[Snort-users] "Connnection closed"? (spelled wrong!)

Edwin Eefting edwin at ...2758...
Thu Jan 10 08:21:12 EST 2002


Hi all

For quite a while now, I'm wondering why I always see the string
"Connnection closed" spelled wrong in HTTP requests. My first thought was it was
some kind of mistake/coincidence, but now I see it over and over again.
Does somebody know why this is, and is this really part of the HTTP standard?? :-)
(sorry for my own bad English :)

Just curious..
Edwin


------------------------------------------
On Thu, 10 Jan 2002 16:44:18 +0100 Andreas Östling <andreaso at ...236...> wrote:

> 
> On Wednesday 09 January 2002 06.51, Martin Roesch wrote:
> > Hi Russell,
> >      I made some tweaks to stream4 tonight that will hopefully clear up
> > your problem, check out the latest code from cvs if you're interested
> > (the SNORT_1_8 branch, not the 1.9-dev code).  This is build 89.  It now
> > fills in the Ethernet headers appropriately and is a little tighter in
> > how it puts things together, hopefully it'll clear up your problem.  Let
> > me know how it goes.
> >
> >      -Marty
> 
> Hello,
> 
> I experience the same problems as Russell from time to time.
> I was running 1.8.3 (release version), but unfortunately build 89 did not 
> solve all problems. The Ethernet headers now seem to be correct, but the 
> payload is still messed up.
> 
> Example:
> 
> 01/10-15:17:13.659803 0:30:B6:34:4F:4C -> 0:60:70:E:B8:0 type:0x8 len:0x2C2
> x.x.x.x:4271 -> 62.70.3.13:80 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:692
> ***AP*** Seq: 0x69F23943  Ack: 0x3DE12400  Win: 0x7AEC  TcpLen: 20
> 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 5C  GET /scripts/..\
> 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33  ../winnt/system3
> 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72  2/cmd.exe?/c+dir
> 20 72 20 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48   r r HTTP/1.0..H
> 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65  ost: www..Connne
> 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D 0A  ction: close....
> 20 66 72 6F 6D 20 63 63 2E 75 61 62 2E 65 73 20   from cc.uab.es
> 62 79 20 6B 6C 69 6E 67 6F 6E 2E 75 61 62 2E 65  by klingon.uab.e
> 73 20 28 41 49 58 20 33 2E 32 2F 55 43 42 20 35  s (AIX 3.2/UCB 5
> 2E 36 34 2F 34 2E 30 33 29 0D 0A 20 20 20 20 20  .64/4.03)..
> 20 20 20 20 20 69 64 20 41 41 33 32 34 37 38 3B       id AA32478;
> 20 54 68 75 2C 20 31 30 20 4A 61 6E 20 32 30 30   Thu, 10 Jan 200
> 32 20 31 36 3A 30 32 3A 34 38 20 2B 30 31 30 30  2 16:02:48 +0100
> 0D 0A 52 65 63 65 69 76 65 64 3A 20 66 72 6F 6D  ..Received: from
> 20 43 4F 4E 56 45 52 53 49 4F 4E 2D 44 41 45 4D   CONVERSION-DAEM
> 4F 4E 20 62 79 20 63 63 2E 75 61 62 2E 65 73 20  ON by cc.uab.es
> 28 50 4D 44 46 20 56 35 2E 32 2D 33 32 20 23 31  (PMDF V5.2-32 #1
> 37 32 31 30 29 0D 0A 20 69 64 20 3C 30 31 4B 43  7210).. id <01KC
> 57 53 4C 32 58 56 47 57 30 30 30 44 4F 53 40 63  WSL2XVGW000DOS at ...2580...
> 63 2E 75 61 62 2E 65 73 3E 20 66 6F 72 20 6E 69  c.uab.es> for ni
> 63 6F 6C 65 40 6B 6C 69 6E 67 6F 6E 2E 75 61 62  cole at ...4522...
> 2E 65 73 3B 20 54 68 75 2C 0D 0A 20 31 30 20 4A  .es; Thu,.. 10 J
> 61 6E 20 32 30 30 32 20 31 35 3A 31 37 3A 32 36  an 2002 15:17:26
> 20 2B 30 31 30 30 20 28 47 4D 54 29 0D 0A 52 65   +0100 (GMT)..Re
> ...
> 
> According to our network session logs, there was indeed a connection from 
> x.x.x.x:4271 to 62.70.3.13:80 at that time, but I'm pretty sure it was not a 
> request for cmd.exe. The payload after "Connection: close" may be part of the 
> correct one. 
> 
> I'm running two instances of snort on two different interfaces under OpenBSD 
> 3.0-STABLE, with about 300 customized rules.
> Snort.conf currently contains the following:
> 
> preprocessor frag2
> preprocessor stream4: detect_scans
> preprocessor stream4_reassemble
> preprocessor http_decode: 80 -unicode -cginull
> preprocessor rpc_decode: 111
> preprocessor bo: -nobrute
> preprocessor telnet_decode
> 
> snort -V gives:
> -*> Snort! <*-
> Version 1.8.3 (Build 89)
> By Martin Roesch (roesch at ...1935..., www.snort.org)
> 
> This is just a test machine so I'll try to experiment a bit. Any clever 
> suggestions about what may be worth trying?
> To me it seems like it's always those unicode requests that mess things up. 
> Could there also be some problem with http_decode?
> 
> A quick look tells me that my other Snort boxes did not log the above packet.
> One difference I can think of is that the machine logging the packet uses the 
> 'tag' feature on outgoing cmd.exe requests (among other rules) but the other 
> machines do not. Perhaps this has something to do with it? (btw, I strongly 
> doubt there was an outgoing request for cmd.exe at all at that time, so the 
> cmd.exe part of the packet above is probably from an incoming one, and those 
> should not even be logged.)
> 
> 
> FYI, this is what it looked like with the release version of 1.8.3:
> 
> 12/08-17:36:56.021411 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x0 len:0x250
> x.x.x.x:1140 -> 207.46.28.135:80 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:578
> ***AP*** Seq: 0x6EDF1A08  Ack: 0x176F48  Win: 0x40E8  TcpLen: 20
> 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
> 63 30 25 32 66 2E 2E 2F 77 69 6E 6E 74 2F 73 79  c0%2f../winnt/sy
> 73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F  stem32/cmd.exe?/
> 63 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A  c+dir HTTP/1.0..
> 48 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E  Host: www..Connn
> 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D  ection: close...
> 0A 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73  .nnnection: clos
> 65 0D 0A 0D 0A 03 05 45 5F 00 03 05 45 5F 00 03  e......E_...E_..
> 05 55 4E 44 3D 22 69 6D 61 67 65 73 2F 74 69 6C  .UND="images/til
> 65 73 2E 67 69 66 22 20 42 47 43 4F 4C 4F 52 3D  es.gif" BGCOLOR=
> 22 23 45 43 44 34 39 38 22 20 54 45 58 54 3D 22  "#ECD498" TEXT="
> 23 36 36 30 30 30 30 22 20 4C 49 4E 4B 3D 22 23  #660000" LINK="#
> 36 36 30 30 30 30 22 20 41 4C 49 4E 4B 3D 22 23  660000" ALINK="#
> 38 38 30 30 30 30 22 20 56 4C 49 4E 4B 3D 22 23  880000" VLINK="#
> 36 36 30 30 30 30 22 20 4D 41 52 47 49 4E 57 49  660000" MARGINWI
> 44 54 48 3D 22 34 22 20 54 4F 50 4D 41 52 47 49  DTH="4" TOPMARGI
> 4E 3D 22 31 30 22 20 4C 45 46 54 4D 41 52 47 49  N="10" LEFTMARGI
> 4E 3D 22 34 22 3E 3C 41 20 4E 41 4D 45 3D 22 74  N="4"><A NAME="t
> 6F 70 22 3E 0D 0A 0D 0A 3C 6D 61 70 20 6E 61 6D  op">....<map nam
> 65 3D 22 6E 65 77 2E 6C 6F 67 6F 22 3E 0D 0A 3C  e="new.logo">..<
> 61 72 65 61 20 73 68 61 70 65 3D 22 72 65 63 74  area shape="rect
> 22 20 63 6F 6F 72 64 73 3D 22 38 38 2C 30 2C 31  " coords="88,0,1
> 35 31 2C 36 30 22 20 68 72 65 66 3D 22 68 74 74  51,60" href="htt
> 70 3A 2F 2F 77 77 77 2E 73 79 6C 76 69 61 2E 73  p://www.sylvia.s
> 65 2F 22 20 74 61 72 67 65 74 3D 22 5F 62 6C 61  e/" target="_bla
> 6E 6B 22 3E 0D 0A 3C 61 72 65 61 20 73 68 61 70  nk">..<area shap
> 65 3D 22 72 65 63 74 22 20 63 6F 6F 72 64 73 3D  e="rect" coords=
> 22 39 36 2C 37 30 2C 31 35 36 2C 31 30 37 22 20  "96,70,156,107"
> 68 72 65 66 3D 22 22 3E 0D 0A 3C 61 72 65 61 20  href="">..<area
> 73 68 61 70 65 3D 22 64 65 66 61 75 6C 74 22 20  shape="default"
> 6E 6F 68 72 65 66 3E 0D 0A 3C 2F 6D 61 70 3E 0D  nohref>..</map>.
> 0A 0D 0A 3C 6D 61 70 20 6E 61 6D 65 3D 22 6E 65  ...<map name="ne
> 77 2E 6D 65 6E 75 22 3E 0D 0A 3C 61 72 65 61 20  w.menu">..<area
> 73 68 61 70 65 3D 22 72 0D 0A                    shape="r..
> 
> 
> (did build 89 solve your problems, Russell?)
> 
> 
> /Andreas
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 


--                            __________________
                             /\ ___/          
Edwin Eefting               /- \ _/  Business Internet Trends BV
                           /--- \/           __________________
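As an added example (not code from the thread or from the Snort project): a small Python script that rebuilds the raw payload from Snort's hex-dump rows and reports the two things Andreas points at in the build-89 packet above: the "Connnection" header spelling, and the bytes that follow the end of the HTTP headers even though a GET carries no body and what follows does not look like a pipelined next request. The sample rows are copied from the first dump quoted above with the "> " quoting removed; the function names, the 47-column hex width and the method list are my own assumptions about Snort's dump layout, not part of the original.

```python
# Constructed sample: the first eight dump rows of the build-89 packet quoted
# in the thread, with the "> " quoting removed (Snort's "<hex>  <ascii>" layout).
SAMPLE_DUMP = "\n".join([
    "47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 5C  GET /scripts/..\\",
    "2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33  ../winnt/system3",
    "32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72  2/cmd.exe?/c+dir",
    "20 72 20 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48   r r HTTP/1.0..H",
    "6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65  ost: www..Connne",
    "63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D 0A  ction: close....",
    "20 66 72 6F 6D 20 63 63 2E 75 61 62 2E 65 73 20   from cc.uab.es",
    "62 79 20 6B 6C 69 6E 67 6F 6E 2E 75 61 62 2E 65  by klingon.uab.e",
])

# Assumed layout: 16 bytes as "XX " groups, i.e. 47 characters before the
# two-space gap that separates the hex column from the ASCII column.
HEX_COLUMNS = 47


def parse_snort_hexdump(dump: str) -> bytes:
    """Rebuild raw payload bytes from Snort hex-dump rows.

    Only the hex column is decoded; the ASCII column is ignored, so rows whose
    right-hand text happens to look like hex are not mis-parsed. Short final
    rows (fewer than 16 bytes) work because the column is split on whitespace.
    """
    payload = bytearray()
    for row in dump.splitlines():
        hex_groups = row[:HEX_COLUMNS].split()
        if not hex_groups:
            continue
        payload += bytes.fromhex("".join(hex_groups))
    return bytes(payload)


# Request methods that would mark a legitimate pipelined follow-up request
# (an assumption for this example, not a complete list).
METHODS = (b"GET ", b"POST ", b"HEAD ")


def inspect_http_request(payload: bytes) -> dict:
    """Report the two symptoms discussed in the thread for one reassembled payload.

    - has_misspelled_connection: a header named "Connnection" (three n's).
    - unexpected_trailing: a GET/HEAD has no body, so bytes after the blank line
      that are not another request mean data from some other conversation was
      glued onto this one by the reassembler.
    """
    head, sep, rest = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    header_names = {
        ln.split(b":", 1)[0].strip().lower() for ln in lines[1:] if b":" in ln
    }
    method = request_line.split(" ", 1)[0]
    looks_like_next_request = rest.startswith(METHODS)
    return {
        "request_line": request_line,
        "headers_complete": bool(sep),
        "has_misspelled_connection": b"connnection" in header_names,
        "trailing_bytes": len(rest),
        "unexpected_trailing": (
            bool(rest) and method in ("GET", "HEAD") and not looks_like_next_request
        ),
        "trailing_preview": rest[:32].decode("latin-1"),
    }


if __name__ == "__main__":
    report = inspect_http_request(parse_snort_hexdump(SAMPLE_DUMP))
    for key, value in report.items():
        print(f"{key}: {value!r}")
```

Run against the sample rows, the report flags both symptoms: the misspelled header is present and 32 bytes of what looks like an SMTP Received header trail the request. Running the same check over a batch of logged packets is a quick way to count how many alerts from a sensor carry glued-together payloads before and after a stream4 upgrade.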