[Snort-users] SMTP HELO overflow attempt

Andreas Hasenack andreas at ...1574...
Tue Jul 30 13:42:02 EDT 2002


On Mon, Jul 29, 2002 at 07:14:17PM -0700, Capps Family wrote:
>    I then configured snort to log with the "X" option.  When I compared
>    the data captured for that IP with the same data in the tcpdump
>    packet, the IP header looks completely different.  Tcpdump looks
>    perfect, the snort dump ip header data looks like it's been
>    corrupted.

I've also seen some sort of corruption recently and I also have been scratching
my head. What I see sometimes is some sort of overlapping happening with
the data in the payload of HTTP packets.

I also caught the weirdest "scan" (snort called it a FIN scan): a tcp
segment with only FIN set (no ACK flag set, but with an ACK number), directed
to port 53, and with a mail-like payload, with smtp commands, such as "MAIL
FROM:", "DATA" and "QUIT", and a TCP header length of zero. Didn't have a
parallel tcpdump running, so I don't know if the packet was really like this
or if some corruption took place.

I'm using Version 1.8.7beta5 (Build 121)
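As an added example (not part of the original post and not Snort's own code), a small Python decoder that parses IPv4 and TCP headers with the standard library and flags the oddities described in the message: a TCP header length of zero, FIN set without ACK, a non-zero ACK number with the ACK flag clear, and SMTP commands on a non-SMTP port. A header length below 20 bytes cannot occur on the wire, so a decoder reporting one is either reading corrupted bytes or reading from the wrong offset, which is exactly the distinction a parallel tcpdump would settle. The packets it checks are constructed to mimic the description; the addresses, ports, sequence numbers and the SMTP port list are assumptions.

```python
"""Decode a raw IPv4+TCP packet and list sanity-check findings.

Added example, not from the original post or from Snort. Checksums are not
verified; the point is header decoding and the anomaly checks."""
import struct

# TCP flag bits: the low six bits of the data-offset/flags word (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH, "ACK": ACK, "URG": URG}

# SMTP verbs to look for at the start of a payload, and the ports where they
# are expected (assumed list for this example).
SMTP_VERBS = (b"HELO", b"EHLO", b"MAIL FROM:", b"RCPT TO:", b"DATA", b"QUIT")
SMTP_PORTS = (25, 587)


def build_ipv4_tcp(src, dst, sport, dport, seq, ack_num, data_off_words, flags, payload):
    """Build a raw IPv4+TCP packet with the given header fields.
    data_off_words is the TCP data offset in 32-bit words (5 = 20 bytes);
    passing 0 reproduces the 'header length of zero' case. Checksums stay 0."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack_num,
                      (data_off_words << 12) | flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp


def decode_ipv4_tcp(pkt):
    """Parse the IPv4 and TCP headers of pkt and return the fields plus a list
    of findings. Raises ValueError only when the bytes cannot hold both headers."""
    if len(pkt) < 20:
        raise ValueError("too short for an IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    findings = []
    if ver_ihl >> 4 != 4:
        findings.append("IP version field is %d, not 4" % (ver_ihl >> 4))
    if ihl < 20:
        findings.append("IP header length %d is below the 20-byte minimum" % ihl)
        ihl = 20  # fall back so the TCP bytes can still be examined
    if proto != 6:
        findings.append("IP protocol %d is not TCP" % proto)
    if total_len != len(pkt):
        findings.append("IP total length %d does not match the %d captured bytes" % (total_len, len(pkt)))
    if len(pkt) < ihl + 20:
        raise ValueError("too short for a TCP header")
    sport, dport, seq, ack_num, off_flags, _win, _tcsum, _urg = \
        struct.unpack("!HHIIHHHH", pkt[ihl:ihl + 20])
    data_off = (off_flags >> 12) * 4
    flags = {name: bool(off_flags & bit) for name, bit in FLAG_NAMES.items()}
    if data_off < 20:
        # Impossible on the wire: either the bytes are corrupted or the decoder
        # is reading the TCP header from the wrong offset.
        findings.append("TCP header length %d is impossible (minimum 20 bytes)" % data_off)
        payload = pkt[ihl + 20:]  # best effort: assume a plain 20-byte header
    else:
        payload = pkt[ihl + data_off:]
    if flags["FIN"] and not flags["ACK"]:
        findings.append("FIN set without ACK: no real stack sends this, it is the FIN-scan pattern")
    if ack_num and not flags["ACK"]:
        findings.append("non-zero ACK number %d with the ACK flag clear" % ack_num)
    if payload.startswith(SMTP_VERBS) and dport not in SMTP_PORTS:
        findings.append("SMTP-looking payload on non-SMTP port %d" % dport)
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "sport": sport, "dport": dport, "seq": seq, "ack_num": ack_num,
        "data_off": data_off, "flags": flags, "payload": payload, "findings": findings,
    }


# Constructed packets (not real captures). WEIRD_PACKET mimics the post's
# description; NORMAL_PACKET is an ordinary SMTP data segment for comparison.
WEIRD_PACKET = build_ipv4_tcp("10.0.0.5", "10.0.0.53", 4321, 53, seq=1000, ack_num=2000,
                              data_off_words=0, flags=FIN,
                              payload=b"MAIL FROM:<a@example.test>\r\nDATA\r\nQUIT\r\n")
NORMAL_PACKET = build_ipv4_tcp("10.0.0.5", "10.0.0.25", 4322, 25, seq=1000, ack_num=2000,
                               data_off_words=5, flags=PSH | ACK,
                               payload=b"HELO mail.example.test\r\n")

if __name__ == "__main__":
    for label, pkt in (("weird", WEIRD_PACKET), ("normal", NORMAL_PACKET)):
        r = decode_ipv4_tcp(pkt)
        print("%s: %s:%d -> %s:%d flags=%s data_off=%d" % (
            label, r["src"], r["sport"], r["dst"], r["dport"],
            [n for n, v in r["flags"].items() if v], r["data_off"]))
        for f in r["findings"]:
            print("  - " + f)
```

Fed the raw bytes of a packet that both Snort and tcpdump saw, the decoder gives a third, independent reading; if it agrees with tcpdump and disagrees with Snort's "X" dump, the corruption is in the logging path rather than on the wire.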




