[Snort-users] SnortSnarf version 041501.1

Burleson, Lee (IA) Lee.Burleson at ...1358...
Mon Apr 16 18:02:01 EDT 2001

Jim -

Well, I happen to also have a copy of netcat (for Win32), and I tested it
out.  Incredibly, I was able to open the .gz file just fine.  According to
your logic, that means that there probably is a browser problem.  I can hear
the public sigh as I tell you that I've been using IE5.5, but that does not
solve the mystery of being able to use the .gz from snort.org.

I don't have a uuencode program, so if you still want the IE-downloaded .gz
file in UU format, I'll have to get one from the Net somewhere.

But here's a clue: the file size of the IE-dl'ed .gz is 542,720 bytes,
whereas the nc file is 120,629 bytes.

Thanks again.

- Lee

> -----Original Message-----
> From: James Hoagland [mailto:hoagland at ...47...]
> Sent: Monday, April 16, 2001 3:25 PM
> To: Burleson, Lee (IA)
> Cc: hoagland at ...47...
> Subject: RE: [Snort-users] SnortSnarf version 041501.1
> >Jim -
> >
> >OK, that worked fine.  I received a .uu file that WinZip was 
> able to open.
> >The extracted .gz file checked out at 120,629 bytes.  I was 
> then able to
> >open that file normally; WinZip then offered to untar the .tar file
> >automatically, as the .gz only contained that one file.  I 
> suspect that
> >PKZip at the command line would succeed as well.
> >
> >I.e, your attachment came through just fine.  I'll take it 
> and run.  What
> >could the difference(s) be between the .gz file on 
> silicondefense.com, the
> >.gz on snort.org, and the .uu via email?
> What browser did you use for your download?  Could you send me a copy 
> of what you got originally (uuencoded if possible).
> There is no difference from what I can tell between the file I used 
> to make the .uu and what the web server serves up to me.  I did this:
> % nc www.silicondefense.com 80 > SS-041501.1.tar.gz
> GET /software/snortsnarf/SnortSnarf-041501.1.tar.gz
> ^D
> Pretty primitive web access, eh?  Then I diffed this with the version 
> I packaged up and there was no difference.
> So there are a couple possilities:
> 1) The web server gives you something different.
> 2) It is changed somehow on the network
> 3) Your web client changes it
> >
> >I don't think that email-based distribution will scale very well.  ;)
> True :)
> -- Jim

More information about the Snort-users mailing list