On Fri, Jan 25, 2002 at 08:51:54AM -0500, Grimes, Shawn (NIA/IRP) wrote:
> This may be normal but who knows. I picked up the following alert today:
...
> 220 : 7D 7C 7C 7C 7B 7B 7B 7A 7A 7A 79 79 79 78 78 78 }|||{{{zzzyyyxxx
> 230 : 77 77 77 76 76 76 75 75 75 74 74 74 73 73 73 72 wwwvvvuuutttsssr
> 240 : 72 72 71 71 71 70 70 70 6F 6F 6F 6E 6E 6E 6D 6D rrqqqpppooonnnmm
...
> Could this be a normal http/webmail packet? But it almost seems to me that
> someone reversed the alphabet to maybe bypass some intrusion detection
> systems that would pick up on it in the packet? Any ideas? Below is the
> full packet contents.
Looks like part of an image file to me, probably it is just (part of) a .gif or
.png. I get these alerts in snort all the time. I view them in the same light
as the 'x86 shellcode' alert, which pops up every now and then in an image file
which contains some 'NOP opcodes'.
Cheers//Frank
--
WWWWW _______________________
## o o\ / Frank de Lange \
}# \| / \
##---# _/ <Hacker for Hire> \
#### \ +31-320-252965 /
\ secf-frankat_private /
-------------------------
[ "Omnis enim res, quae dando non deficit, dum habetur
et non datur, nondum habetur, quomodo habenda est." ]
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Jan 25 2002 - 09:13:56 PST