Snort mailing list archives
strange behaviour of snort 2.0.3
From: lpj0508 () netscape net
Date: Wed, 05 Nov 2003 21:59:33 -0500
Hi, I upgraded from 2.0.2 to 2.0.3, but from the point I started up with the new version, I noticed a strange behaviour. For example, with an alert that triggered the signature "POP3 DELE overflow attempt", the payload contains a mixture of POP3 commands and HTTP statements. This looks like some kind of parsing error to me. Can someone advise?

length = 413

000 : 4E 4F 4F 50 0D 0A 54 4F 50 20 31 32 31 20 30 0D  NOOP..TOP 121 0.
010 : 0A 61 74 72 6F 6F 6D 3D 63 68 61 74 7A 6F 6E 65  .atroom=chatzone
020 : 22 3E 20 63 68 61 74 7A 6F 6E 65 20 3C 2F 6F 70  "> chatzone </op
030 : 74 69 6F 6E 3E 0D 0A 44 45 4C 45 20 31 30 35 33  tion>..DELE 1053
040 : 0D 0A 3C 6F 70 74 69 6F 6E 20 76 61 6C 75 65 3D  ..<option value=
050 : 22 63 68 61 74 72 6F 6F 6D 3D 46 75 6E 43 68 61  "chatroom=FunCha
060 : 74 22 3E 44 45 4C 45 20 31 30 35 37 0D 0A 6F 70  t">DELE 1057..op
070 : 74 69 6F 6E 3E 0D 0A 09 09 09 09 09 09 09 09 54  tion>..........T
080 : 4F 50 20 31 33 32 20 30 0D 0A 76 61 6C 75 65 3D  OP 132 0..value=
090 : 22 63 68 61 74 72 6F 6F 6D 3D 66 75 6E 66 61 63  "chatroom=funfac
0a0 : 74 6F 72 79 22 3E 20 66 75 6E 66 61 63 74 6F 72  tory"> funfactor
0b0 : 79 20 3C 2F 6F 70 74 69 6F 6E 3E 0D 0A 09 09 09  y </option>.....
0c0 : 09 09 09 09 09 09 44 45 4C 45 20 31 30 36 36 0D  ......DELE 1066.
0d0 : 0A 61 6C 75 65 3D 22 63 68 61 74 72 6F 6F 6D 3D  .alue="chatroom=
0e0 : 6B 6F 70 69 74 69 61 6D 22 3E 20 6B 6F 70 69 74  kopitiam"> kopit
0f0 : 69 61 6D 20 3C 2F 6F 70 74 69 6F 6E 3E 0D 0A 09  iam </option>...
100 : 09 09 09 09 09 09 09 09 09 09 3C 6F 70 74 69 6F  ..........<optio
110 : 6E 20 76 61 6C 75 65 3D 22 63 68 61 74 72 6F 6F  n value="chatroo
120 : 6D 3D 62 65 67 69 6E 6E 65 72 22 3E 20 62 65 67  m=beginner"> beg
130 : 69 6E 6E 65 72 20 3C 2F 6F 70 74 69 6F 6E 3E 0D  inner </option>.
140 : 0A 09 09 09 09 09 09 09 09 09 09 09 3C 6F 70 74  ............<opt
150 : 69 6F 6E 20 76 61 6C 75 65 3D 22 63 68 61 74 72  ion value="chatr
160 : 6F 6F 6D 3D 73 69 6E 67 61 70 6F 72 65 22 3E 20  oom=singapore"> 
170 : 73 69 6E 67 61 70 6F 72 65 20 3C 2F 6F 70 74 69  singapore </opti
180 : 6F 6E 3E 0D 0A 09 09 09 09 09 09 09 09 09 09 09  on>.............
190 : 3C 6F 70 74 69 6F 6E 44 45 4C 45 20 31  <optionDELE 1

pj