[Snort-users] Payload with Additional Data

Old 02-07-2005
Dean De Beer
 
I don't know if anyone has experienced this in the past, but I recently installed the bleeding snort ruleset through IDS Manager [recently installed the manager out of curiosity cause everything is Microsoft here] - no problems doing the updates, but recently I saw some unusual traffic and I am not sure if it is related to this. A user was logging on to zone.msn.com (online games) signing in using SSL. The other instance occurred when another user was logging into a portal also using SSL.

BLEEDING-EDGE WEB-IIS ASP.net Auth Bypass / Canonicalization.
BLEEDING-EDGE WEB-MISC cross site scripting attempt to execute Javascript code
BLEEDING-EDGE WEB-MISC cross site scripting attempt TYPE + JAVASCRIPT

The above were the rules that flagged the traffic. The unusual thing is that part of the payload included data from a separate subnet and VLAN. The computers that were accessing one of our databases were on a separate subnet and VLAN. They were connected to the web at the time. All traffic from these specific computers, on both VLANs, passes through the same switch. Traffic from the stations accessing the database showed up in the payload of stations on the different VLAN that were accessing the web.

The tcpdump.log file does not show the HTTP/SSL traffic as containing the additional data. This sensor is on a spanning port on a Cisco switch so it would see traffic from both VLANs.

Is it possible that somehow the data was merged while being logged to MySQL (v4.1)?

I do have traffic captures and related info if needed.

thanks in advance,

Dean

Manager of Information Technology
Plaza College
Plaza College Way
Jackson Heights
NY 11372
Tel: (718) 779-1430 ext.115





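One way to test the "merged while being logged to MySQL" hypothesis from the database side, as an added example that is not part of the original post: for every alert, compare the length of the stored payload with the number of payload bytes the packet's own IP total length allows for. The column names (iphdr.ip_len, iphdr.ip_hlen, tcphdr.tcp_off, data.data_payload) are assumed to follow the standard Snort database schema and should be checked against the create_mysql script that built the database; the rows below are constructed, and an in-memory sqlite3 database stands in for MySQL.

```python
import sqlite3

# Column names follow the standard Snort database schema (iphdr.ip_len and ip_hlen,
# tcphdr.tcp_off, data.data_payload). This is an assumption; verify the names against
# the create_mysql script that created your own database.
SCHEMA = """
CREATE TABLE iphdr  (sid INT, cid INT, ip_hlen INT, ip_len INT);
CREATE TABLE tcphdr (sid INT, cid INT, tcp_off INT);
CREATE TABLE data   (sid INT, cid INT, data_payload TEXT);
"""

def find_oversized_payloads(con):
    """Return one (sid, cid, expected_len, stored_len, extra) tuple per alert whose
    stored payload is longer than the packet's own IP total length allows for.
    ip_hlen and tcp_off are header lengths in 32-bit words, as Snort logs them."""
    rows = con.execute("""
        SELECT i.sid, i.cid, i.ip_len - 4 * i.ip_hlen - 4 * t.tcp_off, d.data_payload
        FROM iphdr i
        JOIN tcphdr t ON t.sid = i.sid AND t.cid = i.cid
        JOIN data   d ON d.sid = i.sid AND d.cid = i.cid""")
    suspicious = []
    for sid, cid, expected, hex_payload in rows:
        stored = bytes.fromhex(hex_payload or "")   # Snort writes the payload as hex text
        if len(stored) > expected:
            suspicious.append((sid, cid, expected, len(stored), stored[expected:]))
    return suspicious

# Constructed sample alerts, not taken from the original post.
PAYLOAD_OK = b"GET /default.aspx HT"                          # 20 bytes, matches the headers
PAYLOAD_EXTRA = b"\x16\x03\x01\x00\x10" + b"10.1.2.3 SELECT"  # 20 bytes that do not belong

def sample_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    # Alert (1,1): ip_len 60 = 20-byte IP header + 20-byte TCP header + 20 payload bytes.
    con.execute("INSERT INTO iphdr VALUES (1, 1, 5, 60)")
    con.execute("INSERT INTO tcphdr VALUES (1, 1, 5)")
    con.execute("INSERT INTO data VALUES (1, 1, ?)", (PAYLOAD_OK.hex().upper(),))
    # Alert (1,2): identical headers, but 40 payload bytes were stored for the packet.
    con.execute("INSERT INTO iphdr VALUES (1, 2, 5, 60)")
    con.execute("INSERT INTO tcphdr VALUES (1, 2, 5)")
    con.execute("INSERT INTO data VALUES (1, 2, ?)", ((PAYLOAD_OK + PAYLOAD_EXTRA).hex().upper(),))
    return con

if __name__ == "__main__":
    for sid, cid, expected, stored, extra in find_oversized_payloads(sample_db()):
        print(f"alert {sid}:{cid}: headers allow {expected} payload bytes, {stored} stored")
        print("  bytes beyond the packet boundary:", extra)
```

Against a real Snort database, point the same query at MySQL and compare any bytes it reports beyond the packet boundary with the corresponding packet in tcpdump.log; if the capture lacks them, the discrepancy was introduced at logging time, not on the wire.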