From: Jochen V. <jv...@it...> - 2004-10-20 09:00:33
If I correlate the IDS log with the IPS log I can see the different header structure. I think that barnyard has problems parsing it correctly? And I see that the point "TCP Options" is missing.

----------------------------------------------------------------
IPS

[**] WEB-MISC /etc/passwd [**]
10/15-09:41:46.075405 195.245.50.253:16365 -> 195.245.50.252:80
TCP TTL:127 TOS:0x0 ID:53584 IpLen:20 DgmLen:450 DF
***AP*** Seq: 0x669EF8CC  Ack: 0x5D3677B5  Win: 0xFAF0  TcpLen: 20
47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20  GET /etc/passwd
48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20  HTTP/1.1..Host:
31 39 35 2E 32 34 35 2E 35 30 2E 32 35 32 0D 0A  195.245.50.252..
55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69  User-Agent: Mozi

-------------------------------------------------------------
IDS

[**] WEB-MISC /etc/passwd [**]
10/20-10:38:59.304913 0:8:21:B8:AB:23 -> 0:0:D1:1E:EB:9E type:0x800 len:0x214
80.145.180.112:2193 -> 195.245.50.252:80 TCP TTL:53 TOS:0x0 ID:48351 IpLen:20 DgmLen:518 DF
***AP*** Seq: 0xC6089571  Ack: 0x5C7AFFCD  Win: 0x16B0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 3183946206 504897406
47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20  GET /etc/passwd
48 54 54 50 2F 31 2E 30 0D 0A 41 63 63 65 70 74  HTTP/1.0..Accept
3A 20 69 6D 61 67 65 2F 67 69 66 2C 20 69 6D 61  : image/gif, ima
67 65 2F 78 2D 78 62 69 74 6D 61 70 2C 20 69 6D  ge/x-xbitmap, im
61 67 65 2F 6A 70 65 67 2C 20 69 6D 61 67 65 2F  age/jpeg, image/
70 6A 70 65 67 2C 20 61 70 70 6C 69 63 61 74 69  pjpeg, applicati
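A parser for the two Snort full-alert layouts quoted in the post, added here as an illustration (it is not barnyard's code): it keys on line content rather than fixed line positions, so the extra Ethernet line of the IDS record and the missing "TCP Options" line of the inline (IPS) record are both accepted, and a small helper reports which fields one record has that the other lacks. The sample records are the ones from the post with the payload dumps cut to two lines; the field names are my own choice.

```python
import re

# Constructed samples copied from the two records quoted in the post: the inline (IPS)
# alert has no Ethernet line and no "TCP Options" line, the IDS alert has both.
IPS_ALERT = """[**] WEB-MISC /etc/passwd [**]
10/15-09:41:46.075405 195.245.50.253:16365 -> 195.245.50.252:80
TCP TTL:127 TOS:0x0 ID:53584 IpLen:20 DgmLen:450 DF
***AP*** Seq: 0x669EF8CC  Ack: 0x5D3677B5  Win: 0xFAF0  TcpLen: 20
47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20  GET /etc/passwd
48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20  HTTP/1.1..Host:
"""
IDS_ALERT = """[**] WEB-MISC /etc/passwd [**]
10/20-10:38:59.304913 0:8:21:B8:AB:23 -> 0:0:D1:1E:EB:9E type:0x800 len:0x214
80.145.180.112:2193 -> 195.245.50.252:80 TCP TTL:53 TOS:0x0 ID:48351 IpLen:20 DgmLen:518 DF
***AP*** Seq: 0xC6089571  Ack: 0x5C7AFFCD  Win: 0x16B0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 3183946206 504897406
47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20  GET /etc/passwd
48 54 54 50 2F 31 2E 30 0D 0A 41 63 63 65 70 74  HTTP/1.0..Accept
"""

MSG_RE = re.compile(r"^\[\*\*\] (?:\[[\d:]+\] )?(?P<msg>.*?) \[\*\*\]$")
ETH_RE = re.compile(r"^\S+ [0-9A-Fa-f:]+ -> [0-9A-Fa-f:]+ type:0x[0-9A-Fa-f]+")
FLOW_RE = re.compile(r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")
TCP_RE = re.compile(r"\bTCP TTL:(?P<ttl>\d+) .*?TcpLen: (?P<tcplen>\d+)", re.S)
OPTS_RE = re.compile(r"^TCP Options \(\d+\) => (?P<opts>.*)$", re.M)
HEX_RE = re.compile(r"^((?:[0-9A-F]{2} ){1,16})", re.M)

def parse_alert(text):
    """Parse one Snort full-format alert; accepts both header variants above."""
    lines = text.strip().splitlines()
    rec = {"msg": MSG_RE.match(lines[0]).group("msg"), "timestamp": lines[1].split()[0]}
    rec["ethernet"] = bool(ETH_RE.match(lines[1]))
    # With an Ethernet line the IP 5-tuple moves down one line; without it the
    # addresses share the timestamp line.  Locate it by content, not by position.
    flow = FLOW_RE.search(lines[2] if rec["ethernet"] else lines[1])
    rec.update(src=flow["src"], sport=int(flow["sport"]), dst=flow["dst"], dport=int(flow["dport"]))
    body = "\n".join(lines[1:])
    tcp = TCP_RE.search(body)
    rec["ttl"], rec["tcplen"] = int(tcp["ttl"]), int(tcp["tcplen"])
    opts = OPTS_RE.search(body)
    rec["tcp_options"] = opts["opts"].split() if opts else None  # None when the line is absent
    hexbytes = "".join(m.group(1) for m in HEX_RE.finditer(body)).split()
    rec["payload"] = bytes(int(h, 16) for h in hexbytes)  # decoded from the hex dump columns
    return rec

def fields_missing_in(reference, other):
    """Names of fields set in `reference` but absent (None) in `other`, for correlating two records."""
    return sorted(k for k, v in reference.items() if v is not None and other.get(k) is None)
```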