[Snort-users] Making sense out of captured packets

Siddhartha Jain s_i_d_j at ...131...
Sun Mar 25 05:51:14 EST 2001


Hi,

I got an IDS247/dos-large-udp alert. I am running Snort with the -C option so
I capture the packet payload also. But how do I make sense out of the
payload to figure out whether it's a real DoS or a false positive? Here is a
sample:

TIA,

Siddhartha
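Added here as an example, not code from the original post or from Snort: a small Python triage helper for large-UDP alerts. It computes the two things a dot-filled character dump like the one in the post hides, byte entropy and printable ratio, then groups matching packets per flow so volume and the destination port can be judged together. The dsize limit and the sample packets are constructed assumptions, not the real rule's value or captured traffic.

```python
import math
from collections import Counter, defaultdict

# Assumed dsize limit for the demo; the post does not quote the real rule's value.
LARGE_UDP_DSIZE = 1024

def shannon_entropy(payload: bytes) -> float:
    """Bits per byte: ~8 means random-looking (encrypted/compressed), ~0 means filler."""
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in Counter(payload).values()) if n else 0.0

def printable_ratio(payload: bytes) -> float:
    """Share of printable ASCII; the dot-filled dump in the post is what a low ratio looks like."""
    return sum(32 <= b < 127 for b in payload) / len(payload) if payload else 0.0

def classify_payload(payload: bytes) -> str:
    """Coarse label for one UDP payload that the large-udp signature would match."""
    if len(payload) <= LARGE_UDP_DSIZE:
        return "below-threshold"
    ent = shannon_entropy(payload)
    if ent < 1.0:
        return "padding"   # repeated bytes: the filler junk-flood tools send
    if ent > 7.0 and printable_ratio(payload) < 0.5:
        return "binary"    # bulk/encrypted data: check the destination service
    return "text"          # readable protocol data: read it directly

def triage(packets):
    """Group matched packets per (src, dst, dport); packets are (src, dst, dport, payload) tuples."""
    flows = defaultdict(lambda: {"count": 0, "labels": Counter()})
    for src, dst, dport, payload in packets:
        label = classify_payload(payload)
        if label == "below-threshold":
            continue
        flows[(src, dst, dport)]["count"] += 1
        flows[(src, dst, dport)]["labels"][label] += 1
    for f in flows.values():
        if f["labels"]["padding"] == f["count"]:
            f["hint"] = "likely flood: every packet is filler"
        elif f["count"] >= 10:
            f["hint"] = "high volume: confirm dport is a service you run"
        else:
            f["hint"] = "low volume: likely a legitimate large datagram"
    return dict(flows)

# Constructed sample, not captured traffic.
SAMPLE = (
    [("10.0.0.5", "10.0.0.1", 2049, bytes(range(256)) * 6)] * 3  # NFS-like bulk data
    + [("10.0.0.9", "10.0.0.1", 7, b"A" * 1500)] * 12            # repeated filler bytes
    + [("10.0.0.7", "10.0.0.1", 53, b"x" * 100)]                 # too small to match
)
```

Neither entropy nor size settles the question on its own; the per-flow count together with whether the destination port belongs to a service the host actually runs is what separates a bulk transfer from a flood.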


