Snort mailing list archives
re: Packet weirdness
From: Wynn Fenwick <wfenwick () FHLSim com>
Date: Thu, 07 Feb 2002 21:13:26 -0500
I am seeing something similar to this. I'll provide packet captures tomorrow, but I can see a false positive on a whisker HEAD with large packet size (indicating the HEAD is out of spec). In every case the trigger is on a HEAD coming from a tool called Big Brother, which is a remote TCP service keepalive script that we use to make sure services are reachable. It HEADs any web server to see if it's alive.

However, the source is outside our network, and the destination is not the web server that the HEADs are being requested from. They are unrelated machines. Inside that payload, we see appended content from, among other things, MSN Messenger conversations, web-mail sessions, and other web traffic fragments. It looks like a messed-up pointer because the HTTP within the packet trace is not coherent.

Snort 1.8.3 on FreeBSD 4.3
Database logging to PostgreSQL 7.1.x
ACID 0.9.6b19

We will try 1.8.4 beta in the lab but no guarantees we can duplicate this.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
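The trigger condition the message describes is a HEAD request whose payload is much larger than a request line plus headers should need, with unrelated bytes following the end of the headers. The Python below, an added example that is not code from the original poster or from the Snort project, runs that check over two constructed payloads: a clean keepalive-style HEAD and the same HEAD with an unrelated HTTP fragment appended. The 512-byte size threshold, the `inspect_head_request` and `head_alert` names and the sample payloads are assumptions chosen for illustration, not Snort rule values.

```python
"""Flag HTTP HEAD requests that carry more payload than a HEAD should.

Added example, not from the Snort project or the original post.
HEAD_DSIZE_THRESHOLD is an assumed threshold for illustration only.
"""

HEAD_DSIZE_THRESHOLD = 512  # assumption: bytes of payload a sane HEAD should not exceed

# Constructed sample payloads (not real captures).
CLEAN_HEAD = (
    b"HEAD / HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: bigbrother-check\r\n"
    b"\r\n"
)
# An unrelated web-mail request fragment, repeated to push the size past the threshold.
FRAGMENT = b"GET /webmail/inbox HTTP/1.1\r\nCookie: session=abc123\r\n"
WEIRD_HEAD = CLEAN_HEAD + FRAGMENT * 10


def inspect_head_request(payload: bytes, threshold: int = HEAD_DSIZE_THRESHOLD) -> dict:
    """Describe a TCP payload: is it a HEAD, how big is it, what trails the headers."""
    info = {
        "is_head": payload[:4].upper() == b"HEAD",
        "dsize": len(payload),
        "oversized": False,
        "trailing_bytes": 0,      # -1 means no end-of-headers marker was found
        "trailing_preview": b"",
    }
    if not info["is_head"]:
        return info
    info["oversized"] = len(payload) > threshold
    end = payload.find(b"\r\n\r\n")
    if end == -1:
        # Headers may be split across segments or simply malformed; cannot judge trailing data.
        info["trailing_bytes"] = -1
        return info
    trailing = payload[end + 4:]
    info["trailing_bytes"] = len(trailing)
    info["trailing_preview"] = trailing[:40]
    return info


def head_alert(payload: bytes, threshold: int = HEAD_DSIZE_THRESHOLD):
    """Return (should_alert, reason) for a payload, mirroring a size-plus-content check."""
    info = inspect_head_request(payload, threshold)
    if not info["is_head"]:
        return False, "not a HEAD request"
    reasons = []
    if info["oversized"]:
        reasons.append(f"dsize {info['dsize']} > {threshold}")
    if info["trailing_bytes"] > 0:
        reasons.append(f"{info['trailing_bytes']} bytes after end of headers")
    elif info["trailing_bytes"] == -1:
        reasons.append("no end-of-headers marker")
    return bool(reasons), "; ".join(reasons) if reasons else "ok"


if __name__ == "__main__":
    for name, pkt in (("clean", CLEAN_HEAD), ("weird", WEIRD_HEAD)):
        alert, reason = head_alert(pkt)
        print(f"{name}: alert={alert} ({reason})")
        if alert:
            print("  trailing preview:", inspect_head_request(pkt)["trailing_preview"])
```

Run against real captures, the trailing preview is the part worth eyeballing: it shows whether the extra bytes are a genuine oversized request or, as in the message, fragments of other sessions stitched onto the HEAD.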
Current thread:
- Packet weirdness tyler (Feb 07)
- Re: Packet weirdness Chris Green (Feb 07)
- <Possible follow-ups>
- RE: Packet weirdness tyler (Feb 07)
- Re: Packet weirdness Chris Green (Feb 07)
- re: Packet weirdness Wynn Fenwick (Feb 07)
- re: Packet weirdness Wynn Fenwick (Feb 07)