Security Incidents mailing list archives

Re: Odd string in packet...


From: Frank de Lange <secf-frank () unternet org>
Date: Fri, 25 Jan 2002 18:01:23 +0100

On Fri, Jan 25, 2002 at 08:51:54AM -0500, Grimes, Shawn (NIA/IRP) wrote:
> This may be normal but who knows.  I picked up the following alert today:
> ...
> 220 : 7D 7C 7C 7C 7B 7B 7B 7A 7A 7A 79 79 79 78 78 78   }|||{{{zzzyyyxxx
> 230 : 77 77 77 76 76 76 75 75 75 74 74 74 73 73 73 72   wwwvvvuuutttsssr
> 240 : 72 72 71 71 71 70 70 70 6F 6F 6F 6E 6E 6E 6D 6D   rrqqqpppooonnnmm
> ...
> Could this be a normal http/webmail packet?  But it almost seems to me that
> someone reversed the alphabet to maybe bypass some intrusion detection
> systems that would pick up on it in the packet?  Any ideas?  Below is the
> full packet contents.

Looks like part of an image file to me, probably it is just (part of) a .gif or
.png. I get these alerts in snort all the time. I view them in the same light
as the 'x86 shellcode' alert, which pops up every now and then in an image file
which contains some 'NOP opcodes'.

Cheers//Frank
-- 
  WWWWW      _______________________
 ## o o\    /     Frank de Lange     \
 }#   \|   /                          \
  ##---# _/     <Hacker for Hire>      \
   ####   \      +31-320-252965        /
           \ secf-frank () unternet org  /
            -------------------------
 [ "Omnis enim res, quae dando non deficit, dum habetur
    et non datur, nondum habetur, quomodo habenda est."  ]

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
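
A triage check for the pattern discussed in this thread, as an added example that is not part of the original messages: the quoted bytes fall into groups of three equal values stepping down by one, which is what a grayscale ramp looks like in a GIF color table or a PNG PLTE chunk, both of which store 3-byte RGB entries. The function names, the assumed dump-line layout and the 8-entry threshold are assumptions made for this example.

```python
import re

# Constructed sample: the three dump lines quoted in the message above.
SAMPLE_DUMP = """\
220 : 7D 7C 7C 7C 7B 7B 7B 7A 7A 7A 79 79 79 78 78 78   }|||{{{zzzyyyxxx
230 : 77 77 77 76 76 76 75 75 75 74 74 74 73 73 73 72   wwwvvvuuutttsssr
240 : 72 72 71 71 71 70 70 70 6F 6F 6F 6E 6E 6E 6D 6D   rrqqqpppooonnnmm
"""

# Assumed dump layout: "<hex offset> : HH HH ...   <ascii column>".
LINE_RE = re.compile(r"^\s*[0-9A-Fa-f]+\s*:\s*((?:[0-9A-Fa-f]{2}(?:\s|$))+)")


def parse_dump(text):
    """Collect payload bytes from dump lines; other lines are skipped."""
    out = bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)


def longest_gray_ramp(data):
    """Longest run of R=G=B triples stepping by at most 1, at any alignment.

    Returns (entries, start_offset); (0, 0) when no such triple exists.
    """
    best = (0, 0)
    for shift in range(3):  # the captured segment may start mid-entry
        run, start, prev = 0, 0, None
        for i in range(shift, len(data) - 2, 3):
            r, g, b = data[i], data[i + 1], data[i + 2]
            if r == g == b:
                if prev is not None and abs(r - prev) <= 1:
                    run += 1
                else:
                    run, start = 1, i
                prev = r
            else:
                run, prev = 0, None
            if run > best[0]:
                best = (run, start)
    return best


def looks_like_palette(data, min_entries=8):
    """True when the payload holds a ramp of min_entries (assumed) or more."""
    return longest_gray_ramp(data)[0] >= min_entries
```

On the quoted bytes this finds 15 consecutive gray entries starting at payload offset 1. A match is a hint for alert triage, not proof that the packet carries an image.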

