[Snort-users] Payload with Additional Data

Dean De Beer ddb at ...13002...
Mon Feb 7 07:07:30 EST 2005


I don't know if anyone has experienced this in the past but I recently
installed the bleeding snort ruleset through IDS Manager [recently installed
the manager out of curiosity cause everything is Microsoft here] - no
problems doing the updates, but recently I saw some unusual traffic and I am
not sure if it is related to this. A user was logging on to zone.msn.com
(online games) signing in using SSL. The other instance occurred when another
user was logging into a portal also using SSL.

BLEEDING-EDGE WEB-IIS ASP.net Auth Bypass / Canonicalization. 
BLEEDING-EDGE WEB-MISC cross site scripting attempt to execute Javascript
code 
BLEEDING-EDGE WEB-MISC cross site scripting attempt TYPE + JAVASCRIPT 
 
The above were the rules that flagged the traffic. The unusual thing is that
part of the payload included data from a separate subnet and VLAN. The
computers that were accessing one of our databases were on a separate subnet
and VLAN. They were connected to the web at the time. All traffic from these
specific computers, on both VLANs, passes through the same switch. Traffic
from the stations accessing the database showed up in the payload of
stations on the different VLAN that were accessing the web.

The tcpdump.log file does not show the HTTP/SSL traffic as containing the
additional data. This sensor is on a spanning port on a Cisco switch so it
would see traffic from both VLANs.

Is it possible that somehow the data was merged while being logged to MySQL
(v4.1)?

I do have traffic captures and related info if needed.

thanks in advance, 
 
Dean
 
Manager of Information Technology
Plaza College
Plaza College Way
Jackson Heights
NY 11372
Tel: (718) 779-1430 ext.115
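One way to check the question the post raises (did the payload get merged in the logging path, or was it really on the wire?) is to compare the payload stored with the alert against the packets in the capture. The script below is an added example, not code from the original post or from the Snort project. It assumes, as Snort's database output does by default, that the alert payload is stored hex-encoded (the `data.data_payload` column), and it stands in for a pcap parser with constructed packet records; the addresses, ports and payload bytes are all made up. It classifies an alert payload as matching a single captured packet, as a concatenation of segments from one TCP flow (what stream reassembly legitimately produces), as a concatenation spanning different flows (the anomaly described in the post), or as unexplained by the capture.

```python
"""Added example: does a Snort alert payload correspond to one captured packet,
to reassembled segments of one flow, or to bytes from several flows?

Assumptions (labelled): the DB stores payloads hex-encoded; captured packets
are represented by constructed records instead of parsing a real pcap."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal stand-in for one captured TCP segment (constructed, no pcap)."""
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes

    def flow(self) -> Tuple[str, int, str, int]:
        """Identify the TCP flow this segment belongs to."""
        return (self.src, self.sport, self.dst, self.dport)


# Constructed sample capture: two segments of one HTTPS flow from the web VLAN
# and one MySQL segment from the database VLAN. Addresses/bytes are invented.
WEB1 = Packet("10.0.1.20", "198.51.100.10", 3211, 443, b"\x16\x03\x01\x00\x2f\x01")
WEB2 = Packet("10.0.1.20", "198.51.100.10", 3211, 443, b"\x00\x00\x2b\x03\x01")
DB = Packet("10.0.2.15", "10.0.2.5", 1723, 3306, b"SELECT name FROM students")
CAPTURE: List[Packet] = [WEB1, WEB2, DB]


def decode_alert_payload(hex_payload: str) -> bytes:
    """Decode the hex string the database output plugin stores for an alert."""
    return bytes.fromhex(hex_payload.strip())


def exact_match(alert: bytes, packets: List[Packet]) -> Optional[Packet]:
    """Return the captured packet whose payload equals the alert payload, if any."""
    for pkt in packets:
        if pkt.payload == alert:
            return pkt
    return None


def merged_from(alert: bytes, packets: List[Packet]) -> List[Packet]:
    """Greedily explain the alert payload as a concatenation of packet payloads.

    Returns the contributing packets in order if the whole alert is covered,
    otherwise an empty list."""
    parts: List[Packet] = []
    pos = 0
    while pos < len(alert):
        for pkt in packets:
            if pkt.payload and alert.startswith(pkt.payload, pos):
                parts.append(pkt)
                pos += len(pkt.payload)
                break
        else:  # no packet payload continues the alert at this offset
            return []
    return parts


def diagnose(hex_payload: str, packets: List[Packet]) -> str:
    """Classify an alert payload relative to the capture.

    single-packet      : identical to one captured segment
    merged-same-flow   : segments of one TCP flow (stream reassembly is expected)
    merged-cross-flow  : bytes from different flows, i.e. the logging path
                         combined data that never shared a packet on the wire
    unexplained        : not reconstructible from the capture at all"""
    alert = decode_alert_payload(hex_payload)
    if exact_match(alert, packets) is not None:
        return "single-packet"
    parts = merged_from(alert, packets)
    if not parts:
        return "unexplained"
    flows = {p.flow() for p in parts}
    return "merged-cross-flow" if len(flows) > 1 else "merged-same-flow"


if __name__ == "__main__":
    for label, hexdata in [
        ("one segment", WEB1.payload.hex()),
        ("reassembled flow", (WEB1.payload + WEB2.payload).hex()),
        ("web + database bytes", (WEB1.payload + DB.payload).hex()),
    ]:
        print(f"{label:22s} -> {diagnose(hexdata, CAPTURE)}")
```

Run against real data, the packet list would come from the capture on the sensor (e.g. read with a pcap library) filtered to the alert's timestamp window, and the hex payload from the alert's row in the database. A `merged-cross-flow` result for an alert whose on-wire packet is clean points at the output or storage layer, which is exactly the distinction the post is trying to make.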
 