[Snort-users] mismatch.

Ashley Thomas athomas at ...5484...
Fri Jun 28 22:31:02 EDT 2002


I see a small mismatch while analysing the WEB-IIS cmd.exe alert

The packet log in snort has:

[**] WEB-IIS cmd.exe access [**]
06/29-04:51:50.373173 144.75.187.54:2218 -> A.B.C.D:80
TCP TTL:113 TOS:0x0 ID:30233 IpLen:20 DgmLen:99 DF
***AP*** Seq: 0x47D90438  Ack: 0xB49599E3  Win: 0x4470  TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
35 63 25 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79  5c%5c../winnt/sy
73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F  stem32/cmd.exe?/
63 2B 64 69 72 0D 0A                             c+dir..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

While i view the same packet through tcpdump or ethereal i see:

<only the http part>

47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
32 35 35 63 25 32 35 35 63 2E 2E 2F 77 69 6E 6E  255c%255c../winn
74 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64 2E 65  t/system32/cmd.e
78 65 3F 2F 63 2B 64 69 72 0D 0A                 xe?/c+dir..


-- In the original packet it was 255c%255c% but when snort logs
   it logs only 5c%5c%

   Is this because of some decoding that happens like http or unicode ?


thanks
ashley




------------------------------------------------------------------------
What I do today is important because I am paying a day of my life for it. 
------------------------------------------------------------------------




More information about the Snort-users mailing list