[Snort-users] Incorrect payload on acid alerts

M. Shirk shirkdog_linux at ...125...
Wed Nov 10 05:45:01 EST 2004


I am able to receive multiple HTTP connections as single alerts. The *bot 
variants that blow up a lot of ports and send the webdav search overflow 
generate about 12 separate alerts for each full length packet to tcp port 
80. I will get the apparent overflow packets in order.

(Start of packets, and these are followed by alerts with just the hex data)
53 45 41 52 43 48 20 2F 90 02 B1 02 B1 02 B1 02  SEARCH /........
B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02  ................
B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02  ................
B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02  ................

53 45 41 52 43 48 20 2F 90 C9 C9 C9 C9 C9 C9 C9  SEARCH /........
C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9  ................
C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9  ................
C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9 C9  ................


Shirkdog


>From: Jason Haar <Jason.Haar at ...294...>
>To: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] Incorrect payload on acid alerts
>Date: Wed, 10 Nov 2004 15:09:24 +1300
>
>Joshua Berry wrote:
>
>>Several times I have seen a similar issue for HTTP sessions where
>>multiple HTTP connections are shown for own alert.  It appears that
>>several sessions had been combined into a single snort alert and many of
>>these sessions did not match any of the signatures.
>>
>>
>
>I hate to do a "me too" - but, me too.
>
>I was sitting on it until I could come up with something more substantial 
>to help find the problem, but I've seen snort trigger an "EXPLOIT ssh CRC32 
>overflow NOOP" between two hosts I control, and yet the packet captured by 
>snort was actually HTTP headers bunged onto the end of some binary data.
>
>It wasn't SSH data, it wasn't HTTP data, it was...? Packet length was 2630 
>- which makes me think there's still a bug in how snort aggregates packets 
>together into flows.
>
>This was snort-2.2.0 under Fedora Core 2
>
>Jason
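Added example (not from the thread and not Snort code): a small Python check a defender can run over the packet data an ACID alert displays, to separate the two situations discussed above, namely a genuine WebDAV SEARCH request whose URI is padded to an abnormal length, versus an alert payload that contains more than one HTTP request start, which is the symptom of sessions being glued together. The dump text and the merged buffer are constructed samples, and the 1024-byte URI threshold is an assumption, not a Snort rule value.

```python
import re
import string

# Constructed sample: the first payload dump quoted in the post above, in the
# "XX XX ...  ascii" layout that ACID shows for an alert's packet data.
DUMP_SEARCH = """\
53 45 41 52 43 48 20 2F 90 02 B1 02 B1 02 B1 02  SEARCH /........
B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02  ................
B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02  ................
"""
# Constructed: one captured buffer holding two different requests, the symptom
# the thread describes (several sessions glued into a single alert payload).
MERGED = (b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
          + b"\x90" * 16 + b"SEARCH /" + b"\x02\xb1" * 40 + b" HTTP/1.1\r\n")

# Request lines are searched anywhere in the buffer, not only at line starts,
# because the mis-assembled payloads reported here had headers after binary data.
REQUEST = re.compile(rb"(GET|POST|HEAD|PUT|DELETE|OPTIONS|PROPFIND|SEARCH) /")

def parse_hexdump(text):
    """Rebuild raw bytes from dump lines; the ASCII column sits after two spaces."""
    out = bytearray()
    for line in text.splitlines():
        toks = line.strip().split("  ", 1)[0].split()
        if toks and all(len(t) == 2 and set(t) <= set(string.hexdigits) for t in toks):
            out += bytes.fromhex("".join(toks))
    return bytes(out)

def request_offsets(payload):
    """Offsets of every HTTP request line found anywhere in the buffer."""
    return [m.start() for m in REQUEST.finditer(payload)]

def search_uri_length(payload):
    """Bytes of request-URI after 'SEARCH /' up to the next space or CR (0 if none).
    The WebDAV SEARCH overflow pads this with a long filler run; real URIs are short."""
    i = payload.find(b"SEARCH /")
    if i < 0:
        return 0
    uri = payload[i + 8:]
    return min((p for p in (uri.find(b" "), uri.find(b"\r")) if p >= 0), default=len(uri))

def analyze(payload, uri_threshold=1024):
    """Summarise what an alert payload actually contains (threshold is an assumption)."""
    offs = request_offsets(payload)
    uri_len = search_uri_length(payload)
    return {
        "requests": len(offs),
        "offsets": offs,
        "multi_session": len(offs) > 1,   # likely a flow/reassembly mix-up, not one attack
        "search_uri_len": uri_len,
        "search_overflow": uri_len >= uri_threshold,
    }
```

A payload with `multi_session` set is worth comparing against the raw pcap before trusting the alert's packet data, since the rule may have matched on bytes from a different session.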
