[Snort-users] problems with packet logs on 1.8.2

Phil Wood cpw at ...440...
Wed Nov 28 11:21:04 EST 2001


I've seen similar packets.  However, in this case, are you sending
your alerts over the same interface as the interface you are watching
with snort?

On Wed, Nov 28, 2001 at 05:00:07PM +1300, Russell Fulton wrote:
> Hi All,
> 	I am getting some garbage in packet captures, here is an 
> example:
> 
> [**] WEB-IIS cmd.exe access [**]
> 11/28-15:18:41.518117 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x0 len:0x27D
> 210.55.38.206:1180 -> 130.216.191.67:80 TCP TTL:240 TOS:0x10 ID:0 
> IpLen:20 DgmLen:623
> ***AP*** Seq: 0x78406864  Ack: 0x2AA275  Win: 0x40E8  TcpLen: 20
> 65 3A 30 78 30 20 6C 65 6E 3A 30 78 32 35 33 0D  e:0x0 len:0x253.
> 0A 32 30 33 2E 39 36 2E 39 33 2E 38 39 3A 31 33  .203.96.93.89:13
> 36 35 20 2D 3E 20 31 33 30 2E 32 31 36 2E 31 39  65 -> 130.216.19
> 31 2E 36 37 3A 38 30 20 54 43 50 20 54 54 4C 3A  1.67:80 TCP TTL:
> 32 34 30 20 54 4F 53 3A 30 78 31 30 20 49 44 3A  240 TOS:0x10 ID:
> 30 20 0D 0A 49 70 4C 65 6E 3A 32 30 20 44 67 6D  0 ..IpLen:20 Dgm
> 4C 65 6E 3A 35 38 31 0D 0A 2A 2A 2A 41 50 2A 2A  Len:581..***AP**
> 2A 20 53 65 71 3A 20 30 78 45 43 35 36 37 39 37  * Seq: 0xEC56797
> 44 20 20 41 63 6B 3A 20 30 78 34 34 41 42 33 34  D  Ack: 0x44AB34
> 42 20 20 57 69 6E 3A 20 30 78 34 30 45 38 20 20  B  Win: 0x40E8  
> 54 63 70 4C 65 6E 3A 20 32 30 0D 0A 34 37 20 34  TcpLen: 20..47 4
> 35 20 35 34 20 32 30 20 32 46 20 37 33 20 36 33  5 54 20 2F 73 63
> 20 37 32 20 36 39 20 37 30 20 37 34 20 37 33 20   72 69 70 74 73 
> 32 46 20 32 45 20 32 45 20 35 43 20 20 47 45 54  2F 2E 2E 5C  GET
> 20 2F 73 63 72 69 70 74 73 2F 2E 2E 5C 0D 0A 32   /scripts/..\..2
> 45 20 32 45 20 32 46 20 37 37 20 36 39 20 36 45  E 2E 2F 77 69 6E
> 20 36 45 20 37 34 20 32 46 20 37 33 20 37 39 20   6E 74 2F 73 79 
> 37 33 20 37 34 20 36 35 20 36 44 20 33 33 20 20  73 74 65 6D 33  
> 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33  ../winnt/system3
> 0D 0A 33 32 20 32 46 20 36 33 20 36 44 20 36 34  ..32 2F 63 6D 64
> 20 32 45 20 36 35 20 37 38 20 36 35 20 33 46 20   2E 65 78 65 3F 
> 32 46 20 36 33 20 32 42 20 36 34 20 36 39 20 37  2F 63 2B 64 69 7
> 32 20 20 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B  2  2/cmd.exe?/c+
> 64 69 72 0D 0A 32 30 20 37 32 20 32 30 20 37 32  dir..20 72 20 72
> 20 32 30 20 34 38 20 35 34 20 35 34 20 35 30 20   20 48 54 54 50 
> [snip]
> 
> 
> In this case it would appear that the packet has been decoded twice so 
> the packet contents are now the ascii packet capture.
> 
> Another example:
> [**] WEB-IIS .... access [**]
> 11/28-13:31:23.680387 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x0 len:0x253
> 203.96.93.89:1365 -> 130.216.191.67:80 TCP TTL:240 TOS:0x10 ID:0 
> IpLen:20 DgmLen:581
> ***AP*** Seq: 0xEC56797D  Ack: 0x44AB34B  Win: 0x40E8  TcpLen: 20
> 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 5C  GET /scripts/..\
> 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33  ../winnt/system3
> 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72  2/cmd.exe?/c+dir
> 20 72 20 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48   r r HTTP/1.0..H
> 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65  ost: www..Connne
> 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D 0A  ction: close....
> 33 0D 0A 0D 0A 32 30 0D 0A 20 20 20 20 20 20 20  3....20..       
> 20 20 20 20 20 43 6C 6F 75 64 45 69 67 68 74 20       CloudEight 
> 43 44 73 3D 32 30 0D 0A 20 20 20 20 20 20 20 20  CDs=20..        
> 20 20 20 20 4D 61 69 6C 20 4C 69 73 74 3D 32 30      Mail List=20
> 0D 0A 20 20 20 20 20 20 20 20 20 20 20 20 48 65  ..            He
> 6C 70 3D 32 30 0D 0A 20 20 20 20 20 20 20 20 20  lp=20..         
> 20 20 20 46 41 51 3D 32 30 0D 0A 20 20 20 20 20     FAQ=20..     
> 20 20 20 20 20 20 20 43 68 72 69 73 74 6D 61 73         Christmas
> 3D 32 30 0D 0A 20 20 20 20 20 20 20 20 20 20 20  =20..           
> 20 56 61 6C 65 6E 74 69 6E 65 27 73 20 44 61 79   Valentine's Day
> 3D 32 30 0D 0A 20 20 20 20 20 20 20 20 20 20 20  =20..           
> 20 45 61 73 74 65 72 3D 32 30 0D 0A 20 20 20 20   Easter=20..    
> 20 20 20 20 20 20 20 20 48 61 6C 6C 6F 77 65 65          Hallowee
> 6E 3D 32 30 0D 0A 20 20 20 20 20 20 20 20 20 20  n=20..          
> 20 20 53 70 65 63 69 61 6C 20 4F 63 63 61 73 69    Special Occasi
> 6F 6E 73 3D 32 30 0D 0A 20 20 20 20 20 20 20 20  ons=20..        
> 20 20 20 20 54 68 61 6E 6B 73 67 69 76 69 6E 67      Thanksgiving
> 0D 0A 0D 0A 0D 0A 20 20 20 20 20 20 20 20 20 20  ......          
> 20 20 43 68 72 69 73 74 6D 61 73 3D 32 30 0D 0A    Christmas=20..
> 20 20 20 20 20 20 20 20 20 20 20 20 41 63 70 72              Acpr
> 65 73 73 69 6F 6E 73 0D 0A 0D 0A 0D 0A 0D 0A 20  essions........ 
> 20 20 20 20 20 20 20 20 20 20 20 46 65 61 74 75             Featu
> 72 65 64 20 69 6E 20 54 68 69 73 3D 32 30 0D 0A  red in This=20..
> 20 20 20 20 20 20 20 20 20 20 20 20 4E 65 77 73              News
> 6C 65 74 74 65 72 3A 3D 32 30 0D 0A 0D 0A 20 20  letter:=20....  
> 20 20 20 20 20 20 20 20 20 20 43 68 72 69 73 74            Christ
> 6D 61 73 20 44 72 65 61 6D 73 3D 32 30 0D 0A 20  mas Dreams=20.. 
> 20 20 20 20 20 20 20 20 37 0D 0A 0D 0A                   7....
> 
> In this case it looks as if the packet length is wrong and we have 
> trailing garbage from some other packet.
> 
> I'm running snort on a debian linux system, the command line is
> 
>  snort -A full -c rules.130.216.0.0 -d -D -e -h 130.216.0.0/16 -i eth1 
> -l /home/snort/...
> 
> These are set in the config file:
> 
> preprocessor frag2
> preprocessor stream4: noalerts
> preprocessor stream4_reassemble 
> preprocessor http_decode: 80 
> preprocessor rpc_decode: 111 
> preprocessor telnet_decode
> 
> 
> 
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland,  New Zealand
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw at ...440...
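Added example (not from this thread, Snort, or either poster): a small triage script for the two symptoms above. It parses an alert record in the `-d -e` hex/ASCII dump format quoted in the thread, rebuilds the payload bytes, and checks (1) whether the payload itself contains Snort alert text, which is what a sensor records when its own alert or log traffic crosses the interface it watches, as Phil asks about, and (2) whether `len`, `DgmLen`, `IpLen` and `TcpLen` agree with each other and with the number of bytes actually dumped, the check behind the "wrong packet length / trailing garbage" suspicion. The sample records, rule name, addresses and the `build_record`/`to_dump` helpers are constructed for the example; the field names and layout are those visible in the quoted alerts.

```python
"""Triage helper for Snort 1.8 '-d -e' text alerts (added example, not Snort code).

Parses one alert record in the hex/ASCII dump format quoted in the thread,
rebuilds the payload bytes, and runs two checks:
  1. does the payload itself contain Snort alert text?  That is what a sensor
     sees when its own alert/log traffic crosses the interface it monitors;
  2. do the header lengths agree with each other and with the dumped bytes?
     With -e, len:0x.. is the whole frame, so len == DgmLen + 14 (Ethernet)
     and the payload should be DgmLen - IpLen - TcpLen bytes long.
All sample records below are constructed; addresses are documentation ranges.
"""
import re

ETH_HDR = 14  # -e prints the Ethernet header, so len:0x.. includes it

# Strings Snort's text output contains and an HTTP request normally does not.
SNORT_MARKERS = ("[**]", " TTL:", "IpLen:", "DgmLen:", "TcpLen:")

_HEX_RUN = re.compile(r"^((?:[0-9A-Fa-f]{2} ){1,16})")
_FIELD = re.compile(r"(len):0x([0-9A-Fa-f]+)|(DgmLen|IpLen|TcpLen):\s*(\d+)")


def parse_record(text):
    """Return (header fields, payload bytes) for one alert record."""
    fields, payload = {}, bytearray()
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()  # tolerate mail quoting
        hexrun = _HEX_RUN.match(line)
        if hexrun:  # hex/ASCII dump line: keep only the hex column
            payload += bytes.fromhex(hexrun.group(1))
            continue
        for m in _FIELD.finditer(line):  # header line
            if m.group(1):
                fields["len"] = int(m.group(2), 16)
            else:
                fields[m.group(3)] = int(m.group(4))
    return fields, bytes(payload)


def sensor_echo_markers(payload):
    """Snort output markers found inside the payload (empty for a real request)."""
    text = payload.decode("latin-1")
    return [m for m in SNORT_MARKERS if m in text]


def length_report(fields, payload):
    """Check frame length against DgmLen and DgmLen against the dumped bytes."""
    expected = fields["DgmLen"] - fields["IpLen"] - fields["TcpLen"]
    return {
        "frame_ok": fields["len"] == fields["DgmLen"] + ETH_HDR,
        "expected_payload": expected,
        "dumped_payload": len(payload),
        "payload_ok": expected == len(payload),
    }


def triage(text):
    """Run both checks on one record and return a flat report."""
    fields, payload = parse_record(text)
    return {"echo_markers": sensor_echo_markers(payload), **length_report(fields, payload)}


def to_dump(payload):
    """Render bytes in Snort's 16-per-line hex/ASCII layout (for sample data)."""
    lines = []
    for i in range(0, len(payload), 16):
        chunk = payload[i:i + 16]
        hexcol = " ".join(f"{b:02X}" for b in chunk).ljust(47)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{hexcol}  {asc}")
    return "\n".join(lines)


def build_record(payload, dgmlen=None):
    """Constructed alert record in the thread's format; dgmlen may be forced."""
    dgmlen = len(payload) + 40 if dgmlen is None else dgmlen  # 20 IP + 20 TCP
    header = (
        "[**] CONSTRUCTED sample rule [**]\n"
        "11/28-13:31:23.680387 0:0:0:0:0:0 -> 0:0:0:0:0:0 "
        f"type:0x0 len:0x{dgmlen + ETH_HDR:X}\n"
        "203.0.113.9:1365 -> 198.51.100.67:80 TCP TTL:240 TOS:0x10 ID:0\n"
        f"IpLen:20 DgmLen:{dgmlen}\n"
        "***AP*** Seq: 0x1  Ack: 0x2  Win: 0x40E8  TcpLen: 20\n"
    )
    return header + to_dump(payload)


REQUEST = b"GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n"  # 39 bytes, constructed
NORMAL = build_record(REQUEST)
# The sensor's own alert text travelling over the monitored interface.
ECHO = build_record(NORMAL.split("\n***AP***")[0].encode())
# Header claims 39 payload bytes but the dump carries 12 extra bytes.
TRAILING = build_record(REQUEST + b"X" * 12, dgmlen=79)

if __name__ == "__main__":
    for name, rec in (("normal", NORMAL), ("echo", ECHO), ("trailing", TRAILING)):
        print(name, triage(rec))
```

`parse_record` also accepts the `> `-quoted records above as pasted from the mail; on the first one the echo check fires, since the ASCII column of that payload visibly carries `TTL:`, `IpLen:20 DgmLen:581` and `TcpLen: 20` from another alert. The length check compares the header's claim with the bytes Snort actually printed, so a trailing-garbage case shows up as `payload_ok` false with `dumped_payload` larger than `expected_payload`, while a record whose numbers all agree points the investigation back at the data itself rather than at a length bug.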