[Snort-users] HTTP Protocol Analysis

Sonika Malhotra sonikam at ...4044...
Thu May 13 23:27:03 EDT 2004


Hello List,

I faced a recurrent problem in my network: any request to 
www.google.com, www.rediff.com, etc. was getting redirected to 
www.coolsavings.com.

So the HTTP traffic dump was taken using Snort (logger mode of Snort).

The following was found in the HTTP session dump, and it can be observed 
that the reply packet had extra appended tags as follows:

... rediff Page contents....
<HTML>
<META HTTP-EQUIV=Refresh Content="0; URL=http://www.coolsavings.com">
</HTML>

Now this page is cached at our proxy, and so all the requests are 
redirected to the new URL.

When we disable the caching at the proxy the problem is taken care of, but 
the mechanism of doing this is still not known.

I shall be grateful if anybody can explain this process.

Regards
Sonika
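
The following check is an added example and not part of the original post: it scans a reassembled HTTP response body for the pattern described above, a meta refresh that sits after the page's own closing `</html>` and points at a host other than the one requested. The function names, the sample body and the assumption that the original page ends with its own `</html>` are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# <meta http-equiv=refresh ...>, attribute values quoted or unquoted
META_REFRESH = re.compile(
    r"<meta\b[^>]*http-equiv\s*=\s*[\"']?refresh[\"']?[^>]*>", re.I)
CONTENT_URL = re.compile(
    r"content\s*=\s*[\"']?\s*\d+\s*;\s*url\s*=\s*([^\"'>\s]+)", re.I)
HTML_CLOSE = re.compile(r"</html\s*>", re.I)

# Constructed sample: a complete page followed by the appended block
# quoted in the post.
SAMPLE = (
    "<html><head><title>rediff</title></head><body>page</body></html>\n"
    "<HTML>\n"
    '<META HTTP-EQUIV=Refresh Content="0; URL=http://www.coolsavings.com">\n'
    "</HTML>\n"
)


def refresh_targets(html):
    """Return (offset, url) for every meta refresh tag found in html."""
    found = []
    for tag in META_REFRESH.finditer(html):
        m = CONTENT_URL.search(tag.group(0))
        if m:
            found.append((tag.start(), m.group(1)))
    return found


def appended_redirects(body, request_host):
    """URLs of meta refreshes located after the first </html> that lead
    to a host different from request_host (assumed known from the request)."""
    close = HTML_CLOSE.search(body)
    if close is None:
        return []
    wanted = request_host.lower()
    hits = []
    for offset, url in refresh_targets(body):
        host = (urlparse(url).hostname or "").lower()
        # Relative targets have no host and stay on the same site.
        if offset >= close.end() and host and host != wanted:
            hits.append(url)
    return hits


if __name__ == "__main__":
    for url in appended_redirects(SAMPLE, "www.rediff.com"):
        print("appended off-site refresh ->", url)
```

Run against objects already stored in a proxy cache, the same check identifies which cached entries need to be purged.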






