[Snort-users] HTTP session packet capture seems borken

Bill McCarty bmccarty at ...5196...
Tue Feb 24 00:16:04 EST 2004


Hi all,

I have a packet capture of an HTTP session that seems broken. In
particular, it looks as though Snort may have confused the inbound and
outbound streams, tacking one onto the other. However, I can't be certain,
since Snort is my only packet capture mechanism for the network involved
in the session.

Here's the capture:

02/03-07:03:21.875360 62.7.227.98:3010 -> X.XX.XX.43:80
TCP TTL:114 TOS:0x0 ID:15092 IpLen:20 DgmLen:201 DF
***AP*** Seq: 0xD59B3FAD  Ack: 0x28C4DBD6  Win: 0x2180  TcpLen: 20
48 45 41 44 20 2F 5F 76 74 69 5F 70 76 74 2F 2E  HEAD /_vti_pvt/.
25 32 35 32 65 2F 2E 25 32 35 32 65 2F 2E 25 32  %252e/.%252e/.%2
35 32 65 2F 2E 25 32 35 32 65 2F 77 69 6E 6E 74  52e/.%252e/winnt
2F 73 79 73 74 65 6D 33 32 2F 63 6D 64 2E 65 78  /system32/cmd.ex
65 3F 2F 63 2B 64 69 72 3F 2F 63 2B 64 69 72 2B  e?/c+dir?/c+dir+
67 3A 5C 20 48 54 54 50 2F 31 2E 30 0D 0A 48 6F  g:\ HTTP/1.0..Ho
73 74 3A 20 xx 2E xx xx 2E xx xx 2E 34 33 0D 0A  st: X.XX.XX.43..
43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 74 65  Content-Type: te
78 74 2F 68 74 6D 6C 0D 0A 43 6F 6E 74 65 6E 74  xt/html..Content
2D 4C 65 6E 67 74 68 3A 20 33 34 32 36 0D 0A 0D  -Length: 3426...
0A                                               .

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/03-07:03:21.927212 62.7.227.98:3010 -> X.XX.XX.43:80
TCP TTL:114 TOS:0x0 ID:15348 IpLen:20 DgmLen:576 DF
***A**** Seq: 0xD59B404E  Ack: 0x28C4DBD6  Win: 0x2180  TcpLen: 20
3C 21 44 4F 43 54 59 50 45 20 48 54 4D 4C 20 50  <!DOCTYPE HTML P
55 42 4C 49 43 20 22 2D 2F 2F 57 33 43 2F 2F 44  UBLIC "-//W3C//D
54 44 20 48 54 4D 4C 20 33 2E 32 20 46 69 6E 61  TD HTML 3.2 Fina
6C 2F 2F 45 4E 22 3E 0D 0A 3C 68 74 6D 6C 20 64  l//EN">..<html d
69 72 3D 6C 74 72 3E 0D 0A 0D 0A 3C 68 65 61 64  ir=ltr>....<head
3E 0D 0A 3C 73 74 79 6C 65 3E 0D 0A 61 3A 6C 69  >..<style>..a:li
6E 6B 09 09 09 7B 66 6F 6E 74 3A 38 70 74 2F 31  nk...{font:8pt/1
31 70 74 20 76 65 72 64 61 6E 61 3B 20 63 6F 6C  1pt verdana; col
6F 72 3A 46 46 30 30 30 30 7D 0D 0A 61 3A 76 69  or:FF0000}..a:vi
73 69 74 65 64 09 09 7B 66 6F 6E 74 3A 38 70 74  sited..{font:8pt
2F 31 31 70 74 20 76 65 72 64 61 6E 61 3B 20 63  /11pt verdana; c
6F 6C 6F 72 3A 23 34 65 34 65 34 65 7D 0D 0A 3C  olor:#4e4e4e}..<
2F 73 74 79 6C 65 3E 0D 0A 0D 0A 3C 4D 45 54 41  /style>....<META
20 4E 41 4D 45 3D 22 52 4F 42 4F 54 53 22 20 43   NAME="ROBOTS" C
4F 4E 54 45 4E 54 3D 22 4E 4F 49 4E 44 45 58 22  ONTENT="NOINDEX"
3E 0D 0A 0D 0A 3C 74 69 74 6C 65 3E 54 68 65 20  >....<title>The
70 61 67 65 20 63 61 6E 6E 6F 74 20 62 65 20 64  page cannot be d
69 73 70 6C 61 79 65 64 3C 2F 74 69 74 6C 65 3E  isplayed</title>
0D 0A 0D 0A 3C 4D 45 54 41 20 48 54 54 50 2D 45  ....<META HTTP-E
51 55 49 56 3D 22 43 6F 6E 74 65 6E 74 2D 54 79  QUIV="Content-Ty
70 65 22 20 43 6F 6E 74 65 6E 74 3D 22 74 65 78  pe" Content="tex
74 2D 68 74 6D 6C 3B 20 63 68 61 72 73 65 74 3D  t-html; charset=
57 69 6E 64 6F 77 73 2D 31 32 35 32 22 3E 0D 0A  Windows-1252">..
3C 2F 68 65 61 64 3E 0D 0A 0D 0A 3C 73 63 72 69  </head>....<scri
70 74 3E 20 0D 0A 66 75 6E 63 74 69 6F 6E 20 48  pt> ..function H
6F 6D 65 70 61 67 65 28 29 7B 0D 0A 3C 21 2D 2D  omepage(){..<!--
0D 0A 2F 2F 20 69 6E 20 72 65 61 6C 20 62 69 74  ..// in real bit
73 2C 20 75 72 6C 73 20 67 65 74 20 72 65 74 75  s, urls get retu
72 6E 65 64 20 74 6F 20 6F 75 72 20 73 63 72 69  rned to our scri
70 74 20 6C 69 6B 65 20 74 68 69 73 3A 0D 0A 2F  pt like this:../
2F 20 72 65 73 3A 2F 2F 73 68 64 6F 63 76 77 2E  / res://shdocvw.
64 6C 6C 2F 68 74 74 70 5F 34 30 34 2E 68 74 6D  dll/http_404.htm
23 68 74 74 70 3A 2F 2F 77 77 77 2E 44 6F 63 55  #http://www.DocU
52 4C 2E 63 6F 6D 2F 62                          RL.com/b

I haven't seen many HTTP requests that send DOCTYPE and HTML or Javascript 
to the server <g>.

My preprocessor configuration follows:

preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode 
iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor telnet_decode
preprocessor bo: -nobrute
#preprocessor asn1_decode

My Snort is "Version 2.0.6 (Build 100)," running under a customized Linux 
distribution.

Thoughts, anyone? Thanks!


---------------------------------------------------
Bill McCarty

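The question in the post is whether the second segment really belongs to the client's side of the connection or whether the reassembler glued the server's reply onto it. That can be settled from the header fields alone, without a second capture point: a continuation from the same sender keeps the same endpoints and the same ACK, and its Seq advances by exactly the previous segment's payload length (DgmLen minus IpLen minus TcpLen, here 201 - 20 - 20 = 161 bytes; 0xD59B3FAD + 161 = 0xD59B404E). A reply from the other end would instead have the endpoints swapped and a Seq equal to the first segment's ACK. The script below is an added example, not code from the post or from Snort: it parses the two header blocks copied from the capture above, applies that consistency check, and also decodes the request URI twice, which is what the http_decode `double_encode` option is for, so the `%252e` components come out as `..`. The function names and the classification strings are illustrative choices, not Snort terminology.

```python
import posixpath
import re
from urllib.parse import unquote

# The two Snort packet headers copied from the capture in the post
# (the second one as written, with no space after "->").
SNORT_HEADERS = [
    """02/03-07:03:21.875360 62.7.227.98:3010 -> X.XX.XX.43:80
TCP TTL:114 TOS:0x0 ID:15092 IpLen:20 DgmLen:201 DF
***AP*** Seq: 0xD59B3FAD  Ack: 0x28C4DBD6  Win: 0x2180  TcpLen: 20""",
    """02/03-07:03:21.927212 62.7.227.98:3010 ->X.XX.XX.43:80
TCP TTL:114 TOS:0x0 ID:15348 IpLen:20 DgmLen:576 DF
***A**** Seq: 0xD59B404E  Ack: 0x28C4DBD6  Win: 0x2180  TcpLen: 20""",
]

# Request-line target from the first segment's payload.
REQUEST_TARGET = (
    "/_vti_pvt/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe"
    "?/c+dir?/c+dir+g:\\"
)


def parse_snort_header(text):
    """Pull endpoints, lengths, flags, Seq and Ack out of a three-line
    Snort ASCII packet header. Raises ValueError on anything else."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3:
        raise ValueError("not a Snort packet header")
    m1 = re.search(r"(\S+) ->\s*(\S+)$", lines[0])
    m2 = re.search(r"IpLen:(\d+)\s+DgmLen:(\d+)", lines[1])
    m3 = re.search(
        r"^(\S{8})\s+Seq: 0x([0-9A-Fa-f]+)\s+Ack: 0x([0-9A-Fa-f]+).*TcpLen:\s*(\d+)",
        lines[2],
    )
    if not (m1 and m2 and m3):
        raise ValueError("not a Snort packet header")
    return {
        "src": m1.group(1), "dst": m1.group(2),
        "iplen": int(m2.group(1)), "dgmlen": int(m2.group(2)),
        "flags": m3.group(1),
        "seq": int(m3.group(2), 16), "ack": int(m3.group(3), 16),
        "tcplen": int(m3.group(4)),
    }


def payload_len(pkt):
    """TCP payload bytes: IP datagram length minus the two headers."""
    return pkt["dgmlen"] - pkt["iplen"] - pkt["tcplen"]


def classify(a, b):
    """Say how segment b relates to the earlier segment a.

    Sequence numbers wrap at 2**32, hence the mask on the expected Seq.
    """
    if a["src"] == b["src"] and a["dst"] == b["dst"] and a["ack"] == b["ack"]:
        expected = (a["seq"] + payload_len(a)) & 0xFFFFFFFF
        if b["seq"] == expected:
            return "same-direction continuation"
        return "same direction, gap or retransmission"
    if a["src"] == b["dst"] and a["dst"] == b["src"] and b["seq"] == a["ack"]:
        return "reply from the other end"
    return "unrelated"


def decode_target(target, rounds=2):
    """Percent-decode the path `rounds` times (double_encode-style) and
    collapse '..' components; returns (normalized_path, query)."""
    path, _, query = target.partition("?")
    for _ in range(rounds):
        path = unquote(path)
    return posixpath.normpath(path), query


if __name__ == "__main__":
    pkts = [parse_snort_header(h) for h in SNORT_HEADERS]
    print("first segment payload:", payload_len(pkts[0]), "bytes")
    print("second segment is:", classify(pkts[0], pkts[1]))
    print("decoded target:", decode_target(REQUEST_TARGET))
```

On the numbers from the capture this reports the second segment as a same-direction continuation and decodes the path to `/winnt/system32/cmd.exe`; if the reassembler had appended the server's response, the endpoints would be reversed and the Seq would sit at the client's ACK value instead.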



