Snort mailing list archives
Re: [http-inspect/SPNEGO]
From: Gregory D Hough <mr6re9 () execulink com>
Date: Mon, 20 Jun 2005 12:29:50 -0400
Gregory D Hough wrote:

Snortsters,

I have been getting gobs of OVERSIZE REQUEST-URI DIRECTORY alerts lately, since about June 03. HTTPD would answer these requests with a code 200 and serve my index page. I didn't like that so I configured Apache to respond with a 400 by use of the directive LimitRequestFieldsize 2048. Since then these requests have been morphing whereby the continuation packet size has been growing and shrinking.

Am I just losing my marbles? What is this thing anyway? Do I have packets? Yes, lots.

Thanks, farmer6re9

I realize this is just a little insignificant $HOME_NET I'm watching here. And that I probably don't have to worry about this goonine tool poking around, but I am curious as to what it is. Especially when the probes have increased fourfold in the last week. They generally all look much the same except in this portion of a continuation packet:

0130 74 5a 43 41 76 59 79 42 30 5a 6e 52 77 49 43 31  tZCAvYyB0ZnRwIC1
0140 70 49 44 49 79 4d 43 34 78 4f 44 67 75 4d 54 51  pIDIyMC4xODguMTQ
0150 34 4c 6a 45 79 4e 53 42 48 52 56 51 67 64 32 4e  4LjEyNSBHRVQgd2N
0160 7a 62 6d 5a 30 65 53 35 6c 65 47 55 6d 63 33 52  zbmZ0eS5leGUmc3R
0170 68 63 6e 51 67 64 32 4e 7a 62 6d 5a 30 65 53 35  hcnQgd2NzbmZ0eS5
0180 6c 65 47 55 6d 5a 58 68 70 64 41 42 43 51 6b 4a  leGUmZXhpdABCQkJ
0190 43 51 6b 4a 43 51 6b 4a 43 51 6b 4a 43 51 6b 4a  CQkJCQkJCQkJCQkJ

Does it have a name so I can google-it? I'd call it POKER-FACE because of all the Queen-King-Jack-Cards in its Data-Deck.

Please help, I'm getting straight flushed.

Thanks, farmer6re9
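
The ASCII column of the dump above contains only base64 characters, so one way to triage such a capture is to decode it. This is an added example, not part of the original post; it assumes the column is a base64 fragment that starts at an arbitrary point in the stream, and the function names are hypothetical.

```python
import base64

# ASCII column of the seven dump rows quoted in the post (offsets 0130-0190).
DUMP_ASCII = [
    "tZCAvYyB0ZnRwIC1", "pIDIyMC4xODguMTQ", "4LjEyNSBHRVQgd2N",
    "zbmZ0eS5leGUmc3R", "hcnQgd2NzbmZ0eS5", "leGUmZXhpdABCQkJ",
    "CQkJCQkJCQkJCQkJ",
]


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes in the printable ASCII range 0x20-0x7e."""
    if not data:
        return 0.0
    return sum(0x20 <= b <= 0x7E for b in data) / len(data)


def decode_fragment(fragment: str):
    """Decode a base64 fragment cut out of the middle of a stream.

    A mid-stream fragment need not start on a 4-character boundary, so all
    four alignments are tried and the most printable result is kept.
    Returns (offset, decoded_bytes).
    """
    best = (0, b"")
    for offset in range(4):
        chunk = fragment[offset:]
        chunk = chunk[: len(chunk) - len(chunk) % 4]  # whole quads only
        try:
            decoded = base64.b64decode(chunk, validate=True)
        except ValueError:  # not valid base64 at this alignment
            continue
        if printable_ratio(decoded) > printable_ratio(best[1]):
            best = (offset, decoded)
    return best


def render(data: bytes) -> str:
    """Show non-printable bytes as '.' so the result is safe to paste in a report."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in data)


if __name__ == "__main__":
    offset, decoded = decode_fragment("".join(DUMP_ASCII))
    print(f"alignment offset {offset}, {len(decoded)} bytes:")
    print(render(decoded))
```
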