Snort mailing list archives

Re: [http-inspect/SPNEGO]


From: Gregory D Hough <mr6re9 () execulink com>
Date: Mon, 20 Jun 2005 12:29:50 -0400

Gregory D Hough wrote:

Snortsters,

I have been getting gobs of OVERSIZE REQUEST-URI DIRECTORY alerts lately, since about June 03. HTTPD would answer these requests with a code 200 and serve my index page. I didn't like that so I configured Apache to respond with a 400 by use of the directive LimitRequestFieldsize 2048. Since then these requests have been morphing whereby the continuation packet size has been growing and shrinking.

Am I just losing my marbles? What is this thing anyway? Do I have packets? Yes, lots.

Thanks,
farmer6re9

I realize this is just a little insignificant $HOME_NET I'm watching here. And that I probably don't have to worry about this goonine tool poking around, but I am curious as to what it is. Especially when the probes have increased fourfold in the last week. They generally all look much the same except in this portion of a continuation packet:

0130  74 5a 43 41 76 59 79 42 30 5a 6e 52 77 49 43 31   tZCAvYyB0ZnRwIC1
0140  70 49 44 49 79 4d 43 34 78 4f 44 67 75 4d 54 51   pIDIyMC4xODguMTQ
0150  34 4c 6a 45 79 4e 53 42 48 52 56 51 67 64 32 4e   4LjEyNSBHRVQgd2N
0160  7a 62 6d 5a 30 65 53 35 6c 65 47 55 6d 63 33 52   zbmZ0eS5leGUmc3R
0170  68 63 6e 51 67 64 32 4e 7a 62 6d 5a 30 65 53 35   hcnQgd2NzbmZ0eS5
0180  6c 65 47 55 6d 5a 58 68 70 64 41 42 43 51 6b 4a   leGUmZXhpdABCQkJ
0190  43 51 6b 4a 43 51 6b 4a 43 51 6b 4a 43 51 6b 4a   CQkJCQkJCQkJCQkJ

Does it have a name so I can google-it? I'd call it POKER-FACE because of all the Queen-King-Jack-Cards in its Data-Deck.

Please help, I'm getting straight flushed.

Thanks,
farmer6re9
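
Added example, not part of the original message: every character in the ASCII column of the excerpt is in the base64 alphabet, so a first triage step is to decode it and read the result. The excerpt starts mid-stream, so the 4-character base64 grouping is unknown; the script below tries all four alignments and keeps the most printable one. Function names are illustrative, and it assumes each dump line carries a full 16 bytes.

```python
import base64

# Hex dump lines copied verbatim from the message (offset, 16 bytes, ASCII).
DUMP = """\
0130  74 5a 43 41 76 59 79 42 30 5a 6e 52 77 49 43 31   tZCAvYyB0ZnRwIC1
0140  70 49 44 49 79 4d 43 34 78 4f 44 67 75 4d 54 51   pIDIyMC4xODguMTQ
0150  34 4c 6a 45 79 4e 53 42 48 52 56 51 67 64 32 4e   4LjEyNSBHRVQgd2N
0160  7a 62 6d 5a 30 65 53 35 6c 65 47 55 6d 63 33 52   zbmZ0eS5leGUmc3R
0170  68 63 6e 51 67 64 32 4e 7a 62 6d 5a 30 65 53 35   hcnQgd2NzbmZ0eS5
0180  6c 65 47 55 6d 5a 58 68 70 64 41 42 43 51 6b 4a   leGUmZXhpdABCQkJ
0190  43 51 6b 4a 43 51 6b 4a 43 51 6b 4a 43 51 6b 4a   CQkJCQkJCQkJCQkJ
"""

def dump_bytes(dump):
    """Rebuild raw bytes from the hex columns; offset and ASCII column are dropped."""
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        out += bytes.fromhex("".join(fields[1:17]))
    return bytes(out)

def printable_ratio(data):
    """Fraction of bytes in the printable ASCII range 0x20..0x7e."""
    return sum(0x20 <= b <= 0x7E for b in data) / len(data) if data else 0.0

def best_alignment(fragment):
    """Decode a mid-stream base64 fragment at offsets 0..3; return the best
    (printable_ratio, offset, decoded_bytes) tuple."""
    best = (0.0, 0, b"")
    for off in range(4):
        chunk = fragment[off:]
        chunk = chunk[: len(chunk) - len(chunk) % 4]  # whole 4-char groups only
        try:
            decoded = base64.b64decode(chunk, validate=True)
        except ValueError:  # character outside the base64 alphabet
            continue
        best = max(best, (printable_ratio(decoded), off, decoded))
    return best

if __name__ == "__main__":
    ratio, offset, decoded = best_alignment(dump_bytes(DUMP))
    print(f"offset={offset} printable={ratio:.0%}")
    # Show NUL bytes visibly instead of letting the terminal swallow them.
    print(decoded.replace(b"\x00", b"\\0").decode("ascii", "replace"))
```

The repeating "QkJC" at the end of the excerpt is simply the base64 encoding of "BBB", i.e. filler bytes after the readable part of the payload.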

