Snort mailing list archives
Re: problems with packet logs on 1.8.2
From: Phil Wood <cpw () lanl gov>
Date: Wed, 28 Nov 2001 12:20:42 -0700
I've seen similar packets. However, in this case, are you sending your alerts over the same interface as the interface you are watching with snort?

On Wed, Nov 28, 2001 at 05:00:07PM +1300, Russell Fulton wrote:
Hi All,
I am getting some garbage in packet captures, here is an
example:
[**] WEB-IIS cmd.exe access [**]
11/28-15:18:41.518117 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x0 len:0x27D
210.55.38.206:1180 -> 130.216.191.67:80 TCP TTL:240 TOS:0x10 ID:0
IpLen:20 DgmLen:623
***AP*** Seq: 0x78406864 Ack: 0x2AA275 Win: 0x40E8 TcpLen: 20
65 3A 30 78 30 20 6C 65 6E 3A 30 78 32 35 33 0D e:0x0 len:0x253.
0A 32 30 33 2E 39 36 2E 39 33 2E 38 39 3A 31 33 .203.96.93.89:13
36 35 20 2D 3E 20 31 33 30 2E 32 31 36 2E 31 39 65 -> 130.216.19
31 2E 36 37 3A 38 30 20 54 43 50 20 54 54 4C 3A 1.67:80 TCP TTL:
32 34 30 20 54 4F 53 3A 30 78 31 30 20 49 44 3A 240 TOS:0x10 ID:
30 20 0D 0A 49 70 4C 65 6E 3A 32 30 20 44 67 6D 0 ..IpLen:20 Dgm
4C 65 6E 3A 35 38 31 0D 0A 2A 2A 2A 41 50 2A 2A Len:581..***AP**
2A 20 53 65 71 3A 20 30 78 45 43 35 36 37 39 37 * Seq: 0xEC56797
44 20 20 41 63 6B 3A 20 30 78 34 34 41 42 33 34 D Ack: 0x44AB34
42 20 20 57 69 6E 3A 20 30 78 34 30 45 38 20 20 B Win: 0x40E8
54 63 70 4C 65 6E 3A 20 32 30 0D 0A 34 37 20 34 TcpLen: 20..47 4
35 20 35 34 20 32 30 20 32 46 20 37 33 20 36 33 5 54 20 2F 73 63
20 37 32 20 36 39 20 37 30 20 37 34 20 37 33 20 72 69 70 74 73
32 46 20 32 45 20 32 45 20 35 43 20 20 47 45 54 2F 2E 2E 5C GET
20 2F 73 63 72 69 70 74 73 2F 2E 2E 5C 0D 0A 32 /scripts/..\..2
45 20 32 45 20 32 46 20 37 37 20 36 39 20 36 45 E 2E 2F 77 69 6E
20 36 45 20 37 34 20 32 46 20 37 33 20 37 39 20 6E 74 2F 73 79
37 33 20 37 34 20 36 35 20 36 44 20 33 33 20 20 73 74 65 6D 33
2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33 ../winnt/system3
0D 0A 33 32 20 32 46 20 36 33 20 36 44 20 36 34 ..32 2F 63 6D 64
20 32 45 20 36 35 20 37 38 20 36 35 20 33 46 20 2E 65 78 65 3F
32 46 20 36 33 20 32 42 20 36 34 20 36 39 20 37 2F 63 2B 64 69 7
32 20 20 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 2 2/cmd.exe?/c+
64 69 72 0D 0A 32 30 20 37 32 20 32 30 20 37 32 dir..20 72 20 72
20 32 30 20 34 38 20 35 34 20 35 34 20 35 30 20 20 48 54 54 50
[snip]
In this case it would appear that the packet has been decoded twice so
the packet contents are now the ascii packet capture.
Another example:
[**] WEB-IIS .... access [**]
11/28-13:31:23.680387 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x0 len:0x253
203.96.93.89:1365 -> 130.216.191.67:80 TCP TTL:240 TOS:0x10 ID:0
IpLen:20 DgmLen:581
***AP*** Seq: 0xEC56797D Ack: 0x44AB34B Win: 0x40E8 TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 5C GET /scripts/..\
2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33 ../winnt/system3
32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72 2/cmd.exe?/c+dir
20 72 20 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48 r r HTTP/1.0..H
6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65 ost: www..Connne
63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D 0A ction: close....
33 0D 0A 0D 0A 32 30 0D 0A 20 20 20 20 20 20 20 3....20..
20 20 20 20 20 43 6C 6F 75 64 45 69 67 68 74 20 CloudEight
43 44 73 3D 32 30 0D 0A 20 20 20 20 20 20 20 20 CDs=20..
20 20 20 20 4D 61 69 6C 20 4C 69 73 74 3D 32 30 Mail List=20
0D 0A 20 20 20 20 20 20 20 20 20 20 20 20 48 65 .. He
6C 70 3D 32 30 0D 0A 20 20 20 20 20 20 20 20 20 lp=20..
20 20 20 46 41 51 3D 32 30 0D 0A 20 20 20 20 20 FAQ=20..
20 20 20 20 20 20 20 43 68 72 69 73 74 6D 61 73 Christmas
3D 32 30 0D 0A 20 20 20 20 20 20 20 20 20 20 20 =20..
20 56 61 6C 65 6E 74 69 6E 65 27 73 20 44 61 79 Valentine's Day
3D 32 30 0D 0A 20 20 20 20 20 20 20 20 20 20 20 =20..
20 45 61 73 74 65 72 3D 32 30 0D 0A 20 20 20 20 Easter=20..
20 20 20 20 20 20 20 20 48 61 6C 6C 6F 77 65 65 Hallowee
6E 3D 32 30 0D 0A 20 20 20 20 20 20 20 20 20 20 n=20..
20 20 53 70 65 63 69 61 6C 20 4F 63 63 61 73 69 Special Occasi
6F 6E 73 3D 32 30 0D 0A 20 20 20 20 20 20 20 20 ons=20..
20 20 20 20 54 68 61 6E 6B 73 67 69 76 69 6E 67 Thanksgiving
0D 0A 0D 0A 0D 0A 20 20 20 20 20 20 20 20 20 20 ......
20 20 43 68 72 69 73 74 6D 61 73 3D 32 30 0D 0A Christmas=20..
20 20 20 20 20 20 20 20 20 20 20 20 41 63 70 72 Acpr
65 73 73 69 6F 6E 73 0D 0A 0D 0A 0D 0A 0D 0A 20 essions........
20 20 20 20 20 20 20 20 20 20 20 46 65 61 74 75 Featu
72 65 64 20 69 6E 20 54 68 69 73 3D 32 30 0D 0A red in This=20..
20 20 20 20 20 20 20 20 20 20 20 20 4E 65 77 73 News
6C 65 74 74 65 72 3A 3D 32 30 0D 0A 0D 0A 20 20 letter:=20....
20 20 20 20 20 20 20 20 20 20 43 68 72 69 73 74 Christ
6D 61 73 20 44 72 65 61 6D 73 3D 32 30 0D 0A 20 mas Dreams=20..
20 20 20 20 20 20 20 20 37 0D 0A 0D 0A 7....
In this case it looks as if the packet length is wrong and we have
trailing garbage from some other packet.
I'm running snort on a debian linux system, the command line is
snort -A full -c rules.130.216.0.0 -d -D -e -h 130.216.0.0/16 -i eth1
-l /home/snort/...
These are set in the config file:
preprocessor frag2
preprocessor stream4: noalerts
preprocessor stream4_reassemble
preprocessor http_decode: 80
preprocessor rpc_decode: 111
preprocessor telnet_decode
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Phil Wood, cpw () lanl gov
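As an added diagnostic, not code from the post or from Snort, here is a small parser for the "-A full -d -e" log layout shown above. It flags the two symptoms Russell describes: a payload whose decoded bytes are themselves Snort alert text (what you would expect to see if the alert output travelled across the interface Snort is watching, which is Phil's question), and a payload length that disagrees with DgmLen, IpLen and TcpLen. The sample entry, its addresses and the 14-byte Ethernet link header are assumptions made for the example.

```python
import re

# Constructed sample entry in the layout Snort 1.x writes with "-A full -d -e";
# addresses and payload are made up for this example, not taken from the post.
SAMPLE = """\
[**] WEB-IIS cmd.exe access [**]
11/28-15:18:41.518117 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x0 len:0x66
192.0.2.10:1180 -> 192.0.2.20:80 TCP TTL:240 TOS:0x10 ID:0
IpLen:20 DgmLen:88
***AP*** Seq: 0x1 Ack: 0x2 Win: 0x40E8 TcpLen: 20
5B 2A 2A 5D 20 57 45 42 2D 49 49 53 20 63 6D 64  [**] WEB-IIS cmd
2E 65 78 65 20 61 63 63 65 73 73 20 5B 2A 2A 5D  .exe access [**]
0D 0A 49 70 4C 65 6E 3A 32 30 20 44 67 6D 4C 65  ..IpLen:20 DgmLe
"""

FIELD_RE = re.compile(r"(len|IpLen|DgmLen|TcpLen):\s*(0x[0-9A-Fa-f]+|\d+)")
HEX_LINE_RE = re.compile(r"^([0-9A-F]{2} )+")
# Signs that the payload is Snort's own alert/packet-header text.
ALERT_RE = re.compile(rb"\[\*\*\]|IpLen:\d+ DgmLen:\d+")


def parse_entry(text):
    """Split one alert entry into its header fields and the raw payload bytes."""
    fields, payload = {}, bytearray()
    for line in text.splitlines():
        if HEX_LINE_RE.match(line):
            # Snort prints 16 hex bytes in a 48-char column, then the ASCII view;
            # slicing the fixed column avoids misreading ASCII that looks like hex.
            payload += bytes.fromhex(line[:48])
        else:
            for name, value in FIELD_RE.findall(line):
                fields[name] = int(value, 0)
    return fields, bytes(payload)


def check_entry(text, link_hdr=14):
    """Return the anomalies worth flagging for one entry (assumes Ethernet framing)."""
    f, payload = parse_entry(text)
    problems = []
    expected_payload = f["DgmLen"] - f["IpLen"] - f["TcpLen"]
    if len(payload) != expected_payload:
        problems.append(f"payload {len(payload)} bytes, headers imply {expected_payload}")
    if f["len"] != f["DgmLen"] + link_hdr:
        problems.append(f"frame len {f['len']} != DgmLen {f['DgmLen']} + {link_hdr}")
    if ALERT_RE.search(payload):
        problems.append("payload contains Snort's own alert text "
                        "(alert output captured on the monitored interface?)")
    return problems
```

Run over the two dumps in the post, the first trips the alert-text check (its payload starts with "e:0x0 len:0x253" and carries a full "IpLen:20 DgmLen:581" header), while the second is where the length checks apply.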
