Snort mailing list archives
RE: IDS126/X11_OUTGOING_XTERM ?
From: "Jordi Vila" <jvm () gtd es>
Date: Thu, 13 Jun 2002 17:33:36 +0200
Hello Hilton. On my network this occurs often. It seems that somebody on your internal network is connecting to a X server. The firewall recognizes the XDMCP protocol used by your internal client, and it opens the required connections to allow the external X server connect to the internal client and establish a X session. Just my 0.02 Euro
-----Mensaje original----- De: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]En nombre de Hilton De Meillon Enviado el: jueves, 13 de junio de 2002 16:42 Para: Snort-users (E-mail) Asunto: [Snort-users] IDS126/X11_OUTGOING_XTERM ? Hey all, I get this sig popping up often: [**] [1:1227:2] X11 outbound client connection detected [**] [Classification: Misc activity] [Priority: 3] 06/13-17:23:19.974611 xxx.xxx.xx.x:6000 -> 64.4.13.218:1863 TCP TTL:128 TOS:0x0 ID:61991 IpLen:20 DgmLen:40 DF ***A**** Seq: 0xB4D598E3 Ack: 0x18A95242 Win: 0x3C86 TcpLen: 20 [Xref => http://www.whitehats.com/info/IDS126] Thing is the destination is pointing to a hotmail host. 64.4.13.218 is msgr-cs110.msgr.hotmail.com. the source address is from our M$ ISA firewall. Any comments ??. Regards, Hilton De Meillon "Common sense is the collection of prejudices acquired by age eighteen." - Albert Einstein _______________________________________________________________ Don't miss the 2002 Sprint PCS Application Developer's Conference August 25-28 in Las Vegas -
http://devcon.sprintpcs.com/adp/index.cfm?source=osdntextlink _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users _______________________________________________________________ Don't miss the 2002 Sprint PCS Application Developer's Conference August 25-28 in Las Vegas - http://devcon.sprintpcs.com/adp/index.cfm?source=osdntextlink _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- IDS126/X11_OUTGOING_XTERM ? Hilton De Meillon (Jun 13)
- RE: IDS126/X11_OUTGOING_XTERM ? Jordi Vila (Jun 13)