
Re: [Snort-sigs] FP with BLEEDING-EDGE Proxy POST Request -- 2001674

Subject: Re: [Snort-sigs] FP with BLEEDING-EDGE Proxy POST Request -- 2001674
Date: Wed, 06 Apr 2005 18:37:28 -0500
How do you have HTTP_SERVERS defined? If that's not any, or is set to HOME_NET, then these falses won't happen.

However, it is interesting that this does hit there. This looks like an MSN Messenger client staying alive, using HTTP rather than the native protocol. Might be going through a proxy, etc.

Matt

Russell Fulton wrote:
We are seeing many FPs going to hotmail servers...

But only from our dial-up users ???

Russell


META
--------
SID     CID     TimeStamp               Signature
2       852073  2005-04-06 14:45:27     BLEEDING-EDGE Proxy POST Request
Sig ID
2001674

Sensor Hostname                         Sensor Interface
monitor-itss    bge0

IP
--------
Source Address  Dest Address    Ver     Hdr Len
130.216.8.30    207.46.110.29   4       5
TOS     length  ID      flags   offset  TTL     chksum
0       379     25002   2       0       127     53392

Resolved Source
m.penehira.slip.auckland.ac.nz

Resolved Dest
baym-gw29.msgr.hotmail.com


TCP
--------
Source Port     Dest Port       Seq             Ack
3033            80              290657398       3794671764
Offset  Reserved        Flags   Window  Checksum        Urgent Ptr
5       0               24      8187    58680           0


Options
--------
None


Flags
--------
RB 1    RB 0    URG     ACK     PSH     RST     SYN     FIN
                        X       X


DATA
--------
504F535420687474703A    POST http:
2F2F3230372E34362E31    //207.46.1
31302E32392F67617465    10.29/gate
7761792F676174657761    way/gatewa
792E646C6C3F41637469    y.dll?Acti
6F6E3D706F6C6C265365    on=poll&Se
7373696F6E49443D3736    ssionID=76
373538303937352E3939    7580975.99
383720485454502F312E    87 HTTP/1.
310D0A4163636570743A    1..Accept:
202A2F2A0D0A41636365     */*..Acce
70742D4C616E67756167    pt-Languag
653A20656E2D75730D0A    e: en-us..
4163636570742D456E63    Accept-Enc
6F64696E673A20677A69    oding: gzi
702C206465666C617465    p, deflate
0D0A557365722D416765    ..User-Age
6E743A204D534D534753    nt: MSMSGS
0D0A486F73743A203230    ..Host: 20
372E34362E3131302E32    7.46.110.2
390D0A50726F78792D43    9..Proxy-C
6F6E6E656374696F6E3A    onnection:
204B6565702D416C6976     Keep-Aliv
650D0A436F6E6E656374    e..Connect
696F6E3A204B6565702D    ion: Keep-
416C6976650D0A507261    Alive..Pra
676D613A206E6F2D6361    gma: no-ca
6368650D0A436F6E7465    che..Conte
6E742D547970653A2061    nt-Type: a
70706C69636174696F6E    pplication
2F782D6D736E2D6D6573    /x-msn-mes
73656E6765720D0A436F    senger..Co
6E74656E742D4C656E67    ntent-Leng
74683A20300D0A0D0A      th: 0....

--
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
www.bleedingsnort.com




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
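As an added illustration, not part of the thread or of the Bleeding Edge rule set, the Python below decodes the request from Russell's alert payload, checks the two things the thread talks about (a proxy-style POST with an absolute URI, and the MSN Messenger HTTP keep-alive headers), and models Matt's point about HTTP_SERVERS: the same packet alerts when the variable is `any` but not when it is restricted to HOME_NET. The rule's exact text is not in the thread, so the destination-variable test and the 130.216.0.0/16 HOME_NET range are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed from the hex dump of alert CID 852073 in the thread, decoded to text.
PAYLOAD = (
    b"POST http://207.46.110.29/gateway/gateway.dll?Action=poll&SessionID=767580975.9987 HTTP/1.1\r\n"
    b"Accept: */*\r\nAccept-Language: en-us\r\nAccept-Encoding: gzip, deflate\r\n"
    b"User-Agent: MSMSGS\r\nHost: 207.46.110.29\r\nProxy-Connection: Keep-Alive\r\n"
    b"Connection: Keep-Alive\r\nPragma: no-cache\r\n"
    b"Content-Type: application/x-msn-messenger\r\nContent-Length: 0\r\n\r\n"
)

def parse_request(payload: bytes) -> dict:
    """Split an HTTP request into method, request target, version and lower-cased headers."""
    head, _, _body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}

def is_proxy_style_post(req: dict) -> bool:
    """Proxy-style request: a POST whose target is an absolute URI (scheme plus host)."""
    parts = urlsplit(req["target"])
    return req["method"] == "POST" and parts.scheme in ("http", "https") and bool(parts.netloc)

def looks_like_msn_http_keepalive(req: dict) -> bool:
    """The benign cause Matt describes: MSN Messenger polling its gateway over HTTP."""
    h = req["headers"]
    return (h.get("user-agent") == "MSMSGS"
            and h.get("content-type") == "application/x-msn-messenger"
            and "Action=poll" in req["target"])

def dst_in_http_servers(dst_ip: str, http_servers: str, home_net: str) -> bool:
    """Assumed model of the rule's destination test: 'any' matches every host,
    '$HOME_NET' only the local range, anything else is taken as a literal CIDR."""
    if http_servers == "any":
        return True
    net = home_net if http_servers == "$HOME_NET" else http_servers
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(net)

def would_alert(payload: bytes, dst_ip: str, http_servers: str,
                home_net: str = "130.216.0.0/16") -> bool:  # home_net is an assumed range
    """True when the content matches and the destination falls inside HTTP_SERVERS."""
    req = parse_request(payload)
    return is_proxy_style_post(req) and dst_in_http_servers(dst_ip, http_servers, home_net)
```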
