Snort mailing list archives

Re: Should I worry??


From: Chris Adams <chris () improbable org>
Date: Tue, 25 Jun 2002 14:38:44 -0700

On Tuesday, June 25, 2002, at 09:41 , Anthony Scott wrote:
> Received this alert from Snort:
>
> [**] [1:1227:2] X11 outbound client connection detected [**]
> [Classification: Misc activity] [Priority: 3]
> 06/24-10:37:44.575620 192.168.1.18:6000 -> 192.168.1.225:1984
> TCP TTL:128 TOS:0x0 ID:12364 IpLen:20 DgmLen:40 DF
> ***A**** Seq: 0x36B34774 Ack: 0x498A1D12 Win: 0x4470 TcpLen: 20
> [Xref => http://www.whitehats.com/info/IDS126]

It's probably bogus - that rule is extremely false positive prone as it doesn't look for anything specific to X11, just the port number. We get these all the time on our web servers where the random high source port the browser used happens to be in the low 6000s. It'd be a good idea to double-check that someone hasn't installed X on one of those systems before disabling the rule, though.

Chris
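Chris's point, that sid 1227 keys on the port number alone, can be checked against the alert rather than argued about. The Python below is an added example, not code from this thread or from the Snort project: it parses the header lines of a Snort full-format alert, works out which side of the flow holds an X display port, and, when the first TCP payload of that flow is available (from a pcap, for instance), tests whether it looks like an X11 connection setup request or setup reply as defined in the X protocol (byte-order byte, protocol version 11.0), which is the X11-specific content the rule does not look for. The 6000-6063 port range, the function names and the sample alert and payloads are assumptions constructed for the example; the HTTP request stands in for the browser traffic Chris describes.

```python
import re
import struct

# Display :n of an X server listens on TCP 6000+n.  Capping at 64 displays
# is an assumption made for this example, not something the rule states.
X11_PORTS = range(6000, 6064)

# First and third lines of a Snort "full" alert, as quoted in the thread.
ALERT_HEADER = re.compile(
    r"^\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]$")
ALERT_FLOW = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$")


def parse_alert(text):
    """Extract sid, message and the 5-tuple from a full-format alert."""
    lines = [line.strip() for line in text.strip().splitlines()]
    hdr = ALERT_HEADER.match(lines[0]) if lines else None
    flow = next((m for m in map(ALERT_FLOW.match, lines[1:]) if m), None)
    if not hdr or not flow:
        raise ValueError("not a Snort full-format alert")
    return {"sid": int(hdr["sid"]), "msg": hdr["msg"],
            "src": flow["src"], "sport": int(flow["sport"]),
            "dst": flow["dst"], "dport": int(flow["dport"])}


def looks_like_x11_setup(payload):
    """X11 client connection setup request: byte order 'B' (0x42, MSB first)
    or 'l' (0x6c, LSB first), one unused byte, protocol version 11.0, then
    the lengths of the authorization name and data (each padded to 4 bytes)."""
    if len(payload) < 12 or payload[0] not in (0x42, 0x6C):
        return False
    endian = ">" if payload[0] == 0x42 else "<"
    major, minor, name_len, data_len = struct.unpack(endian + "HHHH", payload[2:10])
    pad4 = lambda n: (n + 3) & ~3
    return (major, minor) == (11, 0) and len(payload) >= 12 + pad4(name_len) + pad4(data_len)


def looks_like_x11_setup_reply(payload):
    """X server setup reply: status byte (0 Failed, 1 Success, 2 Authenticate),
    reason length, then version 11.0 in the client's byte order (unknown here,
    so both orders are accepted)."""
    if len(payload) < 8 or payload[0] not in (0, 1, 2):
        return False
    return payload[2:6] in (b"\x00\x0b\x00\x00", b"\x0b\x00\x00\x00")


def triage(alert_text, first_payload=None):
    """Classify a sid 1227 style alert.  With no payload the port-only match
    is undecidable; with the flow's first payload the X11 handshake decides."""
    a = parse_alert(alert_text)
    if a["dport"] in X11_PORTS:
        a["direction"] = "to X display port (client setup request expected)"
        check = looks_like_x11_setup
    elif a["sport"] in X11_PORTS:
        a["direction"] = "from X display port (server reply, or ephemeral-port collision)"
        check = looks_like_x11_setup_reply
    else:
        a["verdict"] = "no X11 port involved"
        return a
    if first_payload is None:
        a["verdict"] = "port-only match, undecidable"
    elif check(first_payload):
        a["verdict"] = "x11 confirmed"
    else:
        a["verdict"] = "likely false positive"
    return a


# --- constructed samples, not captured traffic -------------------------------
PAGE_ALERT = """[**] [1:1227:2] X11 outbound client connection detected [**]
[Classification: Misc activity] [Priority: 3]
06/24-10:37:44.575620 192.168.1.18:6000 -> 192.168.1.225:1984
TCP TTL:128 TOS:0x0 ID:12364 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x36B34774 Ack: 0x498A1D12 Win: 0x4470 TcpLen: 20
"""
# Same alert with the flow reversed, i.e. a client connecting to display :0.
CLIENT_ALERT = PAGE_ALERT.replace("192.168.1.18:6000 -> 192.168.1.225:1984",
                                  "192.168.1.225:1984 -> 192.168.1.18:6000")
# What a browser that happened to pick source port 6000 would actually send.
HTTP_REQUEST = b"GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
# Little-endian X11 setup request carrying an MIT-MAGIC-COOKIE-1 (16-byte cookie).
X11_CLIENT_SETUP = (b"l\x00" + struct.pack("<HHHH", 11, 0, 18, 16) + b"\x00\x00"
                    + b"MIT-MAGIC-COOKIE-1" + b"\x00\x00" + bytes(16))
X11_SERVER_REPLY = b"\x01\x00" + struct.pack("<HHH", 11, 0, 0)  # Success, 11.0

if __name__ == "__main__":
    for name, alert, payload in [("page alert, no payload", PAGE_ALERT, None),
                                 ("page alert, HTTP", PAGE_ALERT, HTTP_REQUEST),
                                 ("page alert, X reply", PAGE_ALERT, X11_SERVER_REPLY),
                                 ("reversed, X setup", CLIENT_ALERT, X11_CLIENT_SETUP)]:
        print(f"{name:24s} -> {triage(alert, payload)['verdict']}")
```

The alert from the thread has the display port on the source side and only ACK set, so without payload the script can only report "port-only match, undecidable", which is exactly the state the rule leaves an analyst in. Feeding it the first payload of the flow (an HTTP request versus an X setup request or reply) is what separates the browser's ephemeral-port collision from a real X connection, and it is also the check to run before deciding the rule is safe to disable.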


