[Snort-sigs] FP with BLEEDING-EDGE Proxy POST Request -- 2001674

Russell Fulton r.fulton at ...575...
Wed Apr 6 14:56:17 EDT 2005


We are seeing many FPs going to hotmail servers...

But only from our dial-up users???

Russell


META
--------
SID     CID     TimeStamp               Signature
2       852073  2005-04-06 14:45:27     BLEEDING-EDGE Proxy POST Request
Sig ID
2001674

Sensor Hostname                         Sensor Interface
monitor-itss    bge0

IP
--------
Source Address  Dest Address    Ver     Hdr Len
130.216.8.30    207.46.110.29   4       5
TOS     length  ID      flags   offset  TTL     chksum
0       379     25002   2       0       127     53392

Resolved Source
m.penehira.slip.auckland.ac.nz

Resolved Dest
baym-gw29.msgr.hotmail.com 

TCP
--------
Source Port     Dest Port       Seq             Ack             
3033            80              290657398       3794671764
Offset  Reserved        Flags   Window  Checksum        Urgent Ptr
5       0               24      8187    58680           0

Options
--------
None


Flags
--------
RB 1    RB 0    URG     ACK     PSH     RST     SYN     FIN
                        X       X                               

DATA
--------
504F535420687474703A    POST http:
2F2F3230372E34362E31    //207.46.1
31302E32392F67617465    10.29/gate
7761792F676174657761    way/gatewa
792E646C6C3F41637469    y.dll?Acti
6F6E3D706F6C6C265365    on=poll&Se
7373696F6E49443D3736    ssionID=76
373538303937352E3939    7580975.99
383720485454502F312E    87 HTTP/1.
310D0A4163636570743A    1..Accept:
202A2F2A0D0A41636365     */*..Acce
70742D4C616E67756167    pt-Languag
653A20656E2D75730D0A    e: en-us..
4163636570742D456E63    Accept-Enc
6F64696E673A20677A69    oding: gzi
702C206465666C617465    p, deflate
0D0A557365722D416765    ..User-Age
6E743A204D534D534753    nt: MSMSGS
0D0A486F73743A203230    ..Host: 20
372E34362E3131302E32    7.46.110.2
390D0A50726F78792D43    9..Proxy-C
6F6E6E656374696F6E3A    onnection:
204B6565702D416C6976     Keep-Aliv
650D0A436F6E6E656374    e..Connect
696F6E3A204B6565702D    ion: Keep-
416C6976650D0A507261    Alive..Pra
676D613A206E6F2D6361    gma: no-ca
6368650D0A436F6E7465    che..Conte
6E742D547970653A2061    nt-Type: a
70706C69636174696F6E    pplication
2F782D6D736E2D6D6573    /x-msn-mes
73656E6765720D0A436F    senger..Co
6E74656E742D4C656E67    ntent-Leng
74683A20300D0A0D0A      th: 0....
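The payload above is an MSN Messenger client polling its HTTP gateway: it uses an absolute URI in the request line (the form a client sends to a proxy), which is what a "Proxy POST Request" signature keys on. Added triage helper, not part of the post or the Bleeding Edge rule set: it rebuilds the request from an ACID-style hex dump (hex column only; the ASCII column is display) and flags the alert as gateway polling only when the absolute URI host, Host header, User-Agent and Content-Type all agree. The dump is constructed: request line copied from the alert, headers trimmed to the three checked.

```python
import re

# Constructed ACID-style dump: request line from the alert above, headers trimmed.
DUMP = """\
504F535420687474703A    POST http:
2F2F3230372E34362E31    //207.46.1
31302E32392F67617465    10.29/gate
7761792F676174657761    way/gatewa
792E646C6C3F41637469    y.dll?Acti
6F6E3D706F6C6C265365    on=poll&Se
7373696F6E49443D3736    ssionID=76
373538303937352E3939    7580975.99
383720485454502F312E    87 HTTP/1.
310D0A557365722D4167    1..User-Ag
656E743A204D534D5347    ent: MSMSG
530D0A486F73743A2032    S..Host: 2
30372E34362E3131302E    07.46.110.
32390D0A436F6E74656E    29..Conten
742D547970653A206170    t-Type: ap
706C69636174696F6E2F    plication/
782D6D736E2D6D657373    x-msn-mess
656E6765720D0A0D0A      enger....
"""


def decode_acid_dump(dump: str) -> bytes:
    """Rebuild the payload from the hex column of each dump line."""
    return b"".join(bytes.fromhex(line.split()[0])
                    for line in dump.splitlines() if line.strip())


def triage_proxy_post(payload: bytes) -> dict:
    """Classify a POST: absolute-URI (proxy form) and, if so, MSN gateway polling?"""
    head, _, _ = payload.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    m = re.match(r"POST\s+(https?://([^/\s]+)\S*)\s+HTTP/1\.[01]$", request_line)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    uri_host = m.group(2) if m else None
    # Require every indicator to agree; any single header is trivially forgeable.
    msn_gateway = bool(m) and headers.get("host") == uri_host \
        and headers.get("user-agent") == "MSMSGS" \
        and headers.get("content-type") == "application/x-msn-messenger"
    return {"absolute_uri": m is not None, "uri_host": uri_host,
            "msn_gateway": msn_gateway, "headers": headers}


if __name__ == "__main__":
    print(triage_proxy_post(decode_acid_dump(DUMP)))
```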

