[Snort-users] SMTP HELO overflow attempt
andreas at ...1574...
Tue Jul 30 13:42:02 EDT 2002
On Mon, Jul 29, 2002 at 07:14:17PM -0700, Capps Family wrote:
> I then configured snort to log with the "X" option. When I compared
> the data captured for that IP with the same data in the tcpdump
> packet, the IP header looks completely different. Tcpdump looks
> perfect, the snort dump ip header data looks like it's been
I've also seen some sort of corruption recently and I also have been scratching
my head. What I see sometimes is some sort of overlapping happening with
the data in the payload of HTTP packets.
I also caught the most weird "scan" (snort called it a FIN scan): a tcp
segment with only FIN set (no ACK flag set, but with an ACK number), directed
to port 53, and with a mail-like payload, with smtp commands, such as "MAIL
FROM:", "DATA" and "QUIT", and a TCP header length of zero. Didn't have a
parallel tcpdump running, so I don't know if the packet was really like this
or if some corruption took place.
I'm using Version 1.8.7beta5 (Build 121)
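As an added example (not from this thread or from Snort itself), a small checker for the anomalies described in the odd segment above: a data offset below the 20-byte minimum, FIN set without ACK, a nonzero acknowledgment number with the ACK flag clear, and SMTP verbs carried to a port other than 25. The segment builder, the function names and the sample payload are constructed for illustration.

```python
import struct

# SMTP verbs the post mentions seeing in the payload of the odd segment.
SMTP_VERBS = (b"HELO", b"MAIL FROM:", b"RCPT TO:", b"DATA", b"QUIT")


def build_tcp_segment(sport, dport, seq, ack, data_offset, flags, payload=b""):
    """Build a raw TCP segment (header + payload).

    Constructed test data only: no options, checksum left at zero.
    data_offset is the header length in 32-bit words (5 is the minimum).
    """
    off_flags = ((data_offset & 0xF) << 12) | (flags & 0x1FF)
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 8192, 0, 0)
    return header + payload


def inspect_tcp_segment(segment):
    """Return a list of anomaly descriptions for a raw TCP segment (empty if sane)."""
    findings = []
    if len(segment) < 20:
        return ["segment shorter than a minimal 20-byte TCP header"]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = off_flags >> 12        # header length in 32-bit words
    flags = off_flags & 0x1FF
    fin = flags & 0x01
    ack_flag = flags & 0x10
    if data_offset < 5:
        findings.append(
            f"data offset {data_offset} words: header length below 20-byte minimum")
    if fin and not ack_flag:
        findings.append("FIN set without ACK: not a normal connection teardown")
    if not ack_flag and ack != 0:
        findings.append(f"ACK flag clear but acknowledgment number is {ack}")
    # If the offset is bogus, still look past the fixed 20-byte header for payload.
    header_len = max(data_offset, 5) * 4
    payload = segment[header_len:]
    if dport != 25 and any(verb in payload for verb in SMTP_VERBS):
        findings.append(f"SMTP commands in payload to port {dport}, not 25")
    return findings


if __name__ == "__main__":
    # Constructed segment resembling the one described: FIN only, ACK number set,
    # destination port 53, header length zero, SMTP commands as payload.
    odd = build_tcp_segment(1234, 53, 1, 0x1000, 0, 0x01,
                            b"MAIL FROM:<a@b>\r\nDATA\r\nQUIT\r\n")
    for finding in inspect_tcp_segment(odd):
        print(finding)
```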