Snort mailing list archives
RE: A weird packet..... perhaps a bug?
From: "Cornelis, Dirk (BE - Diegem)" <dcornelis () deloitte com>
Date: Mon, 3 Feb 2003 14:34:24 +0100
Recently it was reported that certain IP stacks don't pad packets correctly, maybe this is what happens when padding happens done with data instead of 'garbage'. Kind Regards, Cornelis, Dirk IT Security Officer -----Original Message----- From: Erek Adams [mailto:erek () snort org] Sent: maandag 3 februari 2003 13:10 To: Frank Knobbe Cc: snort-users () lists sourceforge net; snort-devel () lists sourceforge net Subject: Re: [Snort-users] A weird packet..... perhaps a bug? On Mon, 2 Feb 2003, Frank Knobbe wrote:
I recently caught the packet below with Snort 1.9 compiled Jan 29 from CVS. It lists some weird content. The upper half looks like a valid HTTP requests (I verified that that image exists and is indeed called from the referring page). The bottom half looks like a snippet from an email, which would explain why this packet triggered on port 25. Has anyone seen a similar mangled packet? Is there a bug in Snort where the packet buffer gets overwritten half-way?
"E-mail disclaimer:This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient, please note that any review, dissemination, disclosure, alteration, printing, copying or transmission of this e-mail and/or any file transmitted with it, is strictly prohibited and may be unlawful. If you have received this e-mail by mistake, please immediately notify the sender and permanently delete the original as well as any copy of any e-mail and any printout thereof." ------------------------------------------------------- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- A weird packet..... perhaps a bug? Frank Knobbe (Feb 02)
- Re: A weird packet..... perhaps a bug? Erek Adams (Feb 03)
- Re: [Snort-devel] A weird packet..... perhaps a bug? Chris Green (Feb 03)
- Re: A weird packet..... perhaps a bug? Kenneth G. Arnold (Feb 03)
- <Possible follow-ups>
- RE: A weird packet..... perhaps a bug? Cornelis, Dirk (BE - Diegem) (Feb 03)