[Snort-users] Payload with Additional Data
Dean De Beer
ddb at ...13002...
Mon Feb 7 07:07:30 EST 2005
I don't know if anyone has experienced this in the past but I recently
installed the bleeding snort ruleset through IDS Manager [recently installed
the manager out of curiosity because everything is Microsoft here] - no
problems doing the updates, but recently I saw some unusual traffic and I am
not sure if it is related to this. A user was logging on to zone.msn.com
(online games) signing in using SSL. The other instance occurred when another
user was logging into a portal also using SSL.
BLEEDING-EDGE WEB-IIS ASP.net Auth Bypass / Canonicalization.
The above were the rules that flagged the traffic. The unusual thing is that
part of the payload included data from a separate subnet and VLAN. The
computers that were accessing one of our databases were on a separate subnet
and VLAN. They were connected to the web at the time. All traffic from these
specific computers, on both VLANs, passes through the same switch. Traffic
from the stations accessing the database showed up in the payload of
stations on the different VLAN that were accessing the web.
The tcpdump.log file does not show the HTTP/SSL traffic as containing the
additional data. This sensor is on a spanning port on a Cisco switch so it
would see traffic from both VLANs.
Is it possible that somehow the data was merged while being logged to MySQL?
I do have traffic captures and related info if needed.
thanks in advance,
Manager of Information Technology
Plaza College Way
Tel: (718) 779-1430 ext.115
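One way to check the suspicion raised in the post, as an added example that is not part of the original message or of Snort: take the payload exactly as it was logged to the database and attribute each run of its bytes to a packet in the SPAN-port capture, using the 802.1Q VLAN tag to tell the two VLANs apart. If the logged payload is built from packets on more than one VLAN, the merge happened at logging time rather than on the wire. The frames below are constructed in memory to mirror the described setup (a web/SSL client on one VLAN, a database client on another); in practice they would be read from the tcpdump.log pcap with a capture library, which is the only assumption this example makes beyond the post.

```python
import socket
import struct

# --- Constructed frames (stand-ins for what the SPAN port would have captured) ---

def build_frame(vlan_id, src_ip, dst_ip, sport, dport, payload):
    """Build an 802.1Q-tagged Ethernet/IPv4/TCP frame carrying `payload`."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
    eth += struct.pack("!HHH", 0x8100, vlan_id & 0x0FFF, 0x0800)  # TPID, TCI, EtherType
    total_len = 20 + 20 + len(payload)                              # IPv4 hdr + TCP hdr + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

# VLAN 10: a workstation starting an SSL handshake to a web server (constructed bytes).
SSL_CLIENT_HELLO = b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x01" + b"\x00" * 32
# VLAN 20: a different workstation talking to the internal database (constructed bytes).
DB_QUERY = b"SELECT name, balance FROM customers WHERE id = 42"

FRAMES = [
    build_frame(10, "192.168.10.25", "198.51.100.7", 3321, 443, SSL_CLIENT_HELLO),
    build_frame(20, "192.168.20.14", "192.168.20.5", 2044, 1433, DB_QUERY),
]

# Payload as it might appear in the alert database: the symptom described in the
# post (web traffic followed by bytes from the other VLAN), and a clean record.
LOGGED_MERGED = SSL_CLIENT_HELLO + DB_QUERY
LOGGED_CLEAN = SSL_CLIENT_HELLO

# --- Parsing the captured frames ---

def parse_frame(frame):
    """Return VLAN id, IPv4 endpoints, TCP ports and TCP payload, or None if not IPv4/TCP."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off, vlan = 14, None
    if ethertype == 0x8100:                       # 802.1Q tag present
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype != 0x0800:
        return None
    ihl = (frame[off] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[off + 2:off + 4])[0]
    if frame[off + 9] != 6:                        # protocol must be TCP
        return None
    src = socket.inet_ntoa(frame[off + 12:off + 16])
    dst = socket.inet_ntoa(frame[off + 16:off + 20])
    tcp_off = off + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    payload = frame[tcp_off + data_off:off + total_len]
    return {"vlan": vlan, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "payload": payload}

# --- Attributing a logged payload back to the packets on the wire ---

def attribute_logged_payload(logged_payload, frames):
    """List the captured packets whose TCP payload appears inside the logged payload,
    ordered by where in the logged bytes each one was found."""
    hits = []
    for frame in frames:
        pkt = parse_frame(frame)
        if not pkt or not pkt["payload"]:
            continue
        idx = logged_payload.find(pkt["payload"])
        if idx != -1:
            hits.append({"offset": idx, "length": len(pkt["payload"]),
                         "vlan": pkt["vlan"], "src": pkt["src"], "dst": pkt["dst"],
                         "dport": pkt["dport"]})
    return sorted(hits, key=lambda h: h["offset"])

def spans_multiple_vlans(hits):
    """True when the logged bytes came from packets tagged with more than one VLAN."""
    return len({h["vlan"] for h in hits}) > 1

if __name__ == "__main__":
    for label, logged in (("merged", LOGGED_MERGED), ("clean", LOGGED_CLEAN)):
        hits = attribute_logged_payload(logged, FRAMES)
        print(label, "-> contributing packets:")
        for h in hits:
            print("   offset %3d len %3d  VLAN %s  %s -> %s:%d"
                  % (h["offset"], h["length"], h["vlan"], h["src"], h["dst"], h["dport"]))
        print("   spans multiple VLANs:", spans_multiple_vlans(hits))
```

If the database record attributes to packets on two VLANs while the pcap shows each packet intact on its own VLAN, the capture is fine and the fault lies between the detection engine and the output plugin; if the pcap itself shows the foreign bytes inside the web packet, the problem is upstream of Snort.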