Mon Jan 27 12:36:20 EST 2003


Have any of you experienced "payload mixup" with Snort 1.9.0? In our
case, it is the "ICMP redirect host" rule (SID 472) that seems to
display strange payload. In the three cases below, it seems that
telnet or HTTP sessions are mixed with HTTP traffic from another
session as the content of the ICMP message:

(The data is anonymised)

Example 1:
@耽貼yE[NUL][STX]@[DC3]多@[NUL]q[ACK]其Y\xC3\x95\xC3\x8D\xCB\x9CY at ...8106...[NUL]P[HT]\xE2\x80\x98,[FF]-aK6\xC3\x8F8P[DLE]湛[EOT]脱\xC3\x9C[NUL][NUL]ft }.clsTableDataJustify{ BACKGROUND-COLOR: #eeeeee; FONT-WEIGHT: bold; TEXT-ALIGN: justify }.clsTableDataCenter{ BACKGROUND-COLOR: #eeeeee; FONT-WEIGHT: bold; TEXT-ALIGN: center }.clsTableTextTitle{ FONT-WEIGHT: bold; TEXT-ALIGN: left }.clsTableTextRight{ TEXT-ALIGN: right }.clsTableTextLeft{ TEXT-ALIGN: left }.clsTableTextJustify{ TEXT-ALIGN: justify }.clsTableDataColTitle{ COLOR: #333366; BACKGROUND-COLOR: #9999cc; FONT-SIZE: 11px; FONT-WEIGHT: bold; TEXT-ALIGN: left }.clsTableDataCol{ BACKGROUND-COL

Example 2:
@耽貼yE[NUL][SOH]\xE2\x80\x9C[FF][FF]@[NUL]q[ACK]他遜\xC3\x95\xC3\x8D\xCB\x9CU at ...8106...[NUL]P[HT]貼[SO]K[NAK]dK+\xC3\x93<P[CAN]湛蔵\xC3\xA0卒[NUL][NUL]HTTP/1.1 302 Object Moved[CR][LF]Location: http://xxx.xxx.com/redirect.asp?frmSiteStyleId=101234[CR][LF]Server: Microsoft-IIS/5.0[CR][LF]Content-Type: text/html[CR][LF]Content-Length: 186[CR][LF][CR][LF]<head><title>Document Moved</title></head>[LF]<body><h1>Object Moved</h1>This document may be found <a HREF="http://xxx.xxx.com/redirect.asp?frmSiteStyleId=101234">here</a></body>

Example 3:
 Doc A > GET /ddapp-images/blank.gif HTTP/1.1[CR][LF]
 Doc A > Accept: */*[CR][LF]
 Doc A > Referer: http://xxx.xxxxxxxxxxxx.com/[CR][LF]
 Doc A > Accept-Language: en-us[CR][LF]
 Doc A > Accept-Encoding: gzip, deflate[CR][LF]
 Doc A > User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)[CR][LF]
 Doc A > Host: xxx.xxxxxxxxxxxx.com[CR][LF]
 Doc A > Connection: Keep-Alive[CR][LF]
Garbage> ckeCountryId=100[CR][LF][CR]lor:#4e4e4e}[CR][LF]
 Doc B > </style>[CR][LF]
 Doc B > [CR][LF]
 Doc B > [CR][LF]
 Doc B > <title>The page cannot be found</title>
 Doc B > [CR][LF]
 Doc B > [CR][LF]
 Doc B > <META HTTP-EQUIV="Content-Type" Content="text-html;
 Doc B > charset=Windows-1252">[CR][LF]
 Doc B > </head>[CR][LF]
 Doc B > [CR][LF]
 Doc B > <script>
 Doc B > [CR][LF]
 Doc B > function Homepage(){[CR][LF]
 Doc B > <!--[CR][LF]// in real bits, urlsget 

Here two documents are mixed together, with some garbage between.

Have you got any clue what this may be?

Nils Ulltveit-Moe
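An added example (not part of the original post, and not Snort's own code) for checking what an ICMP redirect's payload is supposed to contain. Per RFC 792 a redirect carries the gateway address followed by the original datagram's IP header plus at least its first 8 bytes, and RFC 1812 lets a router quote more, up to 576 bytes of the original datagram. The printable dumps above begin with `E[NUL]`, which is how an IPv4 header (version 4, IHL 5, TOS 0) renders, so decoding the ICMP payload as a quoted inner IPv4/TCP header is the first check to make before concluding the sensor has mixed up buffers. The script builds a constructed host-redirect quoting a TCP segment from port 80 (all addresses and content are made up), then decodes it and reports whether the quoted length is within the RFC bounds:

```python
import socket
import struct

# RFC 792: gateway address, then original IP header + first 8 bytes of the
# original datagram.  RFC 1812 section 4.3.2.3 allows quoting more, but no
# more than 576 bytes of the original datagram in total.
ICMP_REDIRECT = 5
RFC792_MIN_QUOTED = 8
RFC1812_MAX_QUOTED_DATAGRAM = 576


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum used by IP, ICMP and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_redirect(gateway, inner_src, inner_dst, sport, dport, tcp_payload):
    """Construct a host redirect (type 5, code 1) quoting a TCP segment.

    Constructed sample for this example only: addresses, IDs and payload are
    invented.  The inner TCP checksum is left zero, as a quoted segment may be
    truncated anyway and is not what this check is about.
    """
    total_len = 20 + 20 + len(tcp_payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                         113, 6, 0, socket.inet_aton(inner_src),
                         socket.inet_aton(inner_dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    # data offset 5 words (0x50), flags ACK (0x10)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4,
                          0x10, 8192, 0, 0)
    icmp = (struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, socket.inet_aton(gateway))
            + ip_hdr + tcp_hdr + tcp_payload)
    return icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]


def parse_icmp_redirect(pkt: bytes) -> dict:
    """Decode an ICMP redirect and the datagram it quotes; return findings."""
    if len(pkt) < 8:
        raise ValueError("too short for an ICMP header")
    icmp_type, code, _, gw = struct.unpack("!BBH4s", pkt[:8])
    if icmp_type != ICMP_REDIRECT:
        raise ValueError("not an ICMP redirect (type %d)" % icmp_type)
    quoted = pkt[8:]
    info = {
        "code": code,
        "gateway": socket.inet_ntoa(gw),
        # a packet whose checksum field is correct sums to zero overall
        "checksum_ok": inet_checksum(pkt) == 0,
        "quoted_len": len(quoted),
        "inner": None,
    }
    # Does the quoted data even start with an IPv4 header?
    if len(quoted) < 20 or quoted[0] >> 4 != 4:
        return info
    ihl = (quoted[0] & 0x0F) * 4
    (_, _, tot_len, _, _, ttl, proto, _,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", quoted[:20])
    inner = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
             "proto": proto, "total_len": tot_len, "ttl": ttl}
    l4 = quoted[ihl:]
    if proto == 6 and len(l4) >= 20:
        sport, dport, _, _, off_flags, flags = struct.unpack("!HHIIBB", l4[:14])
        data_off = (off_flags >> 4) * 4
        inner.update({"sport": sport, "dport": dport, "tcp_flags": flags,
                      "app_data": l4[data_off:]})
    info["inner"] = inner
    info["quoted_at_least_minimum"] = len(quoted) >= ihl + RFC792_MIN_QUOTED
    info["quoted_within_rfc1812"] = len(quoted) <= RFC1812_MAX_QUOTED_DATAGRAM
    return info


if __name__ == "__main__":
    # Constructed redirect quoting part of a web server's response.
    sample = build_icmp_redirect("10.0.0.1", "192.0.2.10", "198.51.100.7",
                                 80, 3456, b"HTTP/1.1 302 Object Moved\r\n")
    for key, value in parse_icmp_redirect(sample).items():
        print(key, value)
```

The quoted datagram is the one that triggered the redirect, so a redirect raised while a web server's response is in flight will carry that response's IP and TCP headers followed by HTTP content; that is expected and not a sensor fault. A payload that does not start with a parseable IPv4 header, or that runs past the RFC 1812 bound, is the case where the bytes shown cannot have come from the redirect message itself and the sensor's buffer handling deserves a look.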

