CRAP in http payload - a discussion in the comp.unix.bsd.openbsd.misc forums, part of the OpenBSD category.
Dear all,

I am not sure whether the following snapshot captured in snort is an intrusion pattern in an http connection:

07/26-17:27:41.796540 192.168.1.20:1077 -> 218.189.120.80:8888
TCP TTL:64 TOS:0x0 ID:9507 IpLen:20 DgmLen:95 DF
***AP*** Seq: 0x755922F2  Ack: 0x8A8C74F3  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 66848723 2170190
0x0000: 00 02 B3 8A C9 8A 00 01 02 00 68 BD 08 00 45 00  ..........h...E.
0x0010: 00 5F 25 23 40 00 40 06 EC AB C0 A8 01 14 DA BD  ._%#@.@.........
0x0020: 8C 50 04 35 22 B8 75 59 22 F2 8A 8C 74 F3 80 18  .P.5".uY"...t...
0x0030: 16 D0 1C 3B 00 00 01 01 08 0A 03 FC 07 D3 00 21  ...;...........!
0x0040: 1D 4E 50 4F 53 54 20 2F 69 6E 64 65 78 2E 68 74  .NPOST /index.ht
0x0050: 6D 6C 3F 63 72 61 70 3D 31 30 35 39 32 31 30 34  ml?crap=10592104

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/26-17:27:41.796587 192.168.1.20:1077 -> 218.189.120.80:8888
TCP TTL:64 TOS:0x0 ID:9508 IpLen:20 DgmLen:56 DF
***AP*** Seq: 0x7559231D  Ack: 0x8A8C74F3  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 66848723 2170190
0x0000: 00 02 B3 8A C9 8A 00 01 02 00 68 BD 08 00 45 00  ..........h...E.
....skipping...
0x0040: 1D 52 47 45 54 20 2F 69 6E 64 65 78 2E 68 74 6D  .RGET /index.htm
0x0050: 6C 3F 63 72 61 70 3D 31 30 35 39 32 31 30 34 37  l?crap=105921047

Something I found strange in the payload is the crap=1059.... in both captures. Is this weird?

Thanks
sam
"sam" <samwun@hgcbroadband.com> wrote in message news:bftid9$2tvd$1@news.hgc.com.hk...
> Dear all,

Hi

> Something I found strange in the payload is the crap=1059.... in both
> captures. Is this weird?

Hmz.. Interesting. Did some googling; try looking here.
http://www.google.com/search?q=url+%...html%3Fcrap%22
The second result (pretty huge) gives loads of results on `crap`

$ egrep 'index.html|crap' 2002.txt |wc -l
61

Seems to be some sort of proxy / http_write request.

--
-[ ViPER - viper@dmrt.net
-[ http://www.dmrt.net
-[ http://www.securitydatabase.net
-[ I am kept in place by G-forces, not seatbelts
I just found that the http.c is in httptunnel. I found the "crap" code already.

thanks
sam

"sam" <samwun@hgcbroadband.com> wrote in message news:bgls17$kjb$1@news.hgc.com.hk...
> but I can't find this coding in the current apache source:
>
> [root@redhat local]# cd apache_1.3.28/
> [root@redhat apache_1.3.28]# !find
> find . -type f -print | xargs -n 1 grep -i crap
> crap required to do normal file serving. Place directives such as:
> char *scrap_book;
> scrap_book = ap_pstrdup(r->pool, r->filename);
> scrap_book++;
> last_slash = strrchr(scrap_book, '/');
> metafilename = ap_pstrcat(r->pool, "/", scrap_book, "/",
> * pipes, symlinks, and crap like that.
> /* Fix two really crap problems with Win32 spawn[lv]e*:
> [root@redhat apache_1.3.28]#
>
> thanks
> sam
>
> "Bas Keur" <viper@dmrt.net> wrote in message
> news:3f25c788$0$147$e4fe514c@dreader5.news.xs4all.nl...
> >
> > "sam" <samwun@hgcbroadband.com> wrote in message
> > news:bftid9$2tvd$1@news.hgc.com.hk...
> > > Dear all,
> >
> > Hi
> >
> > > Something I found strange in the payload is the crap=1059.... in both
> > > captures. Is this weird?
> >
> > Hmz.. Interesting. Did some googling; try looking here.
> > http://www.google.com/search?q=url+%...html%3Fcrap%22
> > The second result (pretty huge) gives loads of results on `crap`
> >
> > $ egrep 'index.html|crap' 2002.txt |wc -l
> > 61
> >
> > Seems to be some sort of proxy / http_write request.
> >
> >
> > --
> > -[ ViPER - viper@dmrt.net
> > -[ http://www.dmrt.net
> > -[ http://www.securitydatabase.net
> > -[ I am kept in place by G-forces, not seatbelts
> >
> >
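Anyone wanting to pick this traffic out of further snort dumps can do it with a short script like the one below. This is an added example written for this thread; it is not code from the posts above and not httptunnel's own code. SAMPLE_DUMP is the first packet from sam's post, copied as printed (only offsets 0x0000 to 0x0050 were shown, so the request line stops mid-number), and the URL shape it matches (GET or POST to /index.html?crap=<digits>) is taken from the two captures in the thread, which sam traced to httptunnel's http.c. The header walk uses the IHL and TCP data-offset fields rather than fixed sizes, because this capture carries 12 bytes of TCP options (NOP NOP TS) and a fixed 20-byte assumption would land in the middle of the timestamp instead of at "POST".

```python
"""Pull the HTTP request line out of a snort packet dump and check it
against the URL shape seen in this thread (GET/POST /index.html?crap=N).

Added example for this thread: not code from the posts and not
httptunnel's own code. SAMPLE_DUMP is the first packet from sam's post,
copied as printed (only 0x0000-0x0050 were shown, so the request line
is cut off mid-number).
"""
import re

# One snort hex-dump line: "0xNNNN:" then up to 16 hex pairs, then an
# ASCII column. Assumption: if a line held fewer than 16 bytes and its
# ASCII column began with two hex-looking characters they would be
# swallowed; every line in the sample is a full 16 bytes, so this does
# not arise here.
HEX_LINE = re.compile(r"^0x([0-9A-Fa-f]{4}):((?:\s+[0-9A-Fa-f]{2}){1,16})")

# Request-line shape of the two captures in the thread. Only one digit
# is required so that a dump truncated mid-number still matches.
HTTPTUNNEL_URL = re.compile(rb"^(?:GET|POST) /index\.html\?crap=\d+")

# First packet from the original post, verbatim (constructed test input
# for this example in the sense that it is pasted in rather than read
# from a live capture).
SAMPLE_DUMP = """\
0x0000: 00 02 B3 8A C9 8A 00 01 02 00 68 BD 08 00 45 00 ..........h...E.
0x0010: 00 5F 25 23 40 00 40 06 EC AB C0 A8 01 14 DA BD ._%#@.@.........
0x0020: 8C 50 04 35 22 B8 75 59 22 F2 8A 8C 74 F3 80 18 .P.5".uY"...t...
0x0030: 16 D0 1C 3B 00 00 01 01 08 0A 03 FC 07 D3 00 21 ...;...........!
0x0040: 1D 4E 50 4F 53 54 20 2F 69 6E 64 65 78 2E 68 74 .NPOST /index.ht
0x0050: 6D 6C 3F 63 72 61 70 3D 31 30 35 39 32 31 30 34 ml?crap=10592104
"""


def parse_hexdump(text):
    """Rebuild the frame bytes from dump lines. Offsets are checked so a
    gap in the dump (snort prints '....skipping...') raises instead of
    silently shifting every later byte."""
    data = bytearray()
    for raw in text.splitlines():
        m = HEX_LINE.match(raw.strip())
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(data):
            raise ValueError(f"dump gap before offset 0x{offset:04X}")
        data += bytes.fromhex("".join(m.group(2).split()))
    return bytes(data)


def tcp_payload(frame):
    """Strip Ethernet II, IPv4 and TCP headers. Header lengths come from
    the IHL and data-offset fields, not fixed sizes: this capture has
    12 bytes of TCP options (NOP NOP TS), so TCP data starts at 66."""
    eth_len = 14
    if len(frame) < eth_len + 20 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4-over-Ethernet frame")
    ip = eth_len
    if frame[ip] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (frame[ip] & 0x0F) * 4
    if frame[ip + 9] != 6:
        raise ValueError("not TCP")
    tcp = ip + ihl
    if len(frame) < tcp + 20:
        raise ValueError("truncated TCP header")
    doff = (frame[tcp + 12] >> 4) * 4
    return frame[tcp + doff:]


def request_line(frame):
    """First line of the HTTP request carried in the frame (b'' if none)."""
    return tcp_payload(frame).split(b"\r\n", 1)[0]


def looks_like_httptunnel(frame):
    """True when the request line has the /index.html?crap=<digits> shape."""
    return HTTPTUNNEL_URL.match(request_line(frame)) is not None


def with_payload(frame, payload):
    """Same Ethernet/IP/TCP headers, different TCP payload. Used to build
    a contrasting ordinary request; the IP length and checksums are left
    stale because nothing above reads them."""
    header_len = len(frame) - len(tcp_payload(frame))
    return frame[:header_len] + payload


if __name__ == "__main__":
    frame = parse_hexdump(SAMPLE_DUMP)
    print(request_line(frame), looks_like_httptunnel(frame))
    plain = with_payload(frame, b"GET /index.html HTTP/1.0\r\nHost: example\r\n\r\n")
    print(request_line(plain), looks_like_httptunnel(plain))
```

Run on the pasted dump it reports the truncated request line `POST /index.html?crap=10592104` as a match, and the same headers with an ordinary `GET /index.html HTTP/1.0` as a non-match. The offset check in parse_hexdump matters for the second packet in the post, whose dump jumps from 0x0000 to 0x0040: feeding that in raises rather than producing a frame whose "payload" is really header bytes.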