Snort mailing list archives
Re: Incorrect payload on acid alerts
From: "M. Shirk" <shirkdog_linux () hotmail com>
Date: Wed, 10 Nov 2004 08:43:40 -0500
I am able to receive multiple HTTP connections as single alerts. The *bot variants that blow up a lot of ports and send the webdav search overflow generate about 12 separate alerts for each full length packet to tcp port 80. I will get the apparent overflow packets in order.

(Start of packets, and these are followed by alerts with just the hex data)

53 45 41 52 43 48 20 2F 90 02 B1 02 B1 02 B1 02 SEARCH /........
B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ...............

53 45 41 52 43 48 20 2F 90 C9 C9 C9 C9 C9 C9 C9 SEARCH /........
C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 ................
C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 ................
C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 ................

Shirkdog
From: Jason Haar <Jason.Haar () trimble co nz>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Incorrect payload on acid alerts
Date: Wed, 10 Nov 2004 15:09:24 +1300

Joshua Berry wrote:
> Several times I have seen a similar issue for HTTP sessions where multiple HTTP connections are shown for own alert. It appears that several sessions had been combined into a single snort alert and many of these sessions did not match any of the signatures.

I hate to do a "me too" - but, me too.

I was sitting on it until I could come up with something more substantial to help find the problem, but I've seen snort trigger a "EXPLOIT ssh CRC32 overflow NOOP" between two hosts I control, and yet the packet captured by snort was actually HTTP headers bunged onto the end of some binary data.

It wasn't SSH data, it wasn't HTTP data, it was...?

Packet length was 2630 - which makes me think there's still a bug in how snort aggregates packets together into flows.

This was snort-2.2.0 under Fedora Core 2

Jason
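The symptom both posters describe, one ACID alert whose payload holds several HTTP requests or unrelated binary data with HTTP headers appended, can be checked mechanically when triaging alerts. The script below is an added example, not code from the thread or from the Snort project: it parses a Snort/ACID-style hex dump (same row layout as the SEARCH dump quoted above, but with a constructed sample payload), cuts the recovered bytes at every HTTP request-line start, and reports how many segments one alert contains and how much non-printable filler each segment carries. The request-method list, the 16-bytes-per-row assumption and the 0.75 thresholds implied by the sample are the example's own choices.

```python
import re
from typing import Dict, List

# Constructed sample, not taken from the thread: a Snort/ACID-style payload
# dump in the same row layout as the one quoted above (16 hex bytes, then an
# ASCII column). It imitates two WebDAV SEARCH requests landing in one alert.
SAMPLE_DUMP = """\
53 45 41 52 43 48 20 2F 90 02 B1 02 B1 02 B1 02  SEARCH /........
B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02  ................
53 45 41 52 43 48 20 2F 90 C9 C9 C9 C9 C9 C9 C9  SEARCH /........
C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9  ................
"""

# At most 16 "XX " groups per row (assumed row width), so the ASCII column is
# never mistaken for hex even when it contains hex-looking characters.
HEX_ROW = re.compile(r"^((?:[0-9A-Fa-f]{2}\s){1,16})")

# Request-line starts that mark a new HTTP request inside one payload
# (method list chosen for this example).
REQUEST_START = re.compile(rb"(?:SEARCH|GET|POST|HEAD|PUT|OPTIONS|PROPFIND) /")


def parse_hex_dump(dump: str) -> bytes:
    """Recover raw payload bytes from the hex column of each dump row."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_ROW.match(line.strip() + " ")
        if m:
            out.extend(bytes.fromhex(m.group(1)))
    return bytes(out)


def split_segments(payload: bytes) -> List[bytes]:
    """Cut the payload at every request-line start.

    A leading blob before the first request line is kept as its own segment
    (Jason's 'HTTP headers bunged onto the end of some binary data' case).
    More than one segment in a single alert is the 'several sessions combined
    into one alert' symptom reported in the thread."""
    starts = [m.start() for m in REQUEST_START.finditer(payload)]
    if not starts:
        return [payload]
    bounds = ([] if starts[0] == 0 else [0]) + starts + [len(payload)]
    return [payload[a:b] for a, b in zip(bounds, bounds[1:])]


def filler_ratio(chunk: bytes) -> float:
    """Fraction of bytes outside printable ASCII. A request whose URI is mostly
    such bytes is what the overflow traffic in the dump above looks like."""
    if not chunk:
        return 0.0
    nonprint = sum(1 for b in chunk if b < 0x20 or b > 0x7E)
    return nonprint / len(chunk)


def triage_alert(dump: str) -> Dict[str, object]:
    """Summarise one alert payload so an analyst can see at a glance whether
    the payload is one request or several sessions glued together."""
    payload = parse_hex_dump(dump)
    segments = split_segments(payload)
    return {
        "payload_len": len(payload),
        "segment_count": len(segments),
        "merged_sessions_suspected": len(segments) > 1,
        "filler_ratios": [round(filler_ratio(s), 2) for s in segments],
    }


if __name__ == "__main__":
    # On the constructed sample: 64 bytes, 2 segments, filler 0.75 each.
    print(triage_alert(SAMPLE_DUMP))
```

Feed it the payload column copied out of an ACID alert page; a `segment_count` above 1 for an alert that should describe a single segment is a cue to compare the alert against the raw capture rather than trusting the displayed payload.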
Current thread:
- Incorrect payload on acid alerts snortman (Nov 09)
- Re: Incorrect payload on acid alerts Dirk Geschke (Nov 09)
- Re: Incorrect payload on acid alerts Alex Butcher, ISC/ISYS (Nov 09)
- <Possible follow-ups>
- RE: Incorrect payload on acid alerts Joshua Berry (Nov 09)
- Re: Incorrect payload on acid alerts Jason Haar (Nov 09)
- Re: Incorrect payload on acid alerts M. Shirk (Nov 10)
- Re: Incorrect payload on acid alerts Dirk Geschke (Nov 09)