[Snort-users] HTTP Protocol Analysis

Sonika Malhotra sonikam at ...4044...
Fri May 14 04:46:12 EDT 2004

Hello Christo,

we suspect the proxy server more than the user PC in this case, since we 
are facing this problem from multiple user PC's and
as soon as we disable the proxy-caching, the redirection doesn't happen.
and I have checked the proxy server, no extra processes are running on 
the server.

The cached file in the proxy is poisoned and so all subsequent requests 
get redirected.
How to find how this cache-page is altered.? whether the 
"persistent-connection" is the culprit or is it something related with 


Christo Louw wrote:

>Normally www.coolsavings.com is activated by a memory resident program that
>redirects your browser's output.  If you are on a newtork, I suggest that
>you open on each pc the task manager, and look for a program called
>save.exe, or any other procces that looks unformiliar to your system setup.
>That machine will send the redirection page to your proxy and therefor
>updates it continouisly.
>----- Original Message ----- 
>From: "Sonika Malhotra" <sonikam at ...4044...>
>To: "snort-users" <snort-users at lists.sourceforge.net>
>Sent: Friday, May 14, 2004 8:33 AM
>Subject: [Snort-users] HTTP Protocol Analysis
>>Hello List,
>>I faced a recurrent problem in my network that any request to
>>www.google.com , www.rediff.com .. etc was getting redirected to
>>So the http traffic dump was taken using Snort. ( logger mode of Snort)
>>The following was found in the HTTP session dump and it can be observed
>>that the reply packet had extra appended tags as follows
>>... rediff Page contents....
>><META HTTP-EQUIV=Refresh Content="0; URL=http://www.coolsavings.com">
>>Now this page is cached at our proxy and so all the requests are
>>redirected to new url.
>>when we disable the caching at proxy the problem is taken care of, but
>>the mechanism of doing this is still not known.
>>I shall be grateful it anybody can explain this process.
>>This SF.Net email is sponsored by: SourceForge.net Broadband
>>Sign-up now for SourceForge Broadband and get the fastest
>>6.0/768 connection for only $19.95/mo for the first 3 months!
>>Snort-users mailing list
>>Snort-users at lists.sourceforge.net
>>Go to this URL to change user options or unsubscribe:
>>Snort-users list archive:

More information about the Snort-users mailing list