Snort mailing list archives

Re: HTTP Protocol Analysis


From: Sonika Malhotra <sonikam () magnum barc ernet in>
Date: Fri, 14 May 2004 17:54:14 +0530



The /etc/hosts file of the proxy-server consists of 2 entries

1. loopback-ip    localhost

2. Internal-Interface-ip    host-name

There are no other entries. How would the host file entries cause the redirection? Can you please elaborate?
Thanks.


Harper, Patrick wrote:

Have you checked the hosts file on the systems?

Patrick S. Harper | CISSP RHCT MCSE
Information Security Engineer
patrick.harper () phns com

-----Original Message-----
From: Sonika Malhotra [mailto:sonikam () magnum barc ernet in]
Sent: Friday, May 14, 2004 12:34 AM
To: snort-users
Subject: [Snort-users] HTTP Protocol Analysis

Hello List,

I faced a recurrent problem in my network that any request to
www.google.com, www.rediff.com, etc. was getting redirected to
www.coolsavings.com.

So the HTTP traffic dump was taken using Snort (logger mode of Snort).

The following was found in the HTTP session dump and it can be observed
that the reply packet had extra appended tags as follows

... rediff Page contents....
<HTML>
<META HTTP-EQUIV=Refresh Content="0; URL=http://www.coolsavings.com";>
</HTML>

Now this page is cached at our proxy and so all the requests are
redirected to new url.

When we disable the caching at proxy the problem is taken care of, but
the mechanism of doing this is still not known.

I shall be grateful if anybody can explain this process.

Regards
Sonika





-------------------------------------------------------
This SF.Net email is sponsored by: SourceForge.net Broadband Sign-up now
for SourceForge Broadband and get the fastest
6.0/768 connection for only $19.95/mo for the first 3 months!
http://ads.osdn.com/?ad_id=2562&alloc_id=6184&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users














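A check that could be run over captured or cached response bodies for the pattern in the dump above: a meta refresh that points at a different site, flagged when it sits after the page's own closing tag. This is an added example, not part of the original thread; the function names, the two-label site comparison and the sample bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# <meta http-equiv=refresh content="N; url=...">, quotes optional, any case
META_REFRESH = re.compile(
    r"<meta\b[^>]*http-equiv\s*=\s*[\"']?refresh\b[^>]*>", re.I)
REFRESH_URL = re.compile(r"url\s*=\s*[\"']?([^\"'\s>;]+)", re.I)
HTML_CLOSE = re.compile(r"</html\s*>", re.I)


def site_key(host):
    """Crude site key: last two labels (assumption; no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def foreign_refreshes(request_host, body):
    """Return meta-refresh tags in body that point away from request_host."""
    first_close = HTML_CLOSE.search(body)
    doc_end = first_close.end() if first_close else len(body)
    findings = []
    for tag in META_REFRESH.finditer(body):
        m = REFRESH_URL.search(tag.group(0))
        if not m:
            continue  # refresh without a URL only reloads the same page
        target_host = urlsplit(m.group(1)).hostname
        if not target_host or site_key(target_host) == site_key(request_host):
            continue  # relative, scheme-less or same-site target
        findings.append({
            "target": m.group(1),
            # True when the tag follows the document's first </html>
            "after_document_end": tag.start() >= doc_end,
        })
    return findings


# Constructed sample bodies (not real captures).
SAMPLE_TAMPERED = (
    '<html><body>rediff page contents</body></html>\n<HTML>\n'
    '<META HTTP-EQUIV=Refresh Content="0; URL=http://www.coolsavings.com";>\n'
    '</HTML>')
SAMPLE_CLEAN = (
    '<html><head><meta http-equiv="refresh" '
    'content="300; url=http://news.rediff.com/"></head>'
    '<body>ok</body></html>')

if __name__ == "__main__":
    print(foreign_refreshes("www.rediff.com", SAMPLE_TAMPERED))
    print(foreign_refreshes("www.rediff.com", SAMPLE_CLEAN))
```

A hit with `after_document_end` set on an object served from the proxy cache is a reason to purge that object and compare it with a fresh copy fetched directly from the origin.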