On Fri, Jan 25, 2002 at 08:51:54AM -0500, Grimes, Shawn (NIA/IRP) wrote:
> This may be normal but who knows. I picked up the following alert today:
...
> 220 : 7D 7C 7C 7C 7B 7B 7B 7A 7A 7A 79 79 79 78 78 78 }|||{{{zzzyyyxxx
> 230 : 77 77 77 76 76 76 75 75 75 74 74 74 73 73 73 72 wwwvvvuuutttsssr
> 240 : 72 72 71 71 71 70 70 70 6F 6F 6F 6E 6E 6E 6D 6D rrqqqpppooonnnmm
...
> Could this be a normal http/webmail packet? But it almost seems to me that
> someone reversed the alphabet to maybe bypass some intrusion detection
> systems that would pick up on it in the packet? Any ideas? Below is the
> full packet contents.

Looks like part of an image file to me, probably it is just (part of) a .gif or
.png. I get these alerts in snort all the time. I view them in the same light
as the 'x86 shellcode' alert, which pops up every now and then in an image file
which contains some 'NOP opcodes'.

Cheers//Frank
--
  WWWWW      _______________________
 ## o o\    /     Frank de Lange     \
 }#   \|   /                          \
  ##---# _/     <Hacker for Hire>      \
   ####   \      +31-320-252965        /
           \    secf-frankat_private  /
            -------------------------
 [ "For every thing that is not diminished by being given away, while it is
    possessed and not given, is not yet possessed as it ought to be possessed." ]

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
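A triage helper for the kind of check the reply implies, added here as an example and not part of the original thread: it parses the three dump rows quoted in the message and characterises the byte pattern before anyone treats the alert as an encoded attack. The function names and the "constant"/"ramp"/"mixed" labels are assumptions made for this example, and only the three quoted rows are used because the rest of the packet is elided in the message.

```python
import re
from itertools import groupby

# The three dump rows quoted in the message (offset : 16 hex bytes, ASCII column).
DUMP = """\
220 : 7D 7C 7C 7C 7B 7B 7B 7A 7A 7A 79 79 79 78 78 78 }|||{{{zzzyyyxxx
230 : 77 77 77 76 76 76 75 75 75 74 74 74 73 73 73 72 wwwvvvuuutttsssr
240 : 72 72 71 71 71 70 70 70 6F 6F 6F 6E 6E 6E 6D 6D rrqqqpppooonnnmm
"""

# Offset, colon, then at most 16 two-digit hex bytes; the ASCII column is ignored.
ROW = re.compile(r"^\s*[0-9A-Fa-f]+\s*:\s*((?:[0-9A-Fa-f]{2}(?:\s+|$)){1,16})")


def parse_dump(text):
    """Collect payload bytes from 'offset : hex bytes  ascii' dump rows."""
    payload = bytearray()
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            payload += bytes.fromhex(match.group(1))
    return bytes(payload)


def runs(data):
    """Run-length encode the payload as (byte value, repeat count) pairs."""
    return [(value, len(list(group))) for value, group in groupby(data)]


def classify(data, min_len=16):
    """Label the byte pattern: 'constant', 'ramp', 'mixed' or 'too short'."""
    if len(data) < min_len:
        return "too short"
    encoded = runs(data)
    if len(encoded) == 1:
        return "constant"  # one repeated byte, e.g. a run of 0x90
    steps = {b[0] - a[0] for a, b in zip(encoded, encoded[1:])}
    inner = {count for _, count in encoded[1:-1]}  # edge runs may be cut off
    if steps in ({1}, {-1}) and len(inner) == 1:
        return "ramp"  # values step by one with a fixed repeat count
    return "mixed"


if __name__ == "__main__":
    data = parse_dump(DUMP)
    print(len(data), "bytes:", classify(data), runs(data)[:4])
```

On the quoted rows this reports a ramp: every value from 0x7C down to 0x6E appears exactly three times in sequence, a regular structure rather than text or a constant fill.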
This archive was generated by hypermail 2b30 : Fri Jan 25 2002 - 09:13:56 PST