[Snort-users] snort mixes multiple (unrelated) payloads into one alert

Hello,

I have a couple of dozen individual snort sensors that are all having the
same problem.  When one of them logs an alert, it seems to quite frequently
mix payload data from other unrelated packets into that alert.

For example, below is a packet alerted on, it is an FTP signature, and
portions of the payload are obviously HTTP traffic.  The destination host
does not even run an HTTP service.  This happens on many different
signatures; I can see no pattern to it.  This is driving me nuts with false
positives as well as making investigation very difficult.

Any help anybody can lend is greatly appreciated.

#(18 - 16565706) [2006-07-20 00:23:55]  FTP format string attempt
IPv4: 202.180.175.138 -> 10.24.7.111
      hlen=5 TOS=16 dlen=225 ID=0 flags=0 offset=0 TTL=240 chksum=0
TCP:  port=43606 -> dport: 21  flags=***AP*** seq=2041221560
      ack=594432217 off=5 res=0 win=1460 urp=0 chksum=0
Payload:  length = 185

000 : 47 45 54 20 2F 62 2F 73 73 2F 6D 73 6E 70 6F 72   GET /b/ss/msnpor
010 : 74 61 6C 65 61 72 74 68 2F 31 2F 48 2E 31 2D 70   talearth/1/H.1-p
020 : 64 52 4D 44 20 73 61 72 63 61 78 78 6F 0D 0A 55   dRMD sarcaxxo..U
030 : 53 45 52 20 41 64 6D 69 6E 69 73 74 72 61 74 6F   SER Administrato
040 : 72 0D 0A 31 39 2F 36 2F 32 30 30 36 25 32 30 32   r..19/6/2006%202
050 : 30 25 33 41 32 33 25 33 41 35 37 25 32 30 33 25   0%3A23%3A57%203%
060 : 32 30 32 34 30 26 6E 73 3D 6D 73 6E 70 6F 72 74   20240&ns=msnport
070 : 61 6C 26 70 61 67 65 4E 61 6D 65 3D 56 45 25 32   al&pageName=VE%2
080 : 30 25 37 43 25 32 30 48 6F 6D 65 25 32 30 50 61   0%7C%20Home%20Pa
090 : 67 65 26 67 3D 68 74 74 70 25 33 41 2F 2F 6C 6F   ge&g=http%3A//lo
0a0 : 63 61 6C 2E 6C 69 76 65 2E 63 6F 52 4D 44 20 73   cal.live.coRMD s
0b0 : 61 72 63 61 78 78 6F 0D 0A                        arcaxxo..

-- 
Eric J. Bowser
Bright.Net NE / Doylestown Communications, Inc.
800-535-6423 toll-free
www.neobright.net
www.doyestowncommunications.com

ÂProviding advanced communications since 1899.Â

signature.asc
Description: OpenPGP digital signature

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users