Snort mailing list archives

Snort 1.9.0 "Payload mixup".


From: Nils Ulltveit-Moe <num () proseq no>
Date: Mon, 27 Jan 2003 11:22:04 +0100

Hi

Have any of you experienced "payload mixup" with Snort 1.9.0? In our
case, it is the "ICMP redirect host" rule (SID 472) that seems to
display strange payload. In the three cases below, it seems that
telnet or HTTP sessions are mixed with HTTP traffic from another
session as the content of the ICMP message:

(The data is anonymised)

Example 1:
----------
@耽貼yE[NUL][STX]@[DC3]多@[NUL]q[ACK]其Y\xC3\x95\xC3\x8D\xCB\x9CY@耽貼y[NUL]P[HT]\xE2\x80\x98,[FF]-aK6\xC3\x8F8P[DLE]湛[EOT]脱\xC3\x9C[NUL][NUL]ft
 }.clsTableDataJustify{ BACKGROUND-COLOR: #eeeeee; FONT-WEIGHT: bold; TEXT-ALIGN: justify }.clsTableDataCenter{ 
BACKGROUND-COLOR: #eeeeee; FONT-WEIGHT: bold; TEXT-ALIGN: center }.clsTableTextTitle{ FONT-WEIGHT: bold; TEXT-ALIGN: 
left }.clsTableTextRight{ TEXT-ALIGN: right }.clsTableTextLeft{ TEXT-ALIGN: left }.clsTableTextJustify{ TEXT-ALIGN: 
justify }.clsTableDataColTitle{ COLOR: #333366; BACKGROUND-COLOR: #9999cc; FONT-SIZE: 11px; FONT-WEIGHT: bold; 
TEXT-ALIGN: left }.clsTableDataCol{ BACKGROUND-COL

Example 2:
----------
@耽貼yE[NUL][SOH]\xE2\x80\x9C[FF][FF]@[NUL]q[ACK]他遜\xC3\x95\xC3\x8D\xCB\x9CU@耽貼y[NUL]P[HT]貼[SO]K[NAK]dK+\xC3\x93<P[CAN]湛蔵\xC3\xA0卒[NUL][NUL]HTTP/1.1
 302 Object Moved[CR][LF]Location: http://xxx.xxx.com/redirect.asp?frmSiteStyleId=101234[CR][LF]Server: 
Microsoft-IIS/5.0[CR][LF]Content-Type: text/html[CR][LF]Content-Length: 186[CR][LF][CR][LF]<head><title>Document 
Moved</title></head>[LF]<body><h1>Object Moved</h1>This document may be found <a 
HREF="http://xxx.xxx.com/redirect.asp?frmSiteStyleId=101234";>here</a></body>

Example 3:
----------
 Doc A > GET /ddapp-images/blank.gif HTTP/1.1[CR][LF]
 Doc A > Accept: */*[CR][LF]
 Doc A > Referer: http://xxx.xxxxxxxxxxxx.com/[CR][LF]
 Doc A > Accept-Language: en-us[CR][LF]
 Doc A > Accept-Encoding: gzip, deflate[CR][LF]
 Doc A > User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)[CR][LF]
 Doc A > Host: xxx.xxxxxxxxxxxx.com[CR][LF]
 Doc A > Connection: Keep-Alive[CR][LF]
 Doc A > Cookie: XXXXXXXXXXXXXXXXXXXX=XXXXXXXXXXXXXXXXXXXXXXXX;
Garbage> ckeCountryId=100[CR][LF][CR]lor:#4e4e4e}[CR][LF]
 Doc B > </style>[CR][LF]
 Doc B > [CR][LF]
 Doc B > <META NAME="ROBOTS" CONTENT="NOINDEX">[CR][LF]
 Doc B > [CR][LF]
 Doc B > <title>The page cannot be found</title>
 Doc B > [CR][LF]
 Doc B > [CR][LF]
 Doc B > <META HTTP-EQUIV="Content-Type" Content="text-html;
 Doc B > charset=Windows-1252">[CR][LF]
 Doc B > </head>[CR][LF]
 Doc B > [CR][LF]
 Doc B > <script>
 Doc B > [CR][LF]
 Doc B > function Homepage(){[CR][LF]
 Doc B > <!--[CR][LF]// in real bits, urlsget 

Here two documents are mixed together, with some garbage between.

Have you got any clue what this may be?



Best regards,
Nils Ulltveit-Moe
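When triaging an alert like SID 472 whose payload looks like the dumps above, the first question is how much of the offending datagram the Redirect actually quotes. RFC 792 says a Redirect carries the original IP header plus the first 64 bits (8 bytes) of its payload; for TCP that is just the two ports and the sequence number, never HTTP text. The decoder below, an added example that is neither from the original post nor from Snort, parses an ICMP message as a Redirect, pulls out the quoted inner header, and reports how many bytes lie beyond the RFC-specified 28 bytes and beyond the inner header's own declared total length. The packet bytes, addresses and the trailing HTTP fragment are constructed for the example; the ICMP and IP checksums are left at zero and are not verified.

```python
"""Decode an ICMP Redirect and measure how much of the original datagram it quotes.

Added example (not code from the original post or from Snort). RFC 792 specifies
that a Redirect quotes the offending IP header plus the first 8 bytes of its
payload. Bytes beyond that, and especially bytes beyond the quoted header's own
declared total length, cannot belong to the quoted datagram and deserve a look.
"""
import struct
from typing import Any, Dict, Optional, Tuple

ICMP_REDIRECT = 5  # ICMP type for Redirect; code 1 = redirect for host

# Constructed trailing data that should not appear in a well-formed Redirect.
SAMPLE_TRAILING = b"HTTP/1.1 302 Object Moved\r\nLocation: http://example.invalid/\r\n"


def ipv4_to_str(raw: bytes) -> str:
    """Render four raw bytes as dotted-quad text."""
    return ".".join(str(b) for b in raw)


def printable(raw: bytes) -> str:
    """Replace non-printable bytes with '.', like a hex-dump side column."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


def parse_icmp_redirect(icmp: bytes) -> Dict[str, Any]:
    """Parse bytes starting at the ICMP header as a Redirect message.

    Returns the gateway, the quoted inner IPv4 fields, the ports from the
    first 8 bytes of the inner transport header (TCP/UDP only), and two
    excess measurements: bytes beyond the RFC 792 quote size and bytes
    beyond the inner header's declared total length.
    """
    if len(icmp) < 8:
        raise ValueError("ICMP header truncated")
    itype, code, _csum, gateway = struct.unpack("!BBH4s", icmp[:8])
    if itype != ICMP_REDIRECT:
        raise ValueError(f"not an ICMP Redirect (type {itype})")

    inner = icmp[8:]
    if len(inner) < 20:
        raise ValueError("quoted IP header truncated")
    version, ihl = inner[0] >> 4, (inner[0] & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("quoted datagram is not a plausible IPv4 header")
    total_len = struct.unpack("!H", inner[2:4])[0]
    proto = inner[9]

    ports: Optional[Tuple[int, int]] = None
    transport = inner[ihl:ihl + 8]
    if proto in (6, 17) and len(transport) >= 4:  # TCP or UDP: ports first
        ports = struct.unpack("!HH", transport[:4])

    rfc_quote_len = ihl + 8  # what RFC 792 says should be present
    excess = inner[rfc_quote_len:]
    return {
        "code": code,
        "gateway": ipv4_to_str(gateway),
        "inner_src": ipv4_to_str(inner[12:16]),
        "inner_dst": ipv4_to_str(inner[16:20]),
        "inner_proto": proto,
        "inner_total_len": total_len,
        "ports": ports,
        "quoted_len": len(inner),
        "excess_len": len(excess),
        "beyond_declared_len": max(0, len(inner) - total_len),
        "excess_printable": printable(excess),
    }


def is_overquoted(result: Dict[str, Any]) -> bool:
    """True when the Redirect carries more than RFC 792 allows."""
    return result["excess_len"] > 0


def build_sample() -> bytes:
    """Constructed Redirect-for-host quoting a TCP/80 datagram plus HTTP text.

    Addresses and values are made up for the example; checksums are zero.
    """
    inner_ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 60, 0x1234, 0x4000, 64, 6, 0,  # IHL=5, len=60, TTL=64, TCP
        bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]),
    )
    tcp_first8 = struct.pack("!HHI", 80, 1480, 0x11223344)  # sport, dport, seq
    icmp_hdr = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, bytes([10, 0, 0, 1]))
    return icmp_hdr + inner_ip + tcp_first8 + SAMPLE_TRAILING


if __name__ == "__main__":
    r = parse_icmp_redirect(build_sample())
    print(f"redirect code {r['code']} via {r['gateway']}: "
          f"{r['inner_src']} -> {r['inner_dst']} proto {r['inner_proto']} ports {r['ports']}")
    print(f"quoted {r['quoted_len']} bytes, {r['excess_len']} beyond RFC 792, "
          f"{r['beyond_declared_len']} beyond the inner header's declared length")
    if is_overquoted(r):
        print("excess:", r["excess_printable"])
```

Fed the bytes Snort logged for such an alert, a non-zero `beyond_declared_len` proves the trailing text cannot be part of the quoted datagram, which narrows the question to where those bytes came from: the sending host or router, the capture, or the decoder.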

