Snort mailing list archives
Re: HTTP Protocol Analysis
From: "Ms.Sonika Malhotra" <sonikam () magnum barc ernet in>
Date: Mon, 17 May 2004 16:19:36 +0530 (IST)
Is there a tool to detect the spyware in LAN? i.e. perhaps I can run a tool from a single host and get a list of suspicious programs running on different hosts in the LAN.

Regards

On Mon, 17 May 2004, Uso wrote:

Looks like spyware. I would run spybot on PCs and server and then have a 2nd look.

regards
Uso

----- Original Message -----
From: "Sonika Malhotra" <sonikam () magnum barc ernet in>
To: "snort-users" <snort-users () lists sourceforge net>
Sent: Friday, May 14, 2004 10:33 AM
Subject: [Snort-users] HTTP Protocol Analysis

Hello List,

I faced a recurrent problem in my network that any request to www.google.com, www.rediff.com, etc. was getting redirected to www.coolsavings.com. So the http traffic dump was taken using Snort (logger mode of Snort). The following was found in the HTTP session dump, and it can be observed that the reply packet had extra appended tags as follows:

... rediff Page contents....
<HTML>
<META HTTP-EQUIV=Refresh Content="0; URL=http://www.coolsavings.com">
</HTML>

Now this page is cached at our proxy and so all the requests are redirected to the new URL. When we disable the caching at the proxy the problem is taken care of, but the mechanism of doing this is still not known. I shall be grateful if anybody can explain this process.

Regards
Sonika

-------------------------------------------------------
This SF.Net email is sponsored by: SourceForge.net Broadband
Sign-up now for SourceForge Broadband and get the fastest 6.0/768 connection for only $19.95/mo for the first 3 months!
http://ads.osdn.com/?ad_id=2562&alloc_id=6184&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
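Added example, not part of the original thread or of Snort: a small check a defender could run over HTTP response bodies recovered from a capture or a proxy cache, flagging a meta-refresh tag that points off the requested site and noting whether it sits after the page's own closing </html>, as in the dump quoted above. The function names, the two-label site comparison and the sample bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Matches <META HTTP-EQUIV=Refresh ...> with or without quoted attribute values.
META_REFRESH = re.compile(
    r'<meta\b[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*>', re.I)
URL_IN_CONTENT = re.compile(
    r'content\s*=\s*["\']?\s*\d+\s*;\s*url\s*=\s*["\']?([^"\'>\s]+)', re.I)
HTML_CLOSE = re.compile(r'</html\s*>', re.I)

# Constructed sample modelled on the reply described in the message above.
SAMPLE_BODY = (
    "<html><head><title>rediff</title></head><body>page contents</body></html>\n"
    '<HTML> <META HTTP-EQUIV=Refresh Content="0; URL=http://www.coolsavings.com"> </HTML>'
)


def site(host):
    """Crude site key: last two DNS labels (assumption: no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def find_injected_refresh(request_host, body):
    """Return one finding per meta-refresh tag that leaves the requested site."""
    findings = []
    first_close = HTML_CLOSE.search(body)
    for tag in META_REFRESH.finditer(body):
        m = URL_IN_CONTENT.search(tag.group(0))
        if not m:
            continue
        target = urlparse(m.group(1)).hostname
        if target is None or site(target) == site(request_host):
            continue  # relative or same-site refresh: not of interest here
        findings.append({
            "target": target,
            # True when the tag follows the document's own </html>, i.e. it
            # was appended to an otherwise complete page.
            "appended": bool(first_close and tag.start() >= first_close.end()),
            "tag": tag.group(0),
        })
    return findings


if __name__ == "__main__":
    for f in find_injected_refresh("www.rediff.com", SAMPLE_BODY):
        print(f)
```

Running the same check against the body fetched directly from the origin and the body served by the proxy cache shows whether the tag is arriving from upstream or only from the cached copy.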
Current thread:
- HTTP Protocol Analysis Sonika Malhotra (May 13)
- Message not available
- Re: HTTP Protocol Analysis Sonika Malhotra (May 14)
- Message not available
- Re: HTTP Protocol Analysis Jason (May 14)
- <Possible follow-ups>
- Re: HTTP Protocol Analysis Sonika Malhotra (May 14)
- Re: HTTP Protocol Analysis Ms.Sonika Malhotra (May 17)
- Re: HTTP Protocol Analysis Keith W. McCammon (May 17)