Re: Odd string in packet...

From: Frank de Lange (secf-frank@unternet.org)
Date: 01/25/02


Date: Fri, 25 Jan 2002 18:01:23 +0100
From: Frank de Lange <secf-frank@unternet.org>
To: "Grimes, Shawn (NIA/IRP)" <GrimesSh@grc.nia.nih.gov>

On Fri, Jan 25, 2002 at 08:51:54AM -0500, Grimes, Shawn (NIA/IRP) wrote:
> This may be normal but who knows. I picked up the following alert today:
...
> 220 : 7D 7C 7C 7C 7B 7B 7B 7A 7A 7A 79 79 79 78 78 78 }|||{{{zzzyyyxxx
> 230 : 77 77 77 76 76 76 75 75 75 74 74 74 73 73 73 72 wwwvvvuuutttsssr
> 240 : 72 72 71 71 71 70 70 70 6F 6F 6F 6E 6E 6E 6D 6D rrqqqpppooonnnmm
...
> Could this be a normal http/webmail packet? But it almost seems to me that
> someone reversed the alphabet to maybe bypass some intrusion detection
> systems that would pick up on it in the packet? Any ideas? Below is the
> full packet contents.

Looks like part of an image file to me, probably it is just (part of) a .gif or
.png. I get these alerts in snort all the time. I view them in the same light
as the 'x86 shellcode' alert, which pops up every now and then in an image file
which contains some 'NOP opcodes'.

Cheers//Frank

-- 
  WWWWW      _______________________
 ## o o\    /     Frank de Lange     \
 }#   \|   /                          \
  ##---# _/     <Hacker for Hire>      \
   ####   \      +31-320-252965        /
           \ secf-frank@unternet.org  /
            -------------------------
 [ "Omnis enim res, quae dando non deficit, dum habetur
    et non datur, nondum habetur, quomodo habenda est."  ]

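Checking Frank's reading mechanically, as an added example that is not part of the thread: parse the three snort hex-dump lines quoted in the alert and measure how long the byte values keep descending in steps of at most one. Rendered text breaks such a run within a few bytes; a smooth tone gradient in image data sustains it, which is exactly what the dump shows.

```python
import re

# The three snort hex-dump lines reproduced in the alert (offset, 16 hex
# bytes, ASCII rendering); nothing else from the dump is on this page.
DUMP_LINES = [
    "220 : 7D 7C 7C 7C 7B 7B 7B 7A 7A 7A 79 79 79 78 78 78 }|||{{{zzzyyyxxx",
    "230 : 77 77 77 76 76 76 75 75 75 74 74 74 73 73 73 72 wwwvvvuuutttsssr",
    "240 : 72 72 71 71 71 70 70 70 6F 6F 6F 6E 6E 6E 6D 6D rrqqqpppooonnnmm",
]

# Offset, colon, then up to 16 two-digit hex bytes each followed by a space.
# The ASCII column is only a rendering of the same bytes and is ignored
# (assumption: it never starts with hex-looking pairs such as "ab cd").
LINE_RE = re.compile(r"^\s*\d+\s*:\s*((?:[0-9A-Fa-f]{2}\s){1,16})")

def parse_dump(lines):
    """Concatenate the payload bytes from snort-style hex-dump lines."""
    out = bytearray()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            out.extend(int(h, 16) for h in m.group(1).split())
    return bytes(out)

def longest_descending_run(data, max_step=1):
    """Longest stretch in which every byte equals, or is at most max_step
    below, the byte before it. Returns 0 for an empty payload."""
    if not data:
        return 0
    best = run = 1
    for prev, cur in zip(data, data[1:]):
        run = run + 1 if 0 <= prev - cur <= max_step else 1
        best = max(best, run)
    return best

def classify(data, min_run=16):
    """Summarise the payload the way a triage note would: size, whether the
    bytes happen to be printable, and whether a gradient-length run exists."""
    run = longest_descending_run(data)
    return {
        "bytes": len(data),
        "all_printable": all(0x20 <= b < 0x7F for b in data),
        "longest_run": run,
        "gradient": run >= min_run,
    }

if __name__ == "__main__":
    print(classify(parse_dump(DUMP_LINES)))
```

The 48 quoted bytes form a single descending run of 48, which is why the ASCII column reads as a reversed alphabet even though no text was involved.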
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
