[Snort-devel] [ snort-Bugs-507117 ] ascii dump begins after http headers

noreply at ...12...
Tue Jan 22 12:54:04 EST 2002


Bugs item #507117, was opened at 2002-01-22 11:09
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=103357&aid=507117&group_id=3357

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: stephane nasdrovisky (snasdrov)
Assigned to: Nobody/Anonymous (nobody)
Summary: ascii dump begins after http headers

Initial Comment:

It seems that -sometimes- the ascii dump of offending packets begins in the middle of a packet 
and is zero-filled for the length of the packet. The packet shown below is the 62nd of an http 
session (out of 75), containing the 5th (and last) POST request. No other packet in this session 
triggered any snort rule. I can send you the snort -o output of this session if you feel the need.
The snort version installed is an old one: 1.8.1, but I haven't found a description that could match 
this issue.

Here is the raw information:

cat /var/log/snort/149.225.93.44/TCP:1084-80

[**] IDS259/web-misc_http-alibaba-overflow [**]
01/22-14:42:12.146697 149.225.93.44:1084 -> m.y.i.p:80 TCP TTL:255 TOS:0x10 ID:0 IpLen:20 DgmLen:2479
***AP*** Seq: 0xAD05E  Ack: 0xAD7FB  Win: 0x60F4  TcpLen: 20
70 6E 72 3D 34 30 32 31 36 36 39 26 6D 61 73 74  pnr=4021669&mast
65 72 6E 61 6D 65 3D 4B 75 6E 73 6D 61 6E 6E 26  ername=Kunsmann&
64 61 79 66 6C 69 67 68 74 3D 32 26 6D 6F 6E 74  dayflight=2&mont
68 66 6C 69 67 68 74 3D 32 26 79 65 61 72 66 6C  hflight=2&yearfl
69 67 68 74 3D 32 30 30 32 26 66 6C 69 67 68 74  ight=2002&flight
6E 75 6D 62 65 72 3D 37 37 31 26 65 6D 61 69 6C  number=771&email
3D 61 69 72 73 74 72 69 6B 65 33 39 40 68 6F 74  =airstrike39 at ...1090...
6D 61 69 6C 2E 63 6F 6D 00 00 00 00 00 00 00 00  mail.com........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
(34 more lines of zeroes)

alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS259/web-misc_http-alibaba-overflow"; dsize: >1400; flags: A+; content: "POST"; classtype: system-attempt; reference: arachnids,259;)

here is a snoop dump of the same packet:
 61 14:42:12.05293 149.225.93.44 -> m.y.i.p HTTP POST /servlet/register HTTP/1.1
           0: 0800 20fc b84e 0000 0c92 0070 0800 4500    .. ..N.....p..E.
          16: 028c d70c 4000 7306 b763 95e1 5d2c 0000 .... at ...1091...],..
          32: 0000 043c 0050 000a d7fb 5d13 8d61 5018    .S.<.P....]..aP.
          48: 2233 8e8a 0000 504f 5354 202f 7365 7276    "3....POST /serv
          64: 6c65 742f 7265 6769 7374 6572 2048 5454    let/register HTT
          80: 502f 312e 310d 0a41 6363 6570 743a 2069    P/1.1..Accept: i
          96: 6d61 6765 2f67 6966 2c20 696d 6167 652f    mage/gif, image/
         112: 782d 7862 6974 6d61 702c 2069 6d61 6765    x-xbitmap, image
         128: 2f6a 7065 672c 2069 6d61 6765 2f70 6a70    /jpeg, image/pjp
         144: 6567 2c20 6170 706c 6963 6174 696f 6e2f    eg, application/
         160: 766e 642e 6d73 2d65 7863 656c 2c20 6170    vnd.ms-excel, ap
         176: 706c 6963 6174 696f 6e2f 6d73 776f 7264    plication/msword
         192: 2c20 6170 706c 6963 6174 696f 6e2f 766e    , application/vn
         208: 642e 6d73 2d70 6f77 6572 706f 696e 742c    d.ms-powerpoint,
         224: 202a 2f2a 0d0a 5765 6665 7265 723a 2057     */*..Weferer: W
         240: 4355 4650 4547 4155 5446 4a4d 5652 4553    CUFPEGAUTFJMVRES
         256: 4b50 4e4b 0d0a 4163 6365 7074 2d4c 616e    KPNK..Accept-Lan
         272: 6775 6167 653a 2065 6e2c 6465 3b71 3d30    guage: en,de;q=0
         288: 2e38 2c6a 613b 713d 302e 352c 6b6f 3b71    .8,ja;q=0.5,ko;q
         304: 3d30 2e33 0d0a 436f 6e74 656e 742d 5479    =0.3..Content-Ty
         320: 7065 3a20 6170 706c 6963 6174 696f 6e2f    pe: application/
         336: 782d 7777 772d 666f 726d 2d75 726c 656e    x-www-form-urlen
         352: 636f 6465 640d 0a41 6363 6570 742d 456e    coded..Accept-En
         368: 636f 6469 6e67 3a20 677a 6970 2c20 6465    coding: gzip, de
         384: 666c 6174 650d 0a55 7365 722d 4167 656e    flate..User-Agen
         400: 743a 204d 6f7a 696c 6c61 2f34 2e30 2028    t: Mozilla/4.0 (
         416: 636f 6d70 6174 6962 6c65 3b20 4d53 4945    compatible; MSIE
         432: 2035 2e35 3b20 5769 6e64 6f77 7320 3938     5.5; Windows 98
         448: 290d 0a48 6f73 743a 2020 2020 2020 2020    )..Host:       
         464: 2020 2020 2020 0d0a 436f 6e74 656e 742d          ..Content-
         480: 4c65 6e67 7468 3a20 3132 320d 0a43 6f6e    Length: 122..Con
         496: 6e65 6374 696f 6e3a 204b 6565 702d 416c    nection: Keep-Al
         512: 6976 650d 0a43 6163 6865 2d43 6f6e 7472    ive..Cache-Contr
         528: 6f6c 3a20 6e6f 2d63 6163 6865 0d0a 0d0a    ol: no-cache....
         544: 706e 723d 3430 3231 3636 3926 6d61 7374    pnr=4021669&mast
         560: 6572 6e61 6d65 3d30 3030 3031 3130 2664    ername=0000110&d
         576: 6179 666c 6967 6874 3d32 266d 6f6e 7468    ayflight=2&month
         592: 666c 6967 6874 3d32 2679 6561 7266 6c69    flight=2&yearfli
         608: 6768 743d 3230 3032 2666 6c69 6768 746e    ght=2002&flightn
         624: 756d 6265 723d 4c47 2b37 3731 2665 6d61    umber=LG+771&ema
         640: 696c 3d61 6972 7374 7269 6b65 3339 4068    il=airstrike39 at ...1092...
         656: 6f74 6d61 696c 2e63 6f6d                   otmail.com


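An added example (not part of the bug report and not Snort code) for checking a Snort hex/ASCII log against the snoop capture of the same packet, as was done by hand above: it parses both dump formats, reads the expected TCP payload size from the DgmLen/IpLen/TcpLen header values, finds where the logged bytes really start inside the frame, and counts the trailing zero-fill. The sample frame and log text are constructed (a 92-byte packet carrying a 38-byte POST), and the 14-byte Ethernet header offset is an assumption about the snoop capture.

```python
import re
# Snort 1.8 hex/ASCII log line: up to 16 "XX " pairs, then the ASCII column.
SNORT_LINE = re.compile(r"^((?:[0-9A-Fa-f]{2} ){1,16})\s*")
# snoop -v line: decimal offset, colon, up to 8 four-digit hex groups, ASCII column.
SNOOP_LINE = re.compile(r"^\s*\d+:\s+((?:[0-9A-Fa-f]{4}\s+){1,8})")
ETHER_HDR = 14  # assumption: snoop frames start at Ethernet; Snort logs should start at the TCP payload
def parse_hex_dump(text, pattern):
    """Concatenate the hex column of every line matching pattern; skip header/other lines."""
    out = bytearray()
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            out += bytes.fromhex("".join(m.group(1).split()))
    return bytes(out)
def audit_logged_payload(snort_dump, snoop_dump, dgm_len, ip_len, tcp_len):
    """Locate Snort's logged bytes inside the snoop frame and measure the zero-fill."""
    logged = parse_hex_dump(snort_dump, SNORT_LINE)
    frame = parse_hex_dump(snoop_dump, SNOOP_LINE)
    payload_start = ETHER_HDR + ip_len + tcp_len
    body = logged.rstrip(b"\x00")  # caveat: a payload that really ends in NULs is trimmed too
    starts_at = frame.find(body) if body else -1
    return {
        "expected_len": dgm_len - ip_len - tcp_len,  # TCP payload size per the IP header
        "logged_len": len(logged),
        "zero_fill": len(logged) - len(body),
        "starts_at": starts_at,
        # bytes of real payload the log silently dropped before its first byte
        "skipped": starts_at - payload_start if starts_at >= 0 else None,
    }
# Constructed sample: a 92-byte frame (Ethernet+IP+TCP+38-byte POST) in snoop format ...
SNOOP_SAMPLE = """\
   0: 0800 20fc b84e 0000 0c92 0070 0800 4500    .. ..N.....p..E.
  16: 004e 0001 4000 4006 0000 c0a8 0001 c0a8    .N..@.@.........
  32: 0002 043c 0050 0000 0001 0000 0001 5018    ...<.P........P.
  48: 2000 0000 0000 504f 5354 202f 7220 4854     .....POST /r HT
  64: 5450 2f31 2e31 0d0a 486f 7374 3a20 780d    TP/1.1..Host: x.
  80: 0a0d 0a70 6e72 3d31 266d 3d6b              ...pnr=1&m=k
"""
# ... and the same packet logged the way the report describes: body only, zero-filled to 38 bytes.
SNORT_SAMPLE = """\
***AP*** Seq: 0x1  Ack: 0x1  Win: 0x2000  TcpLen: 20
70 6E 72 3D 31 26 6D 3D 6B 00 00 00 00 00 00 00  pnr=1&m=k.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00  ......
"""
if __name__ == "__main__":
    print(audit_logged_payload(SNORT_SAMPLE, SNOOP_SAMPLE, dgm_len=78, ip_len=20, tcp_len=20))
```

A log that is correct starts at the first payload byte (skipped 0) and has no zero-fill; the sample reproduces the report's symptom, where the logged length equals the payload length but the headers are missing and replaced by trailing zeroes.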