Snort mailing list archives
Cookie jacking 19177 question
From: "Lay, James" <james.lay () wincofoods com>
Date: Fri, 29 Jul 2011 11:31:06 -0600
Topic says it...this doesn't seem to be a real cookiejacking attempt no?

James

#(2 - 1172) [2011-07-29 11:18:24] [url/www.swisscyberstorm.com/speakers/valotta-slides] [local rules dir: sid:19177;][snort/1-19177] WEB-MISC cookiejacking attempt
IPv4: 208.80.152.3 -> 70.103.190.98
      hlen=5 TOS=0 dlen=800 ID=46492 flags=0 offset=0 TTL=50 chksum=8990
TCP:  port=80 -> dport: 25166 flags=***AP*** seq=2147483647
      ack=167117666 off=5 res=0 win=9648 urp=0 chksum=428
Payload: length = 760

000 : 54 B2 0B 12 12 0A 0E E4 AA 0C 06 2D 4F F5 9F FF   T..........-O...
010 : 68 62 15 1D 0D 81 81 DA EE E0 C4 89 D0 BB B7 56   hb.............V
020 : 2C 9A BD DA 5D 10 8A 1A 83 5D DD 2D 2E 08 B7 90   ,...]....].-....
030 : 99 09 97 2E 69 67 03 D7 AF D7 AE E8 7A E1 05 ED   ....ig......z...
040 : 32 D4 0A 15 B4 30 51 10 C4 61 09 0E 81 AB AB E6   2....0Q..a......
050 : A2 4C 26 2D E1 6E B1 40 A9 52 E0 E1 21 E1 A0 20   .L&-.n.@.R..!..
060 : 82 25 38 30 A5 4A DD 4C C0 0B 82 84 84 82 43 A3   .%80.J.L......C.
070 : 46 89 E4 AB 04 71 58 82 E3 AF 6C 22 54 82 03 20   F....qX...l"T..
080 : 65 0D 82 20 88 60 09 82 20 88 60 09 82 20 82 25   e.. .`.. .`.. .%
090 : 08 82 20 82 25 08 82 50 48 FC 7F B4 EE E7 B1 A1   .. .%..PH......
0a0 : 90 26 E7 00 00 00 5A 74 45 58 74 63 6F 6D 6D 65   .&....ZtEXtcomme
0b0 : 6E 74 00 46 69 6C 65 20 73 6F 75 72 63 65 3A 20   nt.File source:
0c0 : 68 74 74 70 3A 2F 2F 63 6F 6D 6D 6F 6E 73 2E 77   http://commons.w
0d0 : 69 6B 69 6D 65 64 69 61 2E 6F 72 67 2F 77 69 6B   ikimedia.org/wik
0e0 : 69 2F 46 69 6C 65 3A 47 65 6F 6D 65 74 72 69 63   i/File:Geometric
0f0 : 44 69 73 74 61 6E 63 65 54 6F 48 6F 72 69 7A 6F   DistanceToHorizo
100 : 6E 2E 70 6E 67 D6 66 64 F4 00 00 00 25 74 45 58   n.png.fd....%tEX
110 : 74 64 61 74 65 3A 63 72 65 61 74 65 00 32 30 31   tdate:create.201
120 : 31 2D 30 34 2D 31 39 54 30 39 3A 32 30 3A 30 35   1-04-19T09:20:05
130 : 2B 30 30 3A 30 30 53 25 6F FE 00 00 00 25 74 45   +00:00S%o....%tE
140 : 58 74 64 61 74 65 3A 6D 6F 64 69 66 79 00 32 30   Xtdate:modify.20
150 : 31 31 2D 30 34 2D 31 39 54 30 39 3A 32 30 3A 30   11-04-19T09:20:0
160 : 35 2B 30 30 3A 30 30 22 78 D7 42 00 00 00 45 74   5+00:00"x.B...Et
170 : 45 58 74 73 6F 66 74 77 61 72 65 00 49 6D 61 67   EXtsoftware.Imag
180 : 65 4D 61 67 69 63 6B 20 36 2E 36 2E 32 2D 36 20   eMagick 6.6.2-6
190 : 32 30 31 30 2D 31 30 2D 32 33 20 51 38 20 68 74   2010-10-23 Q8 ht
1a0 : 74 70 3A 2F 2F 77 77 77 2E 69 6D 61 67 65 6D 61   tp://www.imagema
1b0 : 67 69 63 6B 2E 6F 72 67 07 E4 10 CF 00 00 00 18   gick.org........
1c0 : 74 45 58 74 54 68 75 6D 62 3A 3A 44 6F 63 75 6D   tEXtThumb::Docum
1d0 : 65 6E 74 3A 3A 50 61 67 65 73 00 31 A7 FF BB 2F   ent::Pages.1.../
1e0 : 00 00 00 18 74 45 58 74 54 68 75 6D 62 3A 3A 49   ....tEXtThumb::I
1f0 : 6D 61 67 65 3A 3A 68 65 69 67 68 74 00 35 35 38   mage::height.558
200 : 44 69 7C 4B 00 00 00 17 74 45 58 74 54 68 75 6D   Di|K....tEXtThum
210 : 62 3A 3A 49 6D 61 67 65 3A 3A 57 69 64 74 68 00   b::Image::Width.
220 : 38 30 30 E3 B1 C0 E2 00 00 00 19 74 45 58 74 54   800........tEXtT
230 : 68 75 6D 62 3A 3A 4D 69 6D 65 74 79 70 65 00 69   humb::Mimetype.i
240 : 6D 61 67 65 2F 70 6E 67 3F B2 56 4E 00 00 00 17   mage/png?.VN....
250 : 74 45 58 74 54 68 75 6D 62 3A 3A 4D 54 69 6D 65   tEXtThumb::MTime
260 : 00 31 33 30 33 32 30 34 38 30 35 C5 A3 B3 DA 00   .1303204805.....
270 : 00 00 11 74 45 58 74 54 68 75 6D 62 3A 3A 53 69   ...tEXtThumb::Si
280 : 7A 65 00 34 39 36 4B 42 E3 6A D0 B5 00 00 00 54   ze.496KB.j.....T
290 : 74 45 58 74 54 68 75 6D 62 3A 3A 55 52 49 00 66   tEXtThumb::URI.f
2a0 : 69 6C 65 3A 2F 2F 2F 6D 6E 74 2F 75 70 6C 6F 61   ile:///mnt/uploa
2b0 : 64 36 2F 77 69 6B 69 70 65 64 69 61 2F 63 6F 6D   d6/wikipedia/com
2c0 : 6D 6F 6E 73 2F 32 2F 32 31 2F 47 65 6F 6D 65 74   mons/2/21/Geomet
2d0 : 72 69 63 44 69 73 74 61 6E 63 65 54 6F 48 6F 72   ricDistanceToHor
2e0 : 69 7A 6F 6E 2E 70 6E 67 87 C7 26 DF 00 00 00 00   izon.png..&.....
2f0 : 49 45 4E 44 AE 42 60 82                           IEND.B`.
Current thread:
- Cookie jacking 19177 question Lay, James (Jul 29)
- Re: Cookie jacking 19177 question rmkml (Jul 30)