North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Pattern matching odd HTTP request

  • From: Jake Khuon
  • Date: Tue Sep 18 15:55:10 2001
  • Action:
  • Dcc:
  • Expires: 
Anyone seeing a lot of these in their webserver logs?

208.202.180.4 - - [18/Sep/2001:11:19:31 -0700] "-" 408 -

I'm attempting to pattern match this on my cisco so I can drop the packets
at the front door.  I can't seem to get a good pattern.  Firing up snoop
yields:

ETHER:  ----- Ether Header -----
ETHER:  
ETHER:  Packet 262 arrived at 11:35:57.88
ETHER:  Packet size = 60 bytes
ETHER:  Destination = 8:0:20:9d:e1:8a, Sun
ETHER:  Source      = 0:1:96:24:c2:41, 
ETHER:  Ethertype = 0800 (IP)
ETHER:  
IP:   ----- IP Header -----
IP:   
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:   Total length = 40 bytes
IP:   Identification = 19380
IP:   Flags = 0x4
IP:         .1.. .... = do not fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 122 seconds/hops
IP:   Protocol = 6 (TCP)
IP:   Header checksum = 5ca8
IP:   Source address = 208.178.66.12, 208.178.66.12
IP:   Destination address = 208.178.117.2, Espresso.NEEBU.Net
IP:   No options
IP:   
TCP:  ----- TCP Header -----
TCP:  
TCP:  Source port = 3082
TCP:  Destination port = 80 (HTTP)
TCP:  Sequence number = 1100924065
TCP:  Acknowledgement number = 2712346555
TCP:  Data offset = 20 bytes
TCP:  Flags = 0x10
TCP:        ..0. .... = No urgent pointer
TCP:        ...1 .... = Acknowledgement
TCP:        .... 0... = No push
TCP:        .... .0.. = No reset
TCP:        .... ..0. = No Syn
TCP:        .... ...0 = No Fin
TCP:  Window = 8760
TCP:  Checksum = 0x6128
TCP:  Urgent pointer = 0
TCP:  No options
TCP:  
HTTP:  ----- HTTP:   -----
HTTP:  
HTTP:  ""
HTTP:  


           0: 0800 209d e18a 0001 9624 c241 0800 4500    .. ......$.A..E.
          16: 0028 4bb4 4000 7a06 5ca8 d0b2 420c d0b2    .([email protected]\...B...
          32: 7502 0c0a 0050 419e c4a1 a1ab 1fbb 5010    u....PA.......P.
          48: 2238 6128 0000 0000 0000 0000              "8a(........


--
/*====================[ Jake Khuon <[email protected]> ]======================+
 | Chief Global Data Network Management Architect      /~_ |_ () |3 /-\ |_ |
 | VOX: +1 (425) 391-2262  Fax: +1 (425) 391-6772      \_| C R O S S I N G |
 +=============[ 900 4th. Ave., Floor 12, Seattle, WA  98164 ]=============*/