Re: Odd string in packet...

From: Frank de Lange (secf-frankat_private)
Date: Fri Jan 25 2002 - 09:01:23 PST


    On Fri, Jan 25, 2002 at 08:51:54AM -0500, Grimes, Shawn (NIA/IRP) wrote:
    > This may be normal but who knows.  I picked up the following alert today:
    ...
    > 220 : 7D 7C 7C 7C 7B 7B 7B 7A 7A 7A 79 79 79 78 78 78   }|||{{{zzzyyyxxx
    > 230 : 77 77 77 76 76 76 75 75 75 74 74 74 73 73 73 72   wwwvvvuuutttsssr
    > 240 : 72 72 71 71 71 70 70 70 6F 6F 6F 6E 6E 6E 6D 6D   rrqqqpppooonnnmm
    ...
    > Could this be a normal http/webmail packet?  But it almost seems to me that
    > someone reversed the alphabet to maybe bypass some intrusion detection
    > systems that would pick up on it in the packet?  Any ideas?  Below is the
    > full packet contents.
    
    Looks like part of an image file to me; probably it is just (part of) a .gif or
    .png. I get these alerts in snort all the time. I view them in the same light
    as the 'x86 shellcode' alert, which pops up every now and then in an image file
    that contains some 'NOP opcodes'.
    
    Cheers//Frank
    -- 
      WWWWW      _______________________
     ## o o\    /     Frank de Lange     \
     }#   \|   /                          \
      ##---# _/     <Hacker for Hire>      \
       ####   \      +31-320-252965        /
               \ secf-frankat_private  /
                -------------------------
     [ "Omnis enim res, quae dando non deficit, dum habetur
        et non datur, nondum habetur, quomodo habenda est."
        (For anything that is not diminished by being given away,
         so long as it is held and not given, is not yet held as
         it ought to be held.) ]
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
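    As an added example (not part of the original thread, and not code from either
    poster), here is a small Python script that parses the snort-style hex dump quoted
    above and checks the property the reply is relying on. In the quoted bytes each
    value appears three times in a row and the values step down by exactly one, which
    is what a grayscale ramp stored as RGB triplets looks like (an uncompressed bitmap
    row, or for instance a grayscale colour table in a GIF header, stores every gray
    level as three identical bytes). A "reversed alphabet" written as text would be one
    byte per letter with no repeats. The script also measures the longest run of 0x90
    bytes, which is why a flat gray region of raw pixel data can trip a rule that looks
    for x86 NOP sleds. The three dump lines are the ones quoted in the post; the
    REVERSED_ALPHABET and FLAT_GRAY inputs and the triage threshold are constructed for
    the example and do not correspond to any particular snort rule.

```python
import re
from typing import List, Tuple

# The three snort-style dump lines ("offset : hex bytes   ascii") quoted in the post.
POST_DUMP = """\
220 : 7D 7C 7C 7C 7B 7B 7B 7A 7A 7A 79 79 79 78 78 78   }|||{{{zzzyyyxxx
230 : 77 77 77 76 76 76 75 75 75 74 74 74 73 73 73 72   wwwvvvuuutttsssr
240 : 72 72 71 71 71 70 70 70 6F 6F 6F 6E 6E 6E 6D 6D   rrqqqpppooonnnmm
"""

# Constructed contrast inputs (not from the post):
# what the "reversed alphabet" theory would look like, one byte per letter ...
REVERSED_ALPHABET = b"zyxwvutsrqponmlkjihgfedcba"
# ... and a flat mid-gray RGB(0x90,0x90,0x90) fill, the kind of pixel run that a
# byte-pattern rule looking for x86 NOP (0x90) sleds will happily match.
FLAT_GRAY = bytes([0x90]) * 48

# offset, colon, then hex byte pairs; the trailing ASCII column is separated by
# several spaces and is deliberately not captured.
DUMP_LINE = re.compile(r"^\s*[0-9A-Fa-f]+\s*:\s*((?:[0-9A-Fa-f]{2}\s?)+)")


def parse_dump(text: str) -> bytes:
    """Pull the raw bytes out of snort-style hex dump lines, ignoring the ASCII column."""
    out = bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def runs(data: bytes) -> List[Tuple[int, int]]:
    """Run-length encode the bytes as [(value, count), ...]."""
    out: List[Tuple[int, int]] = []
    for b in data:
        if out and out[-1][0] == b:
            out[-1] = (b, out[-1][1] + 1)
        else:
            out.append((b, 1))
    return out


def looks_like_gradient(data: bytes, channels: int = 3) -> bool:
    """True if every interior value repeats exactly `channels` times and successive
    values step by a constant +1 or -1: a grayscale ramp stored as RGB triplets.
    The first and last runs may be cut off by the dump window, so only the
    interior runs are checked for length."""
    r = runs(data)
    if len(r) < 4:
        return False
    if any(n != channels for _, n in r[1:-1]):
        return False
    steps = {b - a for (a, _), (b, _) in zip(r, r[1:])}
    return steps == {1} or steps == {-1}


def longest_run(data: bytes, value: int) -> int:
    """Length of the longest consecutive run of `value` (0x90 for a NOP-sled check)."""
    return max((n for v, n in runs(data) if v == value), default=0)


def triage(data: bytes) -> str:
    """One-line verdict in the spirit of the reply above."""
    if looks_like_gradient(data):
        return "smooth RGB ramp: looks like raw pixel data, not obfuscated text"
    nops = longest_run(data, 0x90)
    if nops >= 8:  # illustrative threshold, not taken from any snort rule
        return f"{nops} consecutive 0x90 bytes: NOP-sled shaped, but a flat gray fill looks the same"
    return "no image-like structure found; treat as ordinary payload"


if __name__ == "__main__":
    for name, blob in (("post dump", parse_dump(POST_DUMP)),
                       ("reversed alphabet", REVERSED_ALPHABET),
                       ("flat gray", FLAT_GRAY)):
        print(f"{name:18} {triage(blob)}")
```

    Running it reports the quoted dump as a smooth RGB ramp, the constructed reversed
    alphabet as plain payload (no repeats, so no triplet structure), and the flat gray
    fill as NOP-sled shaped, which is the same false positive the reply describes for
    the 'x86 shellcode' alert.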
    



    This archive was generated by hypermail 2b30 : Fri Jan 25 2002 - 09:13:56 PST