[Snort-users] Packet weirdness

Wynn Fenwick wfenwick at ...2714...
Thu Feb 7 18:15:02 EST 2002


I am seeing something similar to this. I'll provide packet captures
tomorrow, but I can see a false positive on a whisker HEAD with large
packet size (indicating the HEAD is out of spec).

In every case the trigger is on a HEAD coming from a tool called Big
Brother, which is a remote TCP service keepalive script that we use to
make sure services are reachable. It HEADs any web server to see if it's
alive. However, the source is outside our network, and the destination
is not the same web server that the HEADs are being sent to. They are
unrelated machines. Inside that payload, we see appended content from,
among other things, MSN Messenger conversations, web-mail sessions, and
other web traffic fragments. It looks like a messed-up pointer because
the HTTP within the packet trace is not coherent.

Snort 1.8.3 on FreeBSD 4.3
Database logging to PostgreSQL 7.1.x
ACID 0.9.6b19

We will try 1.8.4 beta in the lab but no guarantees we can duplicate
this.

Wynn Fenwick, GCIA
Ottawa, Canada
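A check a reader can run over a logged frame to tell whether the captured bytes run past the end of the IP datagram the header declares, which is the symptom described above (an oversized HEAD whose trailing bytes are unrelated traffic). This is an added example, not code from the original post or from Snort; the frame, addresses and trailing text are constructed.

```python
import struct

def build_frame(payload: bytes, trailing: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (made-up addresses) carrying
    `payload`, optionally followed by bytes that are not part of the datagram."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst, src, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1,      # ports, seq, ack
                      5 << 4, 0x18, 8192, 0, 0)           # data offset 5, PSH|ACK
    total_len = 20 + len(tcp) + len(payload)              # what the IP header claims
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp + payload + trailing

def check_frame(frame: bytes) -> dict:
    """Compare the IP total length against the bytes actually present.
    Ethernet pads short frames with zeros up to 60 bytes, so only non-zero
    trailing bytes, or any trailing bytes on a frame already over 60 bytes,
    are reported as suspicious."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    data_off = (ip[ihl + 12] >> 4) * 4                    # TCP header length
    declared_payload = total_len - ihl - data_off
    captured_payload = len(ip) - ihl - data_off
    extra = ip[total_len:]                                # bytes past the datagram
    return {
        "declared_payload": declared_payload,
        "captured_payload": captured_payload,
        "payload": ip[ihl + data_off:total_len],
        "extra": extra,
        "suspicious": len(extra) > 0 and (len(frame) > 60 or any(extra)),
    }

if __name__ == "__main__":
    frame = build_frame(b"HEAD / HTTP/1.0\r\n\r\n", b"stale MSN chatter")
    result = check_frame(frame)
    print(result["declared_payload"], result["captured_payload"], result["suspicious"])
```

A frame whose `captured_payload` exceeds `declared_payload` by non-padding bytes points at the logger or capture path, not at the sender.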