[Snort-sigs] FP with BLEEDING-EDGE Proxy POST Request -- 2001674

Matt Jonkman matt at ...2436...
Wed Apr 6 16:39:27 EDT 2005


How do you have HTTP_SERVERS defined? If that's not any, or is set to 
HOME_NET then these falses won't happen.

However, it is interesting that this does hit there. This looks like an 
MSN Messenger client staying alive, using http rather than the native 
protocol. Might be going through a proxy, etc.

Matt

Russell Fulton wrote:
> We are seeing many FPs going to hotmail servers...
> 
> But only from our dial-up users ???
> 
> Russell
> 
> META
> --------
> SID     CID     TimeStamp               Signature
> 2       852073  2005-04-06 14:45:27     BLEEDING-EDGE Proxy POST Request
> Sig ID
> 2001674
> 
> Sensor Hostname                         Sensor Interface
> monitor-itss    bge0
> 
> IP
> --------
> Source Address  Dest Address    Ver     Hdr Len
> 130.216.8.30    207.46.110.29   4       5
> TOS     length  ID      flags   offset  TTL     chksum
> 0       379     25002   2       0       127     53392
> 
> Resolved Source
> m.penehira.slip.auckland.ac.nz
> 
> Resolved Dest
> baym-gw29.msgr.hotmail.com 
> 
> TCP
> --------
> Source Port     Dest Port       Seq             Ack             
> 3033            80              290657398       3794671764
> Offset  Reserved        Flags   Window  Checksum        Urgent Ptr
> 5       0               24      8187    58680           0
> 
> Options
> --------
> None
> 
> 
> Flags
> --------
> RB 1    RB 0    URG     ACK     PSH     RST     SYN     FIN
>                         X       X                               
> 
> DATA
> --------
> 504F535420687474703A    POST http:
> 2F2F3230372E34362E31    //207.46.1
> 31302E32392F67617465    10.29/gate
> 7761792F676174657761    way/gatewa
> 792E646C6C3F41637469    y.dll?Acti
> 6F6E3D706F6C6C265365    on=poll&Se
> 7373696F6E49443D3736    ssionID=76
> 373538303937352E3939    7580975.99
> 383720485454502F312E    87 HTTP/1.
> 310D0A4163636570743A    1..Accept:
> 202A2F2A0D0A41636365     */*..Acce
> 70742D4C616E67756167    pt-Languag
> 653A20656E2D75730D0A    e: en-us..
> 4163636570742D456E63    Accept-Enc
> 6F64696E673A20677A69    oding: gzi
> 702C206465666C617465    p, deflate
> 0D0A557365722D416765    ..User-Age
> 6E743A204D534D534753    nt: MSMSGS
> 0D0A486F73743A203230    ..Host: 20
> 372E34362E3131302E32    7.46.110.2
> 390D0A50726F78792D43    9..Proxy-C
> 6F6E6E656374696F6E3A    onnection:
> 204B6565702D416C6976     Keep-Aliv
> 650D0A436F6E6E656374    e..Connect
> 696F6E3A204B6565702D    ion: Keep-
> 416C6976650D0A507261    Alive..Pra
> 676D613A206E6F2D6361    gma: no-ca
> 6368650D0A436F6E7465    che..Conte
> 6E742D547970653A2061    nt-Type: a
> 70706C69636174696F6E    pplication
> 2F782D6D736E2D6D6573    /x-msn-mes
> 73656E6765720D0A436F    senger..Co
> 6E74656E742D4C656E67    ntent-Leng
> 74683A20300D0A0D0A      th: 0....

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
www.bleedingsnort.com
--------------------------------------------
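To make the thread's point concrete, the following is an added example (not code from either poster, not the Bleeding Edge rule itself, whose exact content is not on the page): it decodes the hex column of the ACID dump quoted above, parses the HTTP request, classifies it as a proxy-style POST (a POST whose request-target is an absolute URI, which is my reading of what "Proxy POST Request" means), and then applies the $HTTP_SERVERS scope check the way Snort would. The `130.216.0.0/16` HOME_NET value is an assumed placeholder derived from the source address in the dump; the rule logic is an approximation, not the signature's real content.

```python
"""Decode the quoted alert payload and show why $HTTP_SERVERS decides the alert.

Added example for the thread above; the detection logic approximates a
'Proxy POST Request' rule and is not the actual Bleeding Edge signature text.
"""
import ipaddress
import re

# Hex column of the ACID dump quoted in the thread, concatenated verbatim.
HEX_PAYLOAD = """
504F535420687474703A 2F2F3230372E34362E31 31302E32392F67617465
7761792F676174657761 792E646C6C3F41637469 6F6E3D706F6C6C265365
7373696F6E49443D3736 373538303937352E3939 383720485454502F312E
310D0A4163636570743A 202A2F2A0D0A41636365 70742D4C616E67756167
653A20656E2D75730D0A 4163636570742D456E63 6F64696E673A20677A69
702C206465666C617465 0D0A557365722D416765 6E743A204D534D534753
0D0A486F73743A203230 372E34362E3131302E32 390D0A50726F78792D43
6F6E6E656374696F6E3A 204B6565702D416C6976 650D0A436F6E6E656374
696F6E3A204B6565702D 416C6976650D0A507261 676D613A206E6F2D6361
6368650D0A436F6E7465 6E742D547970653A2061 70706C69636174696F6E
2F782D6D736E2D6D6573 73656E6765720D0A436F 6E74656E742D4C656E67
74683A20300D0A0D0A
"""

# Destination from the alert's IP header, and an ASSUMED HOME_NET placeholder
# built from the 130.216.x.x source address (not stated anywhere in the thread).
DST_ADDRESS = "207.46.110.29"
ASSUMED_HOME_NET = ["130.216.0.0/16"]


def decode_payload(hex_dump: str) -> bytes:
    """Turn the whitespace-separated hex column back into raw bytes."""
    return bytes.fromhex("".join(hex_dump.split()))


def parse_request(payload: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, target, version, headers, body."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def is_proxy_style_post(req: dict) -> bool:
    """A POST whose request-target is an absolute URI (scheme://host/...) is the
    form a client sends to a forward proxy; a rule named 'Proxy POST Request'
    plausibly keys on exactly this shape (approximation, not the real rule)."""
    return req["method"] == "POST" and re.match(r"^[a-z][a-z0-9+.-]*://", req["target"], re.I) is not None


def in_server_scope(dst: str, http_servers) -> bool:
    """Mimic $HTTP_SERVERS matching: the literal 'any', or a list of CIDR blocks."""
    if http_servers == "any":
        return True
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(net) for net in http_servers)


def would_alert(payload: bytes, dst: str, http_servers) -> bool:
    """Alert only when the request looks proxy-style AND the destination is a
    server we told Snort to watch. With 'any', outbound client traffic (like this
    MSN Messenger keep-alive poll) matches; with HOME_NET it does not."""
    return is_proxy_style_post(parse_request(payload)) and in_server_scope(dst, http_servers)


if __name__ == "__main__":
    raw = decode_payload(HEX_PAYLOAD)
    req = parse_request(raw)
    print(req["method"], req["target"], req["version"])
    print("User-Agent:", req["headers"]["user-agent"], "| Content-Type:", req["headers"]["content-type"])
    print("HTTP_SERVERS any     ->", would_alert(raw, DST_ADDRESS, "any"))
    print("HTTP_SERVERS HOME_NET->", would_alert(raw, DST_ADDRESS, ASSUMED_HOME_NET))
```

The decoded request carries `User-Agent: MSMSGS`, `Content-Type: application/x-msn-messenger`, a zero-length body and both `Proxy-Connection` and `Connection` headers, which is what supports the reading of an MSN Messenger HTTP-tunnelled poll, possibly from behind a proxy. The same request alerts with `HTTP_SERVERS any` and stays silent when the variable is restricted to the local server range, which is the tuning the reply recommends.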





