[Snort-devel] Stream4 woes ??

Russell Fulton r.fulton at ...1343...
Mon Mar 10 19:22:01 EST 2003


Hi All,
I posted a note about this a week or so back but did not get any
response, so here it goes again.

Since I upgraded to 1.9.1 I have been getting alerts from various overflow
rules, but the contents of the logged packets don't seem to make any sense;
they seem to contain random bits from other protocols (mainly http, surprise).

I am wondering if there is a new bug in stream4?


[**] POP3 PASS overflow attempt [**]
03/11-02:04:07.238325 219.88.49.235:3265 -> 130.216.128.31:110
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:65
***AP*** Seq: 0xCC5E889C  Ack: 0x3F0A0198  Win: 0x7FD4  TcpLen: 20
0x0000: 00 E0 1E 8E 31 71 00 00 0C 46 5C D1 08 00 45 10  ....1q...F\...E.
0x0010: 00 41 00 00 00 00 F0 06 00 00 DB 58 31 EB 82 D8  .A.........X1...
0x0020: 80 1F 0C C1 00 6E CC 5E 88 9C 3F 0A 01 98 50 18  .....n.^..?...P.
0x0030: 7F D4 00 00 00 00 48 54 54 50 2F 31 2E 31 20 32  ......HTTP/1.1 2
0x0040: 30 30 20 4F 4B 0D 0A 53 50 41 53 53 20 74 72     00 OK..SPASS tr

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] FTP CWD overflow attempt [**]
03/11-02:03:50.770197 203.167.168.37:3792 -> 130.216.96.200:21
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:168
***AP*** Seq: 0xD219E502  Ack: 0x3860C4BB  Win: 0xFA37  TcpLen: 20
0x0000: 00 E0 1E 8E 31 71 00 00 0C 46 5C D1 08 00 45 10  ....1q...F\...E.
0x0010: 00 A8 00 00 00 00 F0 06 00 00 CB A7 A8 25 82 D8  .............%..
0x0020: 60 C8 0E D0 00 15 D2 19 E5 02 38 60 C4 BB 50 18  `.........8`..P.
0x0030: FA 37 00 00 00 00 47 45 54 20 2F 63 6F 6E 66 69  .7....GET /confi
0x0040: 67 2F 6C 6F 67 69 6E 50 41 53 53 20 79 6F 75 76  g/loginPASS youv
0x0050: 69 6E 67 36 0D 0A 6F 70 74 73 20 75 74 66 38 20  ing6..opts utf8 
0x0060: 6F 6E 0D 0A 73 79 73 74 0D 0A 73 69 74 65 20 68  on..syst..site h
0x0070: 65 6C 70 0D 0A 50 57 44 0D 0A 54 59 50 45 20 41  elp..PWD..TYPE A
0x0080: 0D 0A 50 4F 52 54 20 32 30 33 2C 31 36 37 2C 31  ..PORT 203,167,1
0x0090: 36 38 2C 33 37 2C 31 39 2C 31 33 37 0D 0A 4C 49  68,37,19,137..LI
0x00A0: 53 54 0D 0A 30 26 2E 76 3D 30 43 57 44 20 2F 73  ST..0&.v=0CWD /s
0x00B0: 63 6F 73 30 30 35                                cos005

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It ain't necessarily so"  - Gershwin
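As an added triage aid (not part of the original post or of Snort), the script below parses alert blocks in the full-format dump shown above and flags the symptom being reported: a logged payload that opens with HTTP text although the destination port is POP3, FTP or some other non-HTTP service. It assumes the hex dump begins with a 14-byte Ethernet header and uses a small, assumed set of HTTP ports; the sample text is the two alerts above with their hex dumps shortened.

```python
import re

# Constructed sample in Snort's full alert format: the header lines of the two
# alerts quoted in the post, with the hex dumps cut to the rows needed here.
SAMPLE_ALERTS = r"""[**] POP3 PASS overflow attempt [**]
03/11-02:04:07.238325 219.88.49.235:3265 -> 130.216.128.31:110
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:65
***AP*** Seq: 0xCC5E889C  Ack: 0x3F0A0198  Win: 0x7FD4  TcpLen: 20
0x0000: 00 E0 1E 8E 31 71 00 00 0C 46 5C D1 08 00 45 10  ....1q...F\...E.
0x0010: 00 41 00 00 00 00 F0 06 00 00 DB 58 31 EB 82 D8  .A.........X1...
0x0020: 80 1F 0C C1 00 6E CC 5E 88 9C 3F 0A 01 98 50 18  .....n.^..?...P.
0x0030: 7F D4 00 00 00 00 48 54 54 50 2F 31 2E 31 20 32  ......HTTP/1.1 2
0x0040: 30 30 20 4F 4B 0D 0A 53 50 41 53 53 20 74 72     00 OK..SPASS tr

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] FTP CWD overflow attempt [**]
03/11-02:03:50.770197 203.167.168.37:3792 -> 130.216.96.200:21
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:168
***AP*** Seq: 0xD219E502  Ack: 0x3860C4BB  Win: 0xFA37  TcpLen: 20
0x0000: 00 E0 1E 8E 31 71 00 00 0C 46 5C D1 08 00 45 10  ....1q...F\...E.
0x0010: 00 A8 00 00 00 00 F0 06 00 00 CB A7 A8 25 82 D8  .............%..
0x0020: 60 C8 0E D0 00 15 D2 19 E5 02 38 60 C4 BB 50 18  `.........8`..P.
0x0030: FA 37 00 00 00 00 47 45 54 20 2F 63 6F 6E 66 69  .7....GET /confi
0x0040: 67 2F 6C 6F 67 69 6E 50 41 53 53 20 79 6F 75 76  g/loginPASS youv
"""
ETHERNET_HDR = 14  # the dump starts at the link-layer header (Ethernet assumed)
HTTP_MARKERS = (b"HTTP/1.", b"GET ", b"POST ", b"HEAD ")
HTTP_PORTS = {80, 8080, 8000, 3128}  # assumed set of ports where HTTP is expected

def parse_alerts(text):
    """Return one dict per alert block, with the TCP payload cut from the hex dump."""
    alerts = []
    for block in re.split(r"\n\s*\n", text):
        if not block.startswith("[**]"):
            continue  # separator lines between alerts
        conn = re.search(r"([\d.]+):(\d+) -> ([\d.]+):(\d+)", block)
        iplen = int(re.search(r"IpLen:(\d+)", block).group(1))
        tcplen = int(re.search(r"TcpLen: (\d+)", block).group(1))
        # Parse only the fixed-width hex column; the ASCII column can contain "00" or "OK".
        rows = re.findall(r"^0x[0-9A-Fa-f]{4}: (.{0,47})", block, re.M)
        raw = bytes.fromhex("".join(re.findall(r"\b[0-9A-Fa-f]{2}\b", " ".join(rows))))
        alerts.append({"msg": block.splitlines()[0].strip("[*] "), "src": conn.group(1),
                       "dport": int(conn.group(4)), "payload": raw[ETHERNET_HDR + iplen + tcplen:]})
    return alerts

def looks_like_stream_mixup(alert):
    """True when the logged payload opens with HTTP text but the destination port is not HTTP."""
    return alert["dport"] not in HTTP_PORTS and alert["payload"].startswith(HTTP_MARKERS)
```

Running it over a day of full-format alerts and counting how many are flagged gives a quick measure of whether the odd payloads are isolated or systematic.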