Re: www.google.com reference in directory-traversal attack

From: Russell Harding (hardingrat_private)
Date: Mon Jul 28 2003 - 10:24:52 PDT

    I am always somewhat wary of posted packet dumps.
    
      However, I would imagine that if you posted to a large list such as the
    incidents list or bugtraq, with a malicious packet dump, you would be
    found out quickly, and someone would notify the list.
    
      As a precaution, I personally use tcpdump -r <dumpfile> to read the
    file, and display the contents.  I look for strange protocols which have
    nothing to do with the trace, and will be wary of those.  Many of the
    security holes in ethereal are in lesser known protocols than http.
    
      Regardless, here is the packet dump:
        http://www.cunap.com/~hardingr/attack3.dump
    
        -Russell
    
    On Sun, 27 Jul 2003, sa7ori wrote:
    
    > posts like that you should be wary of.
    >
    >
    >
    > ---
    > "The strong give up and move on, while the weak give up and stay."
    > ---
    >
    > On Fri, 25 Jul 2003, Jason Falciola wrote:
    >
    > > On 14 Jul 2003 17:35:36 -0000, sgt_b <sgt_b2002at_private> wrote:
    > > >
    > > >
    > > > I've included a link to a tcpdump taken that shows a standard IIS
    > > > directory-traversal attack. I was looking over the packets and noticed a
    > >
    > > > reference to www.google.com. Could someone take a look, and let me know
    > > > what this is being used for?
    > > >
    > > > http://12.208.102.165/attack3.dump
    > > > atack3.dump=1.6kb
    > >
    > > Anyone have a copy of the tcpdump file?  The link is dead.
    > >
    > > Thanks!
    > >
    > > Jason Falciola
    > > Security Intelligence Analyst
    > > IBM Managed Security Services
    > > falciolaat_private
    > >
    > >
    >
    >
    >
    
    
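A defensive triage step in the spirit of Russell's `tcpdump -r` check, as an added example that is not part of the thread: a small Python inventory of a pcap that reads only fixed-offset pcap, Ethernet, IPv4 and TCP/UDP header fields, so the protocols present in an untrusted dump can be listed before the file is opened in a full dissector such as ethereal. The sample pcap is constructed in memory; the `unexpected` helper and the expected set `{("tcp", 80)}` are assumptions for illustration, not anything from the post.

```python
import struct
from collections import Counter
PCAP_MAGIC_LE, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1   # classic libpcap magic (LE) and DLT_EN10MB

def ipv4_frame(proto, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4 frame with a minimal TCP (6) or UDP (17) header."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 1, 0, 64,
                     proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4 + payload   # zero MACs, ethertype 0x0800

def build_pcap(frames):
    """Serialise frames into an in-memory pcap (24-byte global header, 16-byte record headers)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1059400000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

def inventory(pcap_bytes):
    """Count (transport, dst port) per record, reading only fixed-offset header fields."""
    end = {PCAP_MAGIC_LE: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", pcap_bytes[:4])[0])
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap_bytes[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap_bytes):
        incl = struct.unpack(end + "IIII", pcap_bytes[off:off + 16])[2]
        frame = pcap_bytes[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < incl:                       # truncated record: stop, do not guess
            counts[("truncated", None)] += 1
            break
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            counts[("non-ipv4", None)] += 1
            continue
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]   # IHL in 32-bit words; IP protocol byte
        l4 = frame[14 + ihl:]
        if proto in (6, 17) and len(l4) >= 4:
            counts[("tcp" if proto == 6 else "udp", struct.unpack("!H", l4[2:4])[0])] += 1
        else:
            counts[("ip-proto-%d" % proto, None)] += 1
    return counts

def unexpected(counts, expected):
    """Protocol/port keys present in the dump but not in the set the trace claims to cover."""
    return {k for k in counts if k not in expected}
```

Anything `unexpected` returns for a dump that is supposed to show only HTTP is exactly the "strange protocol" the post says to be wary of, and it is found without handing the bytes to a protocol dissector.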
    



    This archive was generated by hypermail 2b30 : Mon Jul 28 2003 - 12:33:45 PDT