[Snort-users] HTTP Protocol Analysis

Keith W. McCammon keith-list at ...6015...
Mon May 17 06:42:08 EDT 2004


It's a small set, but check out the malware.rules file:

http://www.armc.org/malware/


Ms.Sonika Malhotra wrote:
> Is there a tool to detect the spyware in LAN? ie perhaps I can run
> tool from a single host and get a list of suspicious programs running on
> different hosts in the LAN.
> 
> Regards
> 
> On Mon, 17 May 2004, Uso wrote:
> 
> 
>>Looks like spyware. I would run spybot on PCs and server and then have a 2nd
>>look.
>>regards
>>Uso
>>----- Original Message -----
>>From: "Sonika Malhotra" <sonikam at ...4044...>
>>To: "snort-users" <snort-users at lists.sourceforge.net>
>>Sent: Friday, May 14, 2004 10:33 AM
>>Subject: [Snort-users] HTTP Protocol Analysis
>>
>>
>>
>>>Hello List,
>>>
>>>I faced a recurrent problem in my network that any request to
>>>www.google.com , www.rediff.com .. etc was getting redirected to
>>>www.coolsavings.com.
>>>
>>>So the http traffic dump was taken using Snort. ( logger mode of Snort)
>>>
>>>The following was found in the HTTP session dump and it can be observed
>>>that the reply packet had extra appended tags as follows
>>>
>>>... rediff Page contents....
>>><HTML>
>>><META HTTP-EQUIV=Refresh Content="0; URL=http://www.coolsavings.com">
>>></HTML>
>>>
>>>Now this page is cached at our proxy and so all the requests are
>>>redirected to new url.
>>>
>>>when we disable the caching at proxy the problem is taken care of, but
>>>the mechanism of doing this is still not known.
>>>
>>>I shall be grateful if anybody can explain this process.
>>>
>>>Regards
>>>Sonika
>>>
>>>
>>>
>>>
>>>
>>>_______________________________________________
>>>Snort-users mailing list
>>>Snort-users at lists.sourceforge.net
>>>Go to this URL to change user options or unsubscribe:
>>>https://lists.sourceforge.net/lists/listinfo/snort-users
>>>Snort-users list archive:
>>>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
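The mechanism Sonika describes above (a normal page body followed by an appended `<META HTTP-EQUIV=Refresh ...>` block that a caching proxy then serves to everyone) can be checked for in a captured HTTP response. The following is an added example written for this thread, not code from the list or from Snort; the two sample responses are constructed, the helper names are mine, and the check assumes the tell-tale sign is a META refresh that appears after the document's first `</HTML>` and points at a host other than the one requested.

```python
import re
from urllib.parse import urlparse

# Constructed sample (not a real capture): a normal page followed by the
# appended META refresh block that the thread describes.
SAMPLE_TAMPERED = (
    "HTTP/1.0 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<HTML><HEAD><TITLE>rediff</TITLE></HEAD>\n"
    "<BODY>... rediff page contents ...</BODY>\n"
    "</HTML>\n"
    "<HTML>\n"
    '<META HTTP-EQUIV=Refresh Content="0; URL=http://www.coolsavings.com">\n'
    "</HTML>\n"
)

# Constructed sample of a benign page: its own META refresh stays on the
# requested host and sits inside the document, so it must not be flagged.
SAMPLE_CLEAN = (
    "HTTP/1.0 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head>\n"
    '<meta http-equiv="refresh" content="5; url=http://www.rediff.com/news">\n'
    "</head><body>news</body></html>\n"
)

# Tolerant matching: attribute values may be quoted or bare, any case.
META_REFRESH_RE = re.compile(
    r'<meta\b[^>]*\bhttp-equiv\s*=\s*["\']?refresh["\']?[^>]*>',
    re.IGNORECASE | re.DOTALL,
)
CONTENT_RE = re.compile(
    r'\bcontent\s*=\s*["\']?\s*(\d+)\s*;\s*url\s*=\s*["\']?([^"\'>\s]+)',
    re.IGNORECASE,
)
HTML_CLOSE_RE = re.compile(r"</html\s*>", re.IGNORECASE)


def split_response(raw):
    """Split a raw HTTP response into (header block, body)."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        head, sep, body = raw.partition("\n\n")
    return head, body


def find_meta_refreshes(body):
    """Return every META refresh in the body as (offset, delay, url)."""
    found = []
    for tag in META_REFRESH_RE.finditer(body):
        m = CONTENT_RE.search(tag.group(0))
        if m:
            found.append((tag.start(), int(m.group(1)), m.group(2)))
    return found


def appended_redirect(body, request_host):
    """Return the redirect URL if a META refresh sits after the document's
    first </HTML> and points off the requested host; otherwise None."""
    first_close = HTML_CLOSE_RE.search(body)
    for offset, _delay, url in find_meta_refreshes(body):
        after_close = first_close is not None and offset > first_close.start()
        target = (urlparse(url).hostname or "").lower()
        if after_close and target != request_host.lower():
            return url
    return None


def scan_response(raw, request_host):
    """Header/body split plus the appended-redirect check, for one response."""
    _, body = split_response(raw)
    return appended_redirect(body, request_host)


if __name__ == "__main__":
    for name, raw in (("tampered", SAMPLE_TAMPERED), ("clean", SAMPLE_CLEAN)):
        print(name, "->", scan_response(raw, "www.rediff.com"))
```

Run against a Snort logger-mode dump, `scan_response` would be fed each reassembled server-to-client HTTP response together with the host from the matching request; the "after the first `</HTML>`" test is what separates the appended block from a site's own refresh tags. Because the proxy serves the cached copy to every client, one flagged response is enough to explain the LAN-wide redirect, and flushing that cache entry (or disabling caching, as the original post did) clears the symptom while the source of the tampered response is tracked down.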
