[Snort-devel] Stream4 woes ??

Lawrence Reed Lawrence.Reed at ...1489...
Tue Mar 11 04:25:18 EST 2003


Russell,
Packet loss can probably cause this.  Are you dropping any packets?  

Russell Fulton wrote:

>Hi All,
>	I posted a note about this a week or so back but did not get any 
>response so here it goes again.
>
>Since I upgraded to 1.9.1 I have been getting alerts from various overflow
>rules but the contents of the logged packets don't seem to make any sense,
>they seem to contain random bits from other protocols (mainly http, surprise) 
>
>I am wondering if there is a new bug in stream4?
>
>
>[**] POP3 PASS overflow attempt [**]
>03/11-02:04:07.238325 219.88.49.235:3265 -> 130.216.128.31:110
>TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:65
>***AP*** Seq: 0xCC5E889C  Ack: 0x3F0A0198  Win: 0x7FD4  TcpLen: 20
>0x0000: 00 E0 1E 8E 31 71 00 00 0C 46 5C D1 08 00 45 10  ....1q...F\...E.
>0x0010: 00 41 00 00 00 00 F0 06 00 00 DB 58 31 EB 82 D8  .A.........X1...
>0x0020: 80 1F 0C C1 00 6E CC 5E 88 9C 3F 0A 01 98 50 18  .....n.^..?...P.
>0x0030: 7F D4 00 00 00 00 48 54 54 50 2F 31 2E 31 20 32  ......HTTP/1.1 2
>0x0040: 30 30 20 4F 4B 0D 0A 53 50 41 53 53 20 74 72     00 OK..SPASS tr
>
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>[**] FTP CWD overflow attempt [**]
>03/11-02:03:50.770197 203.167.168.37:3792 -> 130.216.96.200:21
>TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:168
>***AP*** Seq: 0xD219E502  Ack: 0x3860C4BB  Win: 0xFA37  TcpLen: 20
>0x0000: 00 E0 1E 8E 31 71 00 00 0C 46 5C D1 08 00 45 10  ....1q...F\...E.
>0x0010: 00 A8 00 00 00 00 F0 06 00 00 CB A7 A8 25 82 D8  .............%..
>0x0020: 60 C8 0E D0 00 15 D2 19 E5 02 38 60 C4 BB 50 18  `.........8`..P.
>0x0030: FA 37 00 00 00 00 47 45 54 20 2F 63 6F 6E 66 69  .7....GET /confi
>0x0040: 67 2F 6C 6F 67 69 6E 50 41 53 53 20 79 6F 75 76  g/loginPASS youv
>0x0050: 69 6E 67 36 0D 0A 6F 70 74 73 20 75 74 66 38 20  ing6..opts utf8 
>0x0060: 6F 6E 0D 0A 73 79 73 74 0D 0A 73 69 74 65 20 68  on..syst..site h
>0x0070: 65 6C 70 0D 0A 50 57 44 0D 0A 54 59 50 45 20 41  elp..PWD..TYPE A
>0x0080: 0D 0A 50 4F 52 54 20 32 30 33 2C 31 36 37 2C 31  ..PORT 203,167,1
>0x0090: 36 38 2C 33 37 2C 31 39 2C 31 33 37 0D 0A 4C 49  68,37,19,137..LI
>0x00A0: 53 54 0D 0A 30 26 2E 76 3D 30 43 57 44 20 2F 73  ST..0&.v=0CWD /s
>0x00B0: 63 6F 73 30 30 35                                cos005
>
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>

-- 
Larry Reed  Lawrence.Reed at ...1489...
NOAA IT Security Office
PGP Public Key:  http://search.keyserver.net:11371/pks/lookup?op=get&search=0x7A998772
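A triage helper for alert records like the two quoted above, added here as an example; it is not code from the thread or from Snort itself. It parses the text alert format (header lines plus the hex dump of the whole frame), carves the TCP payload out of the dump using the logged IpLen and TcpLen, and flags the two things visible in Russell's records: HTTP data sitting inside a POP3 or FTP session, and the command the rule matched on (PASS, CWD) appearing in the middle of a line rather than at the start of one, which is what spliced stream data from different sessions looks like. The rule-name-to-keyword and port-to-protocol tables are assumptions made for this example, and the sample input is the two records from the thread.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample input: the two alert records quoted in the thread, in the
# Snort text alert format (header lines followed by a hex dump of the frame).
SAMPLE_ALERTS = r"""
[**] POP3 PASS overflow attempt [**]
03/11-02:04:07.238325 219.88.49.235:3265 -> 130.216.128.31:110
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:65
***AP*** Seq: 0xCC5E889C  Ack: 0x3F0A0198  Win: 0x7FD4  TcpLen: 20
0x0000: 00 E0 1E 8E 31 71 00 00 0C 46 5C D1 08 00 45 10  ....1q...F\...E.
0x0010: 00 41 00 00 00 00 F0 06 00 00 DB 58 31 EB 82 D8  .A.........X1...
0x0020: 80 1F 0C C1 00 6E CC 5E 88 9C 3F 0A 01 98 50 18  .....n.^..?...P.
0x0030: 7F D4 00 00 00 00 48 54 54 50 2F 31 2E 31 20 32  ......HTTP/1.1 2
0x0040: 30 30 20 4F 4B 0D 0A 53 50 41 53 53 20 74 72     00 OK..SPASS tr

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] FTP CWD overflow attempt [**]
03/11-02:03:50.770197 203.167.168.37:3792 -> 130.216.96.200:21
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:168
***AP*** Seq: 0xD219E502  Ack: 0x3860C4BB  Win: 0xFA37  TcpLen: 20
0x0000: 00 E0 1E 8E 31 71 00 00 0C 46 5C D1 08 00 45 10  ....1q...F\...E.
0x0010: 00 A8 00 00 00 00 F0 06 00 00 CB A7 A8 25 82 D8  .............%..
0x0020: 60 C8 0E D0 00 15 D2 19 E5 02 38 60 C4 BB 50 18  `.........8`..P.
0x0030: FA 37 00 00 00 00 47 45 54 20 2F 63 6F 6E 66 69  .7....GET /confi
0x0040: 67 2F 6C 6F 67 69 6E 50 41 53 53 20 79 6F 75 76  g/loginPASS youv
0x0050: 69 6E 67 36 0D 0A 6F 70 74 73 20 75 74 66 38 20  ing6..opts utf8 
0x0060: 6F 6E 0D 0A 73 79 73 74 0D 0A 73 69 74 65 20 68  on..syst..site h
0x0070: 65 6C 70 0D 0A 50 57 44 0D 0A 54 59 50 45 20 41  elp..PWD..TYPE A
0x0080: 0D 0A 50 4F 52 54 20 32 30 33 2C 31 36 37 2C 31  ..PORT 203,167,1
0x0090: 36 38 2C 33 37 2C 31 39 2C 31 33 37 0D 0A 4C 49  68,37,19,137..LI
0x00A0: 53 54 0D 0A 30 26 2E 76 3D 30 43 57 44 20 2F 73  ST..0&.v=0CWD /s
0x00B0: 63 6F 73 30 30 35                                cos005
"""

# Assumed for this example: the command each rule in the thread matched on,
# and the application protocol expected on the destination port.
RULE_KEYWORD = {"POP3 PASS overflow attempt": b"PASS", "FTP CWD overflow attempt": b"CWD"}
PORT_PROTO = {21: "ftp", 110: "pop3"}
HTTP_MARKERS = (b"HTTP/1.", b"GET ", b"POST ", b"HEAD ")

HEADER_RE = re.compile(r"^\d\d/\d\d-[\d:.]+\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)")
IP_RE = re.compile(r"^TCP\s+TTL:(\d+).*?IpLen:(\d+)\s+DgmLen:(\d+)")
TCP_RE = re.compile(r"TcpLen:\s*(\d+)")
# Up to 16 hex pairs after the offset; the ASCII column is separated by >=2 spaces
HEX_RE = re.compile(r"^0x[0-9A-Fa-f]{4}:\s+((?:[0-9A-Fa-f]{2}\s?){1,16})")


@dataclass
class Alert:
    msg: str
    dport: int
    ttl: int
    ip_len: int
    dgm_len: int
    tcp_len: int
    frame: bytes  # whole logged frame, starting at the Ethernet header

    @property
    def payload(self) -> bytes:
        # 14-byte Ethernet header, then IP and TCP headers of the logged lengths
        return self.frame[14 + self.ip_len + self.tcp_len:]

    def payload_length_consistent(self) -> bool:
        # DgmLen covers IP header + TCP header + data; the dump should agree
        return len(self.payload) == self.dgm_len - self.ip_len - self.tcp_len


def _build(rec: dict) -> Alert:
    return Alert(frame=bytes(rec.pop("hex")), **rec)


def parse_alerts(text: str) -> list[Alert]:
    """Split a text alert file into Alert objects (one per '[**] ... [**]' block)."""
    alerts, rec = [], None
    for raw in text.splitlines():
        line = raw.lstrip(">").strip()  # tolerate '>'-quoted copies from a mail reply
        if line.startswith("[**]"):
            if rec:
                alerts.append(_build(rec))
            rec = {"msg": line.strip("[*] "), "hex": bytearray()}
        elif rec is None:
            continue
        elif m := HEADER_RE.match(line):
            rec["dport"] = int(m.group(4))
        elif m := IP_RE.match(line):
            rec["ttl"], rec["ip_len"], rec["dgm_len"] = map(int, m.groups())
        elif m := TCP_RE.search(line):
            rec["tcp_len"] = int(m.group(1))
        elif m := HEX_RE.match(line):
            rec["hex"] += bytes.fromhex(m.group(1))
    if rec:
        alerts.append(_build(rec))
    return alerts


def triage(a: Alert) -> list[str]:
    """Reasons why the logged payload looks like spliced data rather than a real overflow."""
    findings, p = [], a.payload
    if not a.payload_length_consistent():
        findings.append("hex dump length disagrees with DgmLen/IpLen/TcpLen")
    proto = PORT_PROTO.get(a.dport)
    if proto and any(mk in p for mk in HTTP_MARKERS):
        findings.append(f"HTTP data inside a {proto} session (dst port {a.dport})")
    kw = RULE_KEYWORD.get(a.msg)
    if kw and (i := p.find(kw)) > 0 and p[i - 1:i] != b"\n":
        # A genuine client command begins a line: offset 0 or right after CRLF
        findings.append(f"{kw.decode()} at offset {i} follows {p[i - 1:i]!r}, not a line break")
    return findings


if __name__ == "__main__":
    for alert in parse_alerts(SAMPLE_ALERTS):
        print(alert.msg, "-> dst port", alert.dport, "payload", len(alert.payload), "bytes")
        for f in triage(alert):
            print("   ", f)
```

Both records come back with two findings each: the POP3 one carries an HTTP response and has PASS preceded by an "S", the FTP one carries a GET line and has CWD preceded by "=0". Neither payload is what a client would send on that port, which supports looking at the sensor's drop counters before treating them as attacks.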