[Snort-users] http_decode questions

Joe Stewart jstewart at ...262...
Sun Jan 7 01:10:48 EST 2001


On Sat, 06 Jan 2001, you wrote:
>
> where nn.n.nnn.nnn is the IP of my cable modem. These are apparently
> requests for port 80 service from one of the machines on my local net
> that is running a browser; the high port number suggests that it is an
> ipnat'ed connection, yes? But, 205.188.245.116 does not resolve; a 'dig
> -x 205.188.245.116' shows 205.188.245 as having a SOA in an AOL DNS
> host. Hmmm....
>
> Next question: why is ordinary browser use spawning those alerts?
>
> Final question <g>: Why would one of my browsers be seeking service
> from that weird IP? I'm *certainly* not an AOL customer!

I think it's related to use of Netscape Communicator. I've observed that the
mailer in its default settings loads a page from the Netscape portal on 
startup. In the HTTP request there is a cookie that contains what looks like
urlencoded binary data (along with your current email name and address). If 
that data happens to contain %c0, %c1, %e0, %f0, %f8 or %fc it will trigger a 
false-positive unicode attack alert. I have no idea why AOL/Netscape needs
to urlencode binary data, but there it is.

-Joe
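As an added illustration (this is neither Snort's http_decode code nor anything from Joe's post), the script below approximates the kind of lead-byte check he describes: it flags every %XX escape in the request-target and Cookie header whose byte is %c0, %c1, %e0, %f0, %f8 or %fc, then decodes the surrounding run of escapes to say whether the sequence is really an overlong or out-of-range UTF-8 encoding or just URL-encoded binary that happens to contain one of those bytes. The two requests, host names and cookie name are constructed for the example; the overlong/well-formed rules follow RFC 3629 byte ranges, and the second request imitates the portal-startup case from the thread.

```python
import re
from typing import Dict, List, Optional

# Percent-encoded lead bytes that the old Snort http_decode preprocessor
# treated as a possible "unicode attack" (the list given in the post).
SUSPECT_LEAD_BYTES = {0xC0, 0xC1, 0xE0, 0xF0, 0xF8, 0xFC}

# One or more consecutive %XX escapes, e.g. "%c0%af".
ESCAPE_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2})+")


def decode_escape_run(run: str) -> bytes:
    """Turn "%c0%af" into b"\\xc0\\xaf"."""
    return bytes(int(run[i + 1:i + 3], 16) for i in range(0, len(run), 3))


def classify(lead: int, nxt: Optional[int]) -> str:
    """Say what a flagged lead byte really is, given the byte after it.

    UTF-8 byte rules (RFC 3629): a lead byte must be followed by a
    continuation byte (10xxxxxx); C0/C1 can only start an overlong
    encoding of an ASCII char; E0 needs a second byte >= A0 and F0 a
    second byte >= 90, otherwise the sequence is overlong; F8-FD began
    the 5- and 6-byte forms of the original UTF-8 draft, now invalid.
    """
    if nxt is None or nxt & 0xC0 != 0x80:
        return "lead byte with no continuation byte (raw binary, not UTF-8)"
    if lead in (0xC0, 0xC1):
        return "overlong 2-byte UTF-8 (encodes an ASCII char)"
    if lead >= 0xF8:
        return "5/6-byte form, not valid UTF-8"
    if lead == 0xE0 and nxt < 0xA0:
        return "overlong 3-byte UTF-8"
    if lead == 0xF0 and nxt < 0x90:
        return "overlong 4-byte UTF-8"
    return "well-formed UTF-8 lead byte"


def scan_field(name: str, value: str) -> List[Dict]:
    """Flag every suspect %XX in one field, as a lead-byte-only check would,
    and attach what the decoded sequence actually is."""
    hits = []
    for m in ESCAPE_RUN.finditer(value):
        raw = decode_escape_run(m.group())
        for i, b in enumerate(raw):
            if b in SUSPECT_LEAD_BYTES:
                nxt = raw[i + 1] if i + 1 < len(raw) else None
                hits.append({"field": name, "offset": m.start() + 3 * i,
                             "escape": "%%%02x" % b, "what": classify(b, nxt)})
    return hits


def scan_request(raw_request: str) -> List[Dict]:
    """Scan the request-target and Cookie header of one raw HTTP request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    request_line, *headers = head.split("\r\n")
    target = request_line.split(" ")[1]
    hits = scan_field("request-target", target)
    for h in headers:
        k, _, v = h.partition(":")
        if k.strip().lower() == "cookie":
            hits += scan_field("cookie", v.strip())
    return hits


def real_unicode_problem(hits: List[Dict]) -> bool:
    """True only if some flagged escape is an overlong or out-of-range form."""
    return any(h["what"].startswith(("overlong", "5/6-byte")) for h in hits)


# Constructed sample requests (not captured traffic).
# 1. A traversal probe using %c0%af, the overlong 2-byte encoding of "/".
ATTACK = ("GET /dir/..%c0%af../secret HTTP/1.0\r\n"
          "Host: target.example\r\n\r\n")
# 2. A portal-startup request: a valid 3-byte UTF-8 char in the query and a
#    cookie carrying URL-encoded binary that contains %c0 and %fc.
BENIGN = ("GET /search?q=%e0%a4%95 HTTP/1.0\r\n"
          "Host: portal.example\r\n"
          "Cookie: NSprefs=user%40example.com%3b%e1%c0%5a%9f%fc%07\r\n\r\n")


if __name__ == "__main__":
    for label, req in (("attack", ATTACK), ("benign", BENIGN)):
        hits = scan_request(req)
        print(f"{label}: {len(hits)} escape(s) flagged, "
              f"real problem: {real_unicode_problem(hits)}")
        for h in hits:
            print(f"  {h['field']}+{h['offset']}: {h['escape']} -> {h['what']}")
```

Running it shows the point of the thread: the lead-byte check fires three times on the benign request (once on a perfectly valid %e0%a4%95 and twice on cookie bytes that are not UTF-8 at all) and once on the attack, but only the attack's %c0%af is an actual overlong encoding.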
