Snort mailing list archives
HTTP session packet capture seems borken
From: Bill McCarty <bmccarty () apu edu>
Date: Tue, 24 Feb 2004 00:07:24 -0800 (PST)
Hi all,

I have a packet capture of an HTTP session that seems broken. In particular, it looks as though Snort may have confused the inbound and outbound streams, tacking one onto the other. However, I can't be certain, since Snort is my only packet capture mechanism for the network involved in the session. Here's the capture:

02/03-07:03:21.875360 62.7.227.98:3010 -> X.XX.XX.43:80
TCP TTL:114 TOS:0x0 ID:15092 IpLen:20 DgmLen:201 DF
***AP*** Seq: 0xD59B3FAD  Ack: 0x28C4DBD6  Win: 0x2180  TcpLen: 20
48 45 41 44 20 2F 5F 76 74 69 5F 70 76 74 2F 2E  HEAD /_vti_pvt/.
25 32 35 32 65 2F 2E 25 32 35 32 65 2F 2E 25 32  %252e/.%252e/.%2
35 32 65 2F 2E 25 32 35 32 65 2F 77 69 6E 6E 74  52e/.%252e/winnt
2F 73 79 73 74 65 6D 33 32 2F 63 6D 64 2E 65 78  /system32/cmd.ex
65 3F 2F 63 2B 64 69 72 3F 2F 63 2B 64 69 72 2B  e?/c+dir?/c+dir+
67 3A 5C 20 48 54 54 50 2F 31 2E 30 0D 0A 48 6F  g:\ HTTP/1.0..Ho
73 74 3A 20 xx 2E xx xx 2E xx xx 2E 34 33 0D 0A  st: X.XX.XX.43..
43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 74 65  Content-Type: te
78 74 2F 68 74 6D 6C 0D 0A 43 6F 6E 74 65 6E 74  xt/html..Content
2D 4C 65 6E 67 74 68 3A 20 33 34 32 36 0D 0A 0D  -Length: 3426...
0A                                               .

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/03-07:03:21.927212 62.7.227.98:3010 -> X.XX.XX.43:80
TCP TTL:114 TOS:0x0 ID:15348 IpLen:20 DgmLen:576 DF
***A**** Seq: 0xD59B404E  Ack: 0x28C4DBD6  Win: 0x2180  TcpLen: 20
3C 21 44 4F 43 54 59 50 45 20 48 54 4D 4C 20 50  <!DOCTYPE HTML P
55 42 4C 49 43 20 22 2D 2F 2F 57 33 43 2F 2F 44  UBLIC "-//W3C//D
54 44 20 48 54 4D 4C 20 33 2E 32 20 46 69 6E 61  TD HTML 3.2 Fina
6C 2F 2F 45 4E 22 3E 0D 0A 3C 68 74 6D 6C 20 64  l//EN">..<html d
69 72 3D 6C 74 72 3E 0D 0A 0D 0A 3C 68 65 61 64  ir=ltr>....<head
3E 0D 0A 3C 73 74 79 6C 65 3E 0D 0A 61 3A 6C 69  >..<style>..a:li
6E 6B 09 09 09 7B 66 6F 6E 74 3A 38 70 74 2F 31  nk...{font:8pt/1
31 70 74 20 76 65 72 64 61 6E 61 3B 20 63 6F 6C  1pt verdana; col
6F 72 3A 46 46 30 30 30 30 7D 0D 0A 61 3A 76 69  or:FF0000}..a:vi
73 69 74 65 64 09 09 7B 66 6F 6E 74 3A 38 70 74  sited..{font:8pt
2F 31 31 70 74 20 76 65 72 64 61 6E 61 3B 20 63  /11pt verdana; c
6F 6C 6F 72 3A 23 34 65 34 65 34 65 7D 0D 0A 3C  olor:#4e4e4e}..<
2F 73 74 79 6C 65 3E 0D 0A 0D 0A 3C 4D 45 54 41  /style>....<META
20 4E 41 4D 45 3D 22 52 4F 42 4F 54 53 22 20 43   NAME="ROBOTS" C
4F 4E 54 45 4E 54 3D 22 4E 4F 49 4E 44 45 58 22  ONTENT="NOINDEX"
3E 0D 0A 0D 0A 3C 74 69 74 6C 65 3E 54 68 65 20  >....<title>The 
70 61 67 65 20 63 61 6E 6E 6F 74 20 62 65 20 64  page cannot be d
69 73 70 6C 61 79 65 64 3C 2F 74 69 74 6C 65 3E  isplayed</title>
0D 0A 0D 0A 3C 4D 45 54 41 20 48 54 54 50 2D 45  ....<META HTTP-E
51 55 49 56 3D 22 43 6F 6E 74 65 6E 74 2D 54 79  QUIV="Content-Ty
70 65 22 20 43 6F 6E 74 65 6E 74 3D 22 74 65 78  pe" Content="tex
74 2D 68 74 6D 6C 3B 20 63 68 61 72 73 65 74 3D  t-html; charset=
57 69 6E 64 6F 77 73 2D 31 32 35 32 22 3E 0D 0A  Windows-1252">..
3C 2F 68 65 61 64 3E 0D 0A 0D 0A 3C 73 63 72 69  </head>....<scri
70 74 3E 20 0D 0A 66 75 6E 63 74 69 6F 6E 20 48  pt> ..function H
6F 6D 65 70 61 67 65 28 29 7B 0D 0A 3C 21 2D 2D  omepage(){..<!--
0D 0A 2F 2F 20 69 6E 20 72 65 61 6C 20 62 69 74  ..// in real bit
73 2C 20 75 72 6C 73 20 67 65 74 20 72 65 74 75  s, urls get retu
72 6E 65 64 20 74 6F 20 6F 75 72 20 73 63 72 69  rned to our scri
70 74 20 6C 69 6B 65 20 74 68 69 73 3A 0D 0A 2F  pt like this:../
2F 20 72 65 73 3A 2F 2F 73 68 64 6F 63 76 77 2E  / res://shdocvw.
64 6C 6C 2F 68 74 74 70 5F 34 30 34 2E 68 74 6D  dll/http_404.htm
23 68 74 74 70 3A 2F 2F 77 77 77 2E 44 6F 63 55  #http://www.DocU
52 4C 2E 63 6F 6D 2F 62                          RL.com/b

I haven't seen many HTTP requests that send DOCTYPE and HTML or JavaScript to the server <g>.

My preprocessor configuration follows:

preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor telnet_decode
preprocessor bo: -nobrute
#preprocessor asn1_decode

My Snort is "Version 2.0.6 (Build 100)," running under a customized Linux distribution.

Thoughts, anyone?

Thanks!

---------------------------------------------------
Bill McCarty
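Added example (not from the post or from Snort): a small Python check of the question the post raises. It parses the two Snort packet headers quoted above and tests whether the second packet's Seq is exactly the first packet's Seq plus its TCP payload length, which is what an in-order continuation from the same sender looks like; it also decodes the request line twice (the double-decoding the post's http_decode line is configured to catch) and notes that a HEAD request declaring a Content-Length is the simplest explanation for HTML following it. The header text is copied from the post; the REQUEST string is transcribed from the first packet's ASCII column.

```python
import re
from urllib.parse import unquote
# Snort packet headers quoted from the post above (X.XX.XX.43 is the poster's masking).
SNORT_HEADERS = """\
02/03-07:03:21.875360 62.7.227.98:3010 -> X.XX.XX.43:80
TCP TTL:114 TOS:0x0 ID:15092 IpLen:20 DgmLen:201 DF
***AP*** Seq: 0xD59B3FAD  Ack: 0x28C4DBD6  Win: 0x2180  TcpLen: 20
02/03-07:03:21.927212 62.7.227.98:3010 -> X.XX.XX.43:80
TCP TTL:114 TOS:0x0 ID:15348 IpLen:20 DgmLen:576 DF
***A**** Seq: 0xD59B404E  Ack: 0x28C4DBD6  Win: 0x2180  TcpLen: 20
"""
# The request as shown in the first packet's ASCII column (transcribed, not captured here).
REQUEST = ("HEAD /_vti_pvt/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe"
           "?/c+dir?/c+dir+g:\\ HTTP/1.0\r\nHost: X.XX.XX.43\r\n"
           "Content-Type: text/html\r\nContent-Length: 3426\r\n\r\n")

HDR_RE = re.compile(
    r"(\S+) (\S+) -> (\S+)\nTCP .*?IpLen:(\d+) DgmLen:(\d+).*?\n"
    r"\S+ Seq: 0x([0-9A-Fa-f]+)\s+Ack: 0x([0-9A-Fa-f]+).*?TcpLen: (\d+)")

def parse_packets(text):
    """Pull src, dst, seq and TCP payload length out of each Snort packet header."""
    pkts = []
    for ts, src, dst, iplen, dgmlen, seq, ack, tcplen in HDR_RE.findall(text):
        pkts.append({"ts": ts, "src": src, "dst": dst, "seq": int(seq, 16),
                     # payload = IP total length - IP header - TCP header
                     "payload": int(dgmlen) - int(iplen) - int(tcplen)})
    return pkts

def check_continuity(pkts):
    """For each consecutive pair, report (expected_seq, actual_seq, ok): ok means the
    second packet is the same sender's next in-order segment, not a swapped stream."""
    report = []
    for a, b in zip(pkts, pkts[1:]):
        same_dir = (a["src"], a["dst"]) == (b["src"], b["dst"])
        expected = (a["seq"] + a["payload"]) & 0xFFFFFFFF
        report.append((expected, b["seq"], same_dir and expected == b["seq"]))
    return report

def analyze_request(raw):
    """Decode the request target twice (what IIS 'double decode' amounts to) and flag
    traversal and a declared body, which a HEAD request normally never carries."""
    head, _, _ = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    headers = dict(h.split(": ", 1) for h in header_lines)
    path = unquote(unquote(target.split("?", 1)[0]))
    return {"method": method, "decoded_path": path, "traversal": "/../" in path,
            "body_declared": int(headers.get("Content-Length", 0))}
```

With the post's numbers, the first packet carries 201 - 20 - 20 = 161 bytes and 0xD59B3FAD + 161 = 0xD59B404E, so the HTML segment is the client's own continuation (the body its Content-Length: 3426 announced), not the server's reply spliced in.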