[Snort-sigs] question about sid:2570

Richard Ullrich hostmaster at ...1909...
Tue Jul 20 05:55:11 EDT 2004


Uhm - I don't see the 0A in the hex code in that line.
But I do see it here:
> 010 : 2E 68 74 6D 6C 20 48 54 54 50 2F 31 2E 31 0D 0A   .html HTTP/1.1..
That last '.' is the 0A the search is looking for, and it's the 5th
char after the '/'.

Richard


>>> Jason <security at ...704...> 7/15/2004 9:43:52 AM >>>
because of this

HTTP/1.0  (IBM-P

Miner, Jonathan W (CSC) (US SSA) wrote:
> I'm trying to understand why I'm getting hits on this rule:
> 
> http://www.snort.org/snort-db/sid.html?sid=2570 
> 
> from the following packet. If I understand the rule correctly, it is looking for the '0A' within five bytes from the end of the 'HTTP/' string. Right?
> 
> 000 : 47 45 54 20 2F 68 70 63 2F 55 55 56 2F 55 55 56   GET /hpc/UUV/UUV
> 010 : 2E 68 74 6D 6C 20 48 54 54 50 2F 31 2E 31 0D 0A   .html HTTP/1.1..
> 020 : 48 6F 73 74 3A 20 77 77 77 2E 73 61 6E 64 65 72   Host: www.sander
> 030 : 73 2E 63 6F 6D 0D 0A 43 6F 6E 6E 65 63 74 69 6F   s.com..Connectio
> 040 : 6E 3A 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A 41   n: keep-alive..A
> 050 : 63 63 65 70 74 3A 20 69 6D 61 67 65 2F 67 69 66   ccept: image/gif
> 060 : 2C 20 69 6D 61 67 65 2F 78 2D 78 62 69 74 6D 61   , image/x-xbitma
> 070 : 70 2C 20 69 6D 61 67 65 2F 6A 70 65 67 2C 20 69   p, image/jpeg, i
> 080 : 6D 61 67 65 2F 70 6A 70 65 67 2C 20 61 70 70 6C   mage/pjpeg, appl
> 090 : 69 63 61 74 69 6F 6E 2F 76 6E 64 2E 6D 73 2D 65   ication/vnd.ms-e
> 0a0 : 78 63 65 6C 2C 20 61 70 70 6C 69 63 61 74 69 6F   xcel, applicatio
> 0b0 : 6E 2F 76 6E 64 2E 6D 73 2D 70 6F 77 65 72 70 6F   n/vnd.ms-powerpo
> 0c0 : 69 6E 74 2C 20 61 70 70 6C 69 63 61 74 69 6F 6E   int, application
> 0d0 : 2F 78 2D 73 68 6F 63 6B 77 61 76 65 2D 66 6C 61   /x-shockwave-fla
> 0e0 : 73 68 2C 20 2A 2F 2A 0D 0A 52 65 66 65 72 65 72   sh, */*..Referer
> 0f0 : 3A 20 68 74 74 70 3A 2F 2F 77 77 77 2E 63 61 63   : http://www.cac
> 100 : 73 2E 6C 6F 75 69 73 69 61 6E 61 2E 65 64 75 2F   s.louisiana.edu/
> 110 : 7E 6B 69 6D 6F 6E 2F 41 55 56 2F 0D 0A 41 63 63   ~kimon/AUV/..Acc
> 120 : 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E   ept-Language: en
> 130 : 2D 75 73 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A   -us..User-Agent:
> 140 : 20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F    Mozilla/4.0 (co
> 150 : 6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 35   mpatible; MSIE 5
> 160 : 2E 35 3B 20 57 69 6E 64 6F 77 73 20 39 38 3B 20   .5; Windows 98; 
> 170 : 54 33 31 32 34 36 31 29 0D 0A 58 2D 46 6F 72 77   T312461)..X-Forw
> 180 : 61 72 64 65 64 2D 46 6F 72 3A 20 32 30 33 2E 31   arded-For: 203.1
> 190 : 32 36 2E 35 32 2E 31 34 39 0D 0A 56 69 61 3A 20   26.52.149..Via: 
> 1a0 : 48 54 54 50 2F 31 2E 30 20 20 28 49 42 4D 2D 50   HTTP/1.0  (IBM-P
> 1b0 : 52 4F 58 59 2D 46 57 29 2C 20 31 2E 31 20 70 6C   ROXY-FW), 1.1 pl
> 1c0 : 75 74 6F 20 28 4E 65 74 43 61 63 68 65 20 4E 65   uto (NetCache Ne
> 1d0 : 74 41 70 70 2F 35 2E 33 2E 31 52 32 29 0D 0A 0D   tApp/5.3.1R2)...
> 1e0 : 0A
> 
> 
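An added illustration, not part of the thread: an emulation of the content-then-within pairing the rule is described as using (written here as `content:"HTTP/"; content:"|0A|"; within:5;`, an assumption about the exact rule syntax), run over the request bytes reconstructed from the quoted dump. It shows the first "HTTP/" on the request line pairing with the 0A five bytes later, and the "HTTP/1.0  (IBM-P" in the Via header not pairing on its own. Retrying every "HTTP/" occurrence is an assumption about how the matcher backtracks.

```python
import re

# Constructed from the hex dump quoted above: the request line plus the headers
# that matter here, including the Via header where "HTTP/" occurs a second time.
PACKET = (
    b"GET /hpc/UUV/UUV.html HTTP/1.1\r\n"
    b"Host: www.sanders.com\r\n"
    b"Connection: keep-alive\r\n"
    b"Via: HTTP/1.0  (IBM-PROXY-FW), 1.1 pluto (NetCache NetApp/5.3.1R2)\r\n"
    b"\r\n"
)


def content_within(payload: bytes, first: bytes, second: bytes, within: int):
    """Emulate `content:first; content:second; within:N;`.

    `within:N` restricts `second` to the N bytes that directly follow the end
    of the `first` match. Each occurrence of `first` is tried in turn
    (assumption about matcher backtracking). Returns (offset_of_first,
    offset_of_second) for the first pairing that satisfies the constraint,
    or None when the rule would not fire on this payload.
    """
    start = 0
    while True:
        i = payload.find(first, start)
        if i < 0:
            return None
        doe = i + len(first)                  # end of the `first` match
        window = payload[doe:doe + within]    # the only bytes `within` permits
        j = window.find(second)
        if j >= 0:
            return i, doe + j
        start = i + 1


def explain(payload: bytes, first: bytes, second: bytes, within: int):
    """Per-occurrence report: (offset of `first`, window bytes, hit?)."""
    report = []
    for m in re.finditer(re.escape(first), payload):
        window = payload[m.end():m.end() + within]
        report.append((m.start(), window, second in window))
    return report


if __name__ == "__main__":
    print(content_within(PACKET, b"HTTP/", b"\x0a", 5))   # (22, 31)
    for off, window, hit in explain(PACKET, b"HTTP/", b"\x0a", 5):
        print(f"HTTP/ at 0x{off:03x}: window={window!r} hit={hit}")
```

The request line's 0A sits at offset 0x1f, the fifth byte after the '/' at 0x1a, which is exactly what the reply above points at.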



_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net 
https://lists.sourceforge.net/lists/listinfo/snort-sigs