[Snort-users] HELP! Is snort combining packets??

Sheahan, Paul Paul.Sheahan at ...2218...
Fri Nov 14 12:40:22 EST 2003


I'm using Red Hat Linux 7.0 and Snort 1.9.0. Yes, I know I need to upgrade, but I want to know if anyone has seen this before anyway:

IP addresses in the sample packet below are masked, though this was a packet from a system on the Internet to a public web server. Notice the packet has multiple "GET /" statements, multiple User-Agent headers, multiple SITESERVER headers, etc. It looks like a bunch of packets mangled together. Because of this, it appears a source address on the Internet is sending information it normally wouldn't send or have knowledge of. We see this kind of "mangling" happen randomly, and it causes Snort to set off alerts when there probably shouldn't be any.

Has anyone else ever seen this before? Maybe something wrong with packet reassembly? Please help.

Thanks,
Paul


Sample packet from Snort capture:

	11/13-01:28:15.460643 x.x.x.x:40473 -> webserver:80
	TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1262
	***AP*** Seq: 0xFC454D55  Ack: 0xCEB1D377  Win: 0x40B0  TcpLen: 20
	GET /images/global/path_tabs_02.gif HTTP/1.1..Accept: */*..Refer
	er: http://www.server.com/travel/airlines/lang/en-us/itinerar
	y.asp?session_key=x0x0x1xCx1x0x1xCx0x3x1x3x6x3x8x5x5x0x9xx37&plf
	=comp&Refid=PLGOTO&RefClickID=A5046..Accept-Language: ko..Accept  
	-Encoding: gzip, deflate..User-Agent: Mozilla/4.0 (compatible; M
	SIE 6.0; Windows NT 5.1)..Host: www.server.com..Connection: K
	eep-Alive..Cookie: SITESERVER=ID=56437973b4938389893628809bbcc7b
	6; Referral=ClickID1=A5046&ProductID1=1&SourceID1=PL&WebEntryTim
	e1=11%2F13%2F2003+1%3A34%3A39&ID1=GOTO; PSessKey=410011AC420011A
	C20031113063439759500498401....ebEntryTime1=11%2F13%2F2003+1%3A3
	3%3A29&ID1=GOTO&ProductID1=1&SourceID1=PL; PSessKey=400011AC4100
	11AC20031113063328757500490337....XXXXGET /imagesGET /images/cus
	tService.gif HTTP/1.1..Accept: */*..Referer: http://www.server2.com/airlines/default.asp?refid=PALOWESGET /images/hp/jamaica_
	breezes.gif HTTP/1.1..User-Agent: Mozilla/4.0 (compatible; MSIE 
	5.5; Windows NT)..Accept: */*..Host: www.server.com..Cookie: SITESERVER=ID=4cc1b75091c61f1dacda993d625554
	d7; PSessKey=x1x0x1xCx2x0x1xCx0x3x1x3x6x4x6x4x6x0x3x8x1..Pragma:
	 No-Cache....ne.com..Connection: Keep-Alive..Cookie: SITESERVER=  
	ID=06e
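One way to triage an alert like this, as an added example that is not from the original post or from Snort itself: a small Python check that distinguishes legitimately pipelined requests (each request line starting right after the previous request's blank line) from a payload where a request line appears mid-header, as in the `GET /imagesGET /images/cus` fragment above. The sample payloads and host names are constructed for the example.

```python
import re

# Request-line openers that appear in the captured web traffic.
REQUEST_START = re.compile(rb"(?:GET|HEAD|POST) /")


def find_request_starts(payload: bytes) -> list:
    """Locate every HTTP request line inside one TCP payload and record
    whether it begins at a legitimate boundary: the start of the payload
    or immediately after the previous request's terminating blank line.
    A request line that starts in the middle of a header value is the
    signature of data from two different requests spliced together."""
    results = []
    for match in REQUEST_START.finditer(payload):
        pos = match.start()
        clean = pos == 0 or payload[pos - 4:pos] == b"\r\n\r\n"
        results.append({"offset": pos, "clean_boundary": clean})
    return results


def looks_spliced(payload: bytes) -> bool:
    """True when more than one request is present and at least one of them
    starts at an unclean boundary. Pipelined requests are normal HTTP/1.1;
    spliced ones deserve a look at stream reassembly before the alert is
    treated as evidence of what the remote host actually sent."""
    starts = find_request_starts(payload)
    return len(starts) > 1 and any(not s["clean_boundary"] for s in starts)


# Constructed samples (not the original capture); CRLF written explicitly
# where Snort's printable dump above shows "..".
PIPELINED = (
    b"GET /a.gif HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
    b"GET /b.gif HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
)
SPLICED = (
    b"GET /a.gif HTTP/1.1\r\nHost: www.example.test\r\n"
    b"Cookie: SITESERVER=ID=abcGET /c.gif HTTP/1.1\r\nAccept: */*\r\n"
)

if __name__ == "__main__":
    for name, payload in (("pipelined", PIPELINED), ("spliced", SPLICED)):
        print(name, find_request_starts(payload), looks_spliced(payload))
```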