Snort mailing list archives
Snort 1.9.0 "Payload mixup".
From: Nils Ulltveit-Moe <num () proseq no>
Date: Mon, 27 Jan 2003 11:22:04 +0100
Hi

Have any of you experienced "payload mixup" with Snort 1.9.0? In our case, it is the "ICMP redirect host" rule (SID 472) that seems to display strange payload. In the three cases below, it seems that telnet or HTTP sessions are mixed with HTTP traffic from another session as the content of the ICMP message:

(The data is anonymised)

Example 1:
----------
@耽貼yE[NUL][STX]@[DC3]多@[NUL]q[ACK]其Y\xC3\x95\xC3\x8D\xCB\x9CY@耽貼y[NUL]P[HT]\xE2\x80\x98,[FF]-aK6\xC3\x8F8P[DLE]湛[EOT]脱\xC3\x9C[NUL][NUL]ft }.clsTableDataJustify{ BACKGROUND-COLOR: #eeeeee; FONT-WEIGHT: bold; TEXT-ALIGN: justify }.clsTableDataCenter{ BACKGROUND-COLOR: #eeeeee; FONT-WEIGHT: bold; TEXT-ALIGN: center }.clsTableTextTitle{ FONT-WEIGHT: bold; TEXT-ALIGN: left }.clsTableTextRight{ TEXT-ALIGN: right }.clsTableTextLeft{ TEXT-ALIGN: left }.clsTableTextJustify{ TEXT-ALIGN: justify }.clsTableDataColTitle{ COLOR: #333366; BACKGROUND-COLOR: #9999cc; FONT-SIZE: 11px; FONT-WEIGHT: bold; TEXT-ALIGN: left }.clsTableDataCol{ BACKGROUND-COL

Example 2
----------
@耽貼yE[NUL][SOH]\xE2\x80\x9C[FF][FF]@[NUL]q[ACK]他遜\xC3\x95\xC3\x8D\xCB\x9CU@耽貼y[NUL]P[HT]貼[SO]K[NAK]dK+\xC3\x93<P[CAN]湛蔵\xC3\xA0卒[NUL][NUL]HTTP/1.1 302 Object Moved[CR][LF]Location: http://xxx.xxx.com/redirect.asp?frmSiteStyleId=101234[CR][LF]Server: Microsoft-IIS/5.0[CR][LF]Content-Type: text/html[CR][LF]Content-Length: 186[CR][LF][CR][LF]<head><title>Document Moved</title></head>[LF]<body><h1>Object Moved</h1>This document may be found <a HREF="http://xxx.xxx.com/redirect.asp?frmSiteStyleId=101234">here</a></body>

Example 3
---------
Doc A > GET /ddapp-images/blank.gif HTTP/1.1[CR][LF]
Doc A > Accept: */*[CR][LF]
Doc A > Referer: http://xxx.xxxxxxxxxxxx.com/[CR][LF]
Doc A > Accept-Language: en-us[CR][LF]
Doc A > Accept-Encoding: gzip, deflate[CR][LF]
Doc A > User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)[CR][LF]
Doc A > Host: xxx.xxxxxxxxxxxx.com[CR][LF]
Doc A > Connection: Keep-Alive[CR][LF]
Doc A > Cookie: XXXXXXXXXXXXXXXXXXXX=XXXXXXXXXXXXXXXXXXXXXXXX;
Garbage> ckeCountryId=100[CR][LF][CR]lor:#4e4e4e}[CR][LF]
Doc B > </style>[CR][LF]
Doc B > [CR][LF]
Doc B > <META NAME="ROBOTS" CONTENT="NOINDEX">[CR][LF]
Doc B > [CR][LF]
Doc B > <title>The page cannot be found</title>
Doc B > [CR][LF]
Doc B > [CR][LF]
Doc B > <META HTTP-EQUIV="Content-Type" Content="text-html;
Doc B > charset=Windows-1252">[CR][LF]
Doc B > </head>[CR][LF]
Doc B > [CR][LF]
Doc B > <script>
Doc B > [CR][LF]
Doc B > function Homepage(){[CR][LF]
Doc B > <!--[CR][LF]// in real bits, urlsget

Here two documents are mixed together, with some garbage between.

Have you got any clue what this may be?

Regards,
Nils Ulltveit-Moe

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
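Added example, not part of the thread and not Snort's own code: a decoder for an ICMPv4 Redirect message and the datagram it quotes. Per RFC 792 a Redirect (type 5; code 1 is "redirect for host", which is what SID 472 matches on) carries the IP header of the packet that triggered it plus at least the first 8 bytes of that packet, so the "payload" an IDS attaches to a redirect alert is always a fragment of some other packet, starting with the quoted IPv4 header (0x45 0x00, which a printable dump renders as "E" followed by NUL). The two sample messages are constructed here with RFC 5737 documentation addresses and a made-up HTTP request; the second models a sender that quotes the whole triggering segment rather than the 8-byte minimum, which is an assumption about sender behaviour, not something the post establishes.

```python
"""Decode an ICMPv4 Redirect and the datagram it quotes.

Added example; not code from the original post or from Snort. RFC 792 says a
Redirect (type 5) carries the IP header of the datagram that triggered it plus
at least its first 8 bytes, so the "payload" an IDS attaches to a redirect
alert is a fragment of some other packet. All sample packets below are
constructed for this example.
"""
import ipaddress
import socket
import struct

ICMP_REDIRECT = 5
ICMP_REDIRECT_HOST = 1
IPPROTO_TCP = 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (version 4, IHL 5, DF set, TTL 64) with checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_tcp_header(sport: int, dport: int, seq: int) -> bytes:
    """20-byte TCP header: data offset 5, PSH+ACK set, zero checksum (sample only)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)


def build_redirect(gateway: str, quoted: bytes, code: int = ICMP_REDIRECT_HOST) -> bytes:
    """ICMP Redirect: type, code, checksum, gateway address, then the quoted datagram."""
    msg = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0, socket.inet_aton(gateway)) + quoted
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_redirect(msg: bytes) -> dict:
    """Split a redirect into its own fields and the quoted IP/TCP fragment."""
    if len(msg) < 8 + 20:
        raise ValueError("too short: need ICMP header plus a quoted IPv4 header")
    itype, icode, _csum, gw = struct.unpack("!BBH4s", msg[:8])
    if itype != ICMP_REDIRECT:
        raise ValueError("type %d is not a redirect" % itype)
    if inet_checksum(msg) != 0:  # a message with a valid checksum folds to zero
        raise ValueError("bad ICMP checksum")
    quoted = msg[8:]
    vihl, _tos, _tlen, _id, _frag, _ttl, proto, _hcs, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", quoted[:20])
    if vihl >> 4 != 4:
        raise ValueError("quoted datagram is not IPv4")
    ihl = (vihl & 0x0F) * 4
    l4 = quoted[ihl:]
    info = {
        "code": icode,
        "gateway": str(ipaddress.IPv4Address(gw)),
        "quoted_src": str(ipaddress.IPv4Address(src)),
        "quoted_dst": str(ipaddress.IPv4Address(dst)),
        "quoted_proto": proto,
        "quoted_len": len(quoted),
        # every quoted IPv4 header without options starts 0x45 0x00: 'E' NUL in a printable dump
        "starts_with_E_NUL": quoted[:2] == b"E\x00",
        "l4_bytes": l4,
    }
    if proto == IPPROTO_TCP and len(l4) >= 8:
        # RFC 792 guarantees only these 8 bytes: ports and sequence number
        info["sport"], info["dport"], info["seq"] = struct.unpack("!HHI", l4[:8])
        # anything past the TCP header is application data the sender chose to quote
        data_off = (l4[12] >> 4) * 4 if len(l4) >= 20 else len(l4)
        info["app_data"] = l4[data_off:]
    return info


def demo() -> dict:
    """Two constructed redirects for the same TCP segment: one quoting the RFC 792
    minimum, one quoting the whole segment, HTTP request included."""
    tcp = build_tcp_header(1025, 80, 0x10000000)
    http = b"GET /blank.gif HTTP/1.1\r\nHost: www.example.com\r\n\r\n"  # constructed
    ip = build_ipv4_header("192.0.2.10", "198.51.100.20", IPPROTO_TCP,
                           20 + len(tcp) + len(http))
    minimal = build_redirect("192.0.2.1", ip + tcp[:8])
    generous = build_redirect("192.0.2.1", ip + tcp + http)
    return {"minimal": parse_redirect(minimal), "generous": parse_redirect(generous)}


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, {k: v for k, v in info.items() if k != "l4_bytes"})
```

Running `demo()` shows the two cases side by side: with the minimum quote, the alert payload holds only the quoted IP header plus ports and sequence number (`app_data` empty); with a sender that quotes more, the same redirect carries the HTTP request of the connection it is about, which is why application data from a session unrelated to the ICMP packet itself shows up under an ICMP rule. The checksum check matters when examining captured redirects: a corrupted or truncated quote fails it and should not be interpreted further.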
Current thread:
- Snort 1.9.0 "Payload mixup". Nils Ulltveit-Moe (Jan 27)
- Re: Snort 1.9.0 "Payload mixup". Chris Green (Jan 27)