Snort mailing list archives
Re: SMTP HELO overflow attempt
From: Andreas Hasenack <andreas () conectiva com br>
Date: Tue, 30 Jul 2002 17:01:07 -0300
On Mon, Jul 29, 2002 at 07:14:17PM -0700, Capps Family wrote:
I then configured snort to log with the "X" option. When I compared the data captured for that IP with the same data in the tcpdump packet, the IP header looks completely different. Tcpdump looks perfect, the snort dump ip header data looks like it's been corrupted.
I've also seen some sort of corruption recently and I also have been scratching my head. What I see sometimes is some sort of overlapping happening with the data in the payload of HTTP packets.

I also caught the weirdest "scan" (snort called it a FIN scan): a TCP segment with only FIN set (no ACK flag set, but with an ACK number), directed to port 53, with a mail-like payload containing SMTP commands such as "MAIL FROM:", "DATA" and "QUIT", and a TCP header length of zero. I didn't have a parallel tcpdump running, so I don't know if the packet was really like this or if some corruption took place.

I'm using Version 1.8.7beta5 (Build 121)
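The packet Andreas describes (FIN without ACK, a non-zero ACK number, and a TCP header length of zero) is internally inconsistent, which is exactly the kind of thing a small decode-sanity check can flag. The following is an added example, not code from the thread or from Snort: it decodes the fixed 20-byte TCP header with the standard library and lists the fields that cannot occur in a valid segment. The two sample headers are constructed here to mirror the reported packet and a normal PSH/ACK segment; running the same check over the bytes Snort logged with "-X" and over the parallel tcpdump capture tells you whether the wire actually carried the malformed header or the decoder produced it.

```python
import struct

# Fixed TCP header layout (RFC 793): ports, seq, ack, offset/flags, window, checksum, urgent ptr.
_TCP_FMT = "!HHIIHHHH"


def parse_tcp_header(raw: bytes) -> dict:
    """Decode the first 20 bytes of a TCP header into named fields."""
    if len(raw) < 20:
        raise ValueError("need at least 20 bytes for a TCP header")
    sport, dport, seq, ack, off_flags, window, checksum, urgptr = struct.unpack(
        _TCP_FMT, raw[:20]
    )
    data_offset = off_flags >> 12        # header length in 32-bit words (valid range 5..15)
    flags = off_flags & 0x01FF           # low 9 bits: NS, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN
    return {
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "data_offset": data_offset,
        "header_len": data_offset * 4,
        "fin": bool(flags & 0x01),
        "syn": bool(flags & 0x02),
        "rst": bool(flags & 0x04),
        "psh": bool(flags & 0x08),
        "ack_flag": bool(flags & 0x10),
        "urg": bool(flags & 0x20),
        "window": window,
        "checksum": checksum,
        "urgptr": urgptr,
    }


def sanity_check(hdr: dict) -> list:
    """Return the reasons this header looks malformed or mis-decoded (empty list if plausible)."""
    problems = []
    if hdr["data_offset"] < 5:
        problems.append(
            f"data offset {hdr['data_offset']} < 5 (header length {hdr['header_len']} is impossible)"
        )
    if hdr["fin"] and not hdr["ack_flag"] and not hdr["syn"]:
        problems.append("FIN set without ACK")
    if hdr["ack"] != 0 and not hdr["ack_flag"]:
        problems.append("ACK number present but ACK flag clear")
    return problems


def check_packet(raw: bytes) -> list:
    """Convenience wrapper: decode, then list anomalies."""
    return sanity_check(parse_tcp_header(raw))


# Constructed sample headers (not captured traffic).
# 1) Mirrors the reported packet: FIN only, ACK number set, dst port 53, data offset 0.
WEIRD_HDR = struct.pack(_TCP_FMT, 40000, 53, 1, 12345, (0 << 12) | 0x01, 512, 0, 0)
# 2) An ordinary PSH|ACK segment to port 25 with a 20-byte header.
NORMAL_HDR = struct.pack(_TCP_FMT, 40000, 25, 1, 12345, (5 << 12) | 0x18, 512, 0, 0)

if __name__ == "__main__":
    for name, raw in (("weird", WEIRD_HDR), ("normal", NORMAL_HDR)):
        hdr = parse_tcp_header(raw)
        print(f"{name}: dport={hdr['dport']} header_len={hdr['header_len']} "
              f"fin={hdr['fin']} ack_flag={hdr['ack_flag']} ack={hdr['ack']}")
        for p in sanity_check(hdr):
            print("  anomaly:", p)
```

The check is deliberately limited to properties that are impossible by construction, not to what any particular scanner sends; a header that fails it was either mangled on the wire or mis-decoded, and comparing the two logging paths on the same packet separates those cases.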
Current thread:
- SMTP HELO overflow attempt Capps Family (Jul 30)
- Re: SMTP HELO overflow attempt Andreas Hasenack (Jul 31)
- Re: SMTP HELO overflow attempt Ian Macdonald (Jul 31)
- Re: SMTP HELO overflow attempt Andreas Hasenack (Jul 31)