Snort mailing list archives

Re: WEB-IIS MISC forbidden


From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 15 Mar 2002 18:36:06 -0500

Both of the mentioned rules are designed to trigger in response to denial messages from a web server sent back to a browser.

I'm going to use X to refer to the machine at IP address x.x.x.x and Y to refer to the machine at y.y.y.y.

The most likely case is that a web browser at Y tried to access a webserver at X and X sent back an error message.

It is entirely possible that someone deliberately sent a packet containing that message from X to Y, but there really would not be any point to it. Why would an attacker generate a forged "access denied" message and send it to a network? I guess you could do this in an attempt to block someone's access to a valid website, but that hardly seems useful.

Thus I STRONGLY suspect that X is a real webserver and Y tried to access a page that X decided they were not allowed to access. There is little sense in any other case, and it certainly would not allow X to conduct any kind of significantly useful network attack on Y.

I personally keep these rules disabled. Do I really care how often one of my users tries to access an outside website and is told to go away? I mean, this is so common that I'd get 10+ hits a day out of a smallish network. If I want that information about my own webserver, I can always check the server logs, and it will contain more detail.

It's really up to you to determine which rules are useful to you, but a lot of the rules which indicate relatively ordinary error messages I eliminate from my ruleset (many of the rules fall into this category for me like TTL exceeded, echo-request, echo-reply, gnutella/napster/icq/aim/whatever).

At 11:01 PM 4/12/2002 -0700, Gongya Yu wrote:
Can anyone make a point to this for me?

[**] WEB-MISC 403 Forbidden [**]
08/26-15:06:23.980458 x.x.x.x:80-> y.y.y.y:4415
TCP TTL:128 TOS:0x0 ID:8823 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x844F6263 Ack: 0xC9FE43 Win: 0x443D TcpLen: 32
TCP Options (3) => NOP NOP TS: 8879756 12737173

[**] WEB-IIS Unauthorized IP Access Attempt [**]
08/26-15:06:23.980578 x.x.x.x:80-> y.y.y.y:4415
TCP TTL:128 TOS:0x0 ID:8824 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x844F680B Ack: 0xC9FE43 Win: 0x443D TcpLen: 32
TCP Options (3) => NOP NOP TS: 8879756 12737173

Does x.x.x.x generate these actively, or is it triggered by y.y.y.y and then generates these alerts?

What I mean is:
1. y.y.y.y tries to access x.x.x.x on port 80 from source port 4415, then x.x.x.x responds with this alert?

2. Or x.x.x.x just tries to access y.y.y.y without any trigger from y.y.y.y?

   Thanks in advance!!!
Snort user


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
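As an added example (not code from the thread or from the Snort project), a small Python parser for alert records in the full-alert format quoted above. It applies Matt's reading of the headers: an ACK-only segment sent from port 80 to a high client port is the server's reply, so the "source" address on the alert is the responder (X), not the host that initiated the connection (Y). The sample records are the two alerts from the thread, embedded as constructed input; the port-range and flag heuristic in is_response is an assumption, not a Snort feature.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two alert records quoted in the thread (full-alert format).
SAMPLE_ALERTS = """\
[**] WEB-MISC 403 Forbidden [**]
08/26-15:06:23.980458 x.x.x.x:80-> y.y.y.y:4415
TCP TTL:128 TOS:0x0 ID:8823 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x844F6263 Ack: 0xC9FE43 Win: 0x443D TcpLen: 32
TCP Options (3) => NOP NOP TS: 8879756 12737173

[**] WEB-IIS Unauthorized IP Access Attempt [**]
08/26-15:06:23.980578 x.x.x.x:80-> y.y.y.y:4415
TCP TTL:128 TOS:0x0 ID:8824 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x844F680B Ack: 0xC9FE43 Win: 0x443D TcpLen: 32
TCP Options (3) => NOP NOP TS: 8879756 12737173
"""

# One record = message line, timestamp/address line, IP header line, TCP flags line.
# The flags field is Snort's fixed 8-column string in the order 1 2 U A P R S F.
RECORD_RE = re.compile(
    r"\[\*\*\]\s*(?P<msg>.+?)\s*\[\*\*\]\n"
    r"\S+\s+(?P<src>[^\s:]+):(?P<sport>\d+)\s*->\s*(?P<dst>[^\s:]+):(?P<dport>\d+)\n"
    r".*\n"                                   # IP header line (TTL, TOS, ID, ...)
    r"(?P<flags>[12UAPRSF*]{8})\s+Seq:")

@dataclass
class Alert:
    msg: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str

    def is_response(self) -> bool:
        # Assumed heuristic: ACK set, no SYN, well-known service port -> ephemeral
        # port. That is a server answering a client, not a connection initiator.
        return "A" in self.flags and "S" not in self.flags and self.sport < 1024 <= self.dport

    def describe(self) -> str:
        # Name the initiator and responder instead of repeating src/dst verbatim.
        if self.is_response():
            return f"{self.dst}:{self.dport} requested, {self.src}:{self.sport} replied"
        return f"{self.src}:{self.sport} sent to {self.dst}:{self.dport}"

def parse_alerts(text: str) -> list[Alert]:
    return [Alert(m["msg"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])
            for m in RECORD_RE.finditer(text)]
```

Running describe() over the sample yields "y.y.y.y:4415 requested, x.x.x.x:80 replied" for both records, which is the case Matt describes as most likely.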
