RE: Unusual http traffic

[Fraser Hugh <hugh_fraser () dofasco ca>]

They're from an IIS server.

> -----Original Message-----
> From: Chris Green [mailto:cmg () uab edu]
> Sent: Monday, October 22, 2001 5:01 PM
> To: Fraser Hugh
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Unusual http traffic
>
>
> Fraser Hugh <hugh_fraser () dofasco ca> writes:
>
> > 1.  (*) text/plain          ( ) text/html           
> >
> > I've turned off the Code Red and Nimda alert rules since we've
> > comfortable with our ability to deal with those on the servers
> > themselves. It's more the balance of the URL that looked unusual.
>
> Is your webserver where you got those logs from?  It really looks like
> your webserver is interpreting the extra characters that form the /../
> part as TLS/SSL control commands.
>
> What webserver is that?
>
> If you turned off the rules, you're not going to see that. Cmd.exe
> rules catch common attacks from several differnt types and not just
> code red but they certainly aren't 100% reliable.
> -- 
> Chris Green <cmg () uab edu>
> I've had a perfectly wonderful evening. But this wasn't it.
>      -- Groucho Marx

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users