[Snort-users] HELP! Is snort combining packets??
Paul.Sheahan at ...2218...
Fri Nov 14 12:40:22 EST 2003
I'm using Red Hat Linux 7.0 and Snort 1.9.0. Yes, I know I need to upgrade, but I want to know if anyone has seen this before anyway:
IP addresses in the sample packet below are masked, though this was a packet from a system on the Internet to a public web server. Notice the packet has multiple "GET /" statements, multiple User-Agent headers, multiple SITESERVER headers, etc. It looks like a bunch of packets mangled together. Because of this, it appears that a source address on the Internet is sending information it normally wouldn't send or have knowledge of. We see this kind of "mangling" happen randomly, and it causes Snort to set off alerts when there probably shouldn't be any.
Has anyone else ever seen this before? Maybe something wrong with packet reassembly? Please help.
Sample packet from Snort capture:
11/13-01:28:15.460643 x.x.x.x:40473 -> webserver:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1262
***AP*** Seq: 0xFC454D55 Ack: 0xCEB1D377 Win: 0x40B0 TcpLen: 20
GET /images/global/path_tabs_02.gif HTTP/1.1..Accept: */*..Refer
-Encoding: gzip, deflate..User-Agent: Mozilla/4.0 (compatible; M
SIE 6.0; Windows NT 5.1)..Host: www.server.com..Connection: K
11AC20031113063328757500490337....XXXXGET /imagesGET /images/cus
tService.gif HTTP/1.1..Accept: */*..Referer: http://www.server2.com/airlines/default.asp?refid=PALOWESGET /images/hp/jamaica_
breezes.gif HTTP/1.1..User-Agent: Mozilla/4.0 (compatible; MSIE
5.5; Windows NT)..Accept: */*..Host: www.server.com..Cookie: SITESERVER=ID=4cc1b75091c61f1dacda993d625554
No-Cache....ne.com..Connection: Keep-Alive..Cookie: SITESERVER=
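An added check, not part of the original post and not Snort code: multiple GET lines in one TCP segment are legal under HTTP/1.1 (pipelining over a Keep-Alive connection), so the count of request-lines alone says nothing. What a client never emits is a request-line glued to the middle of another message ("/imagesGET /images/cus..." or "refid=PALOWESGET /images/hp/...") or a header name cut off mid-word. The script below classifies every request-line in a raw payload as the first request, a properly pipelined one (it directly follows the CRLFCRLF that closes the previous header block), or a spliced one, and also flags a segment that carries more than one distinct User-Agent. Both sample payloads are constructed; SPLICED is modelled on the dump above with CRLF substituted where Snort's ASCII dump prints "..". It operates on raw bytes, so feed it a binary capture rather than the ASCII dump.

```python
"""Classify the HTTP request-lines found inside one TCP segment payload."""
import re

# Method, a space-free request-target, and an HTTP/1.x version, CRLF-terminated.
REQUEST_LINE = re.compile(
    rb"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT) [^ \r\n]+ HTTP/1\.[01]\r\n"
)


def classify_requests(payload: bytes) -> list:
    """Return (offset, request_line, kind) for every request-line in payload.

    kind is "first" at offset 0, "pipelined" when the line immediately
    follows the CRLFCRLF ending the previous header block, and "spliced"
    when it begins anywhere else, i.e. inside another message.
    """
    out = []
    for m in REQUEST_LINE.finditer(payload):
        start = m.start()
        if start == 0:
            kind = "first"
        elif payload[start - 4:start] == b"\r\n\r\n":
            kind = "pipelined"
        else:
            kind = "spliced"
        line = m.group(0).rstrip(b"\r\n").decode("ascii", "replace")
        out.append((start, line, kind))
    return out


def header_values(payload: bytes, name: bytes) -> list:
    """Every value of header `name` anywhere in the payload, in order of appearance."""
    pat = re.compile(rb"(?:^|\r\n)" + re.escape(name) + rb":[ \t]*([^\r\n]*)",
                     re.IGNORECASE)
    return [m.group(1).decode("ascii", "replace") for m in pat.finditer(payload)]


def looks_spliced(payload: bytes) -> bool:
    """True if any request-line starts mid-message, or the segment carries more
    than one distinct User-Agent (one client does not change it mid-connection)."""
    kinds = [k for _, _, k in classify_requests(payload)]
    agents = set(header_values(payload, b"User-Agent"))
    return "spliced" in kinds or len(agents) > 1


# Constructed sample: two well-formed pipelined requests from one client.
PIPELINED = (
    b"GET /images/a.gif HTTP/1.1\r\nHost: www.server.com\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
    b"GET /images/b.gif HTTP/1.1\r\nHost: www.server.com\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)

# Constructed sample modelled on the posted dump: headers cut mid-word and
# request-lines glued onto other messages.
SPLICED = (
    b"GET /images/global/path_tabs_02.gif HTTP/1.1\r\nAccept: */*\r\nRefer"
    b"-Encoding: gzip, deflate\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Host: www.server.com\r\nConnection: K"
    b"11AC20031113063328757500490337\r\n\r\nXXXXGET /images"
    b"GET /images/custService.gif HTTP/1.1\r\nAccept: */*\r\n"
    b"Referer: http://www.server2.com/airlines/default.asp?refid=PALOWES"
    b"GET /images/hp/jamaica_breezes.gif HTTP/1.1\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)\r\n"
    b"Accept: */*\r\nHost: www.server.com\r\n\r\n"
)


if __name__ == "__main__":
    for label, payload in (("pipelined", PIPELINED), ("spliced", SPLICED)):
        print(f"== {label}: spliced={looks_spliced(payload)}")
        for offset, line, kind in classify_requests(payload):
            print(f"  @{offset:4d} {kind:9s} {line}")
        print("  User-Agent values:", header_values(payload, b"User-Agent"))
```

A "pipelined" verdict means the segment is consistent with what a browser sends over one Keep-Alive connection; a "spliced" verdict only says the bytes in this segment do not form a sequence of whole HTTP messages, which is the symptom described above, and does not by itself tell you where in the path (client, network, or the sensor's own stream handling) the bytes were joined.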