Alive..Cookie: SITESERVER=
ID=06e
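One triage check for a dump like the one above, added here as an example (it is not code from the post or from Snort): it cuts the ASCII payload at every well-formed HTTP request line and reports whether the logged bytes came from more than one client message, which is the first thing to establish before treating the source address as anomalous. The payload string is a constructed, shortened version of the post's dump with the same structure.

```python
import re
from collections import Counter

# Constructed sample in the style of the post's Snort -d dump (hosts masked,
# cookies shortened). Snort prints non-printable bytes as '.', so each CRLF
# shows up as '..' and the end of a header block as '....'.
SAMPLE_PAYLOAD = (
    "GET /images/global/path_tabs_02.gif HTTP/1.1..Accept: */*.."
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1).."
    "Host: www.server.com..Connection: Keep-Alive.."
    "Cookie: SITESERVER=ID=5643; PSessKey=4100....ebEntryTime1=1; PSessKey=4000...."
    "XXXXGET /imagesGET /images/custService.gif HTTP/1.1..Accept: */*.."
    "Referer: http://www.server2.com/airlines/default.asp?refid=PALOWES"
    "GET /images/hp/jamaica_breezes.gif HTTP/1.1.."
    "User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)..Accept: */*.."
    "Host: www.server.com..Cookie: SITESERVER=ID=4cc1..Pragma: No-Cache...."
    "ne.com..Connection: Keep-Alive..Cookie: SITESERVER=ID=06e"
)

REQUEST_LINE = re.compile(r"(?:GET|POST|HEAD) /\S* HTTP/1\.[01]")
HEADER = re.compile(r"^([A-Za-z-]+): (.*)$")

def split_requests(payload):
    """Cut the dotted payload at every well-formed HTTP request line.

    Returns a list of (request_line, headers), where headers is a list of
    (name, value) pairs parsed from the segment's '..'-separated lines.
    Tokens that are not 'Name: value' (cookie tails, fused junk such as
    'XXXXGET /images') are ignored. Splitting on '..' is a heuristic: a
    literal '..' inside a value would be cut as well.
    """
    starts = [m.start() for m in REQUEST_LINE.finditer(payload)]
    requests = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(payload)
        lines = re.split(r"\.\.+", payload[start:end])
        headers = [m.groups() for m in map(HEADER.match, lines[1:]) if m]
        requests.append((lines[0], headers))
    return requests

def triage(payload):
    """Summarise why one logged 'packet' may really be several requests."""
    requests = split_requests(payload)
    agents = {v for _, hdrs in requests for n, v in hdrs if n == "User-Agent"}
    dup = set()
    for _, hdrs in requests:
        dup |= {n for n, c in Counter(n for n, _ in hdrs).items() if c > 1}
    return {
        "requests": len(requests),
        "user_agents": len(agents),
        "duplicate_headers": dup,
        # More than one request line, or one request carrying a repeated
        # header, means the bytes span several client messages: check
        # stream reassembly before blaming the source host.
        "coalesced": len(requests) > 1 or bool(dup),
    }
```

On the sample this reports three request lines, two distinct User-Agent values and a repeated Cookie header in the last request, which is exactly the pattern the post describes.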