Security Incidents mailing list archives
Re: Odd string in packet...
From: Frank de Lange <secf-frank () unternet org>
Date: Fri, 25 Jan 2002 18:01:23 +0100
On Fri, Jan 25, 2002 at 08:51:54AM -0500, Grimes, Shawn (NIA/IRP) wrote:
> This may be normal but who knows. I picked up the following alert today:
> ...
> 220 : 7D 7C 7C 7C 7B 7B 7B 7A 7A 7A 79 79 79 78 78 78 }|||{{{zzzyyyxxx
> 230 : 77 77 77 76 76 76 75 75 75 74 74 74 73 73 73 72 wwwvvvuuutttsssr
> 240 : 72 72 71 71 71 70 70 70 6F 6F 6F 6E 6E 6E 6D 6D rrqqqpppooonnnmm
> ...
> Could this be a normal http/webmail packet? But it almost seems to me that someone reversed the alphabet to maybe bypass some intrusion detection systems that would pick up on it in the packet? Any ideas? Below is the full packet contents.
Looks like part of an image file to me, probably it is just (part of) a .gif or .png. I get these alerts in snort all the time. I view them in the same light as the 'x86 shellcode' alert, which pops up every now and then in an image file which contains some 'NOP opcodes'.

Cheers//Frank

--
  WWWWW      _______________________
 ## o o\    /     Frank de Lange     \
 }#   \|   /                          \
  ##---# _/     <Hacker for Hire>      \
   ####   \      +31-320-252965        /
           \ secf-frank () unternet org /
            -------------------------
[ "Omnis enim res, quae dando non deficit, dum habetur et non datur, nondum habetur, quomodo habenda est." ]

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
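A triage check for the image-data reading in the reply above, as an added example that is not part of the original thread: it rebuilds the bytes from the three dump lines quoted in the post and tests whether they are equal-byte triples stepping by one, which is what a run of grey RGB values in a palette or uncompressed pixel data looks like. The RGB-triple interpretation and the names `parse_dump`, `grey_triples` and `classify` are assumptions made here, and the parser assumes full 16-byte rows with hex offsets.

```python
import re

# Sample input: the three dump lines quoted in the post (hex offset : bytes, ASCII column).
DUMP = """\
220 : 7D 7C 7C 7C 7B 7B 7B 7A 7A 7A 79 79 79 78 78 78 }|||{{{zzzyyyxxx
230 : 77 77 77 76 76 76 75 75 75 74 74 74 73 73 73 72 wwwvvvuuutttsssr
240 : 72 72 71 71 71 70 70 70 6F 6F 6F 6E 6E 6E 6D 6D rrqqqpppooonnnmm
"""

# Offset, colon, then up to 16 space-terminated hex byte pairs; the ASCII column is ignored.
LINE = re.compile(r"^\s*([0-9A-Fa-f]+)\s*:\s*((?:[0-9A-Fa-f]{2} ){1,16})")

def parse_dump(text):
    """Rebuild payload bytes from 'offset : hex... ascii' lines; reject gaps between rows."""
    out, expected = bytearray(), None
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip '...' elisions and other non-dump lines
        offset = int(m.group(1), 16)
        if expected is not None and offset != expected:
            raise ValueError(f"gap in dump at offset {offset:#x}")
        chunk = bytes.fromhex(m.group(2))
        out += chunk
        expected = offset + len(chunk)
    return bytes(out)

def grey_triples(data):
    """Return (phase, levels) if data is a run of R=G=B triples at some alignment, else None."""
    for phase in range(3):  # the capture may start mid-triple, so try each alignment
        body = data[phase:]
        triples = [body[i:i + 3] for i in range(0, len(body) - 2, 3)]
        if len(triples) >= 4 and all(t[0] == t[1] == t[2] for t in triples):
            return phase, [t[0] for t in triples]
    return None

def classify(data):
    """Label a payload fragment: grey ramp, grey triples without a ramp, or neither."""
    found = grey_triples(data)
    if found is None:
        return "no grey-triple structure"
    phase, levels = found
    steps = {b - a for a, b in zip(levels, levels[1:])}
    if steps == {-1} or steps == {1}:
        return f"grey ramp 0x{levels[0]:02X}..0x{levels[-1]:02X} ({len(levels)} levels, phase {phase})"
    return "grey triples, not a uniform ramp"

if __name__ == "__main__":
    print(classify(parse_dump(DUMP)))
```

A match only says the fragment is consistent with grey colour values; confirming the file type still needs the start of the stream, where the image header would be.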