Snort mailing list archives

RE: Would you suspect?


From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Thu, 11 Apr 2002 12:27:03 -0400


Not necessarily. This could be someone trying to list a virtual directory,
but in many cases it could be someone using a script or scanning utility
crawling your site. This generates a lot of 403's. If it's occurring many
times from one source, this might indicate a scanner/crawler being used by
that source. If it's occurring from MANY sources and only a few times for
each source, it may indicate you have a problem on your site, such as a
bad link sending people to a page they don't have permission to view.


Paul Sheahan
Manager of Information Security
Priceline.com
paul.sheahan () priceline com



-----Original Message-----
From: Ronneil Camara [mailto:ronneilc () remingtonltd com]
Sent: Thursday, April 11, 2002 3:20 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Would you suspect?


Hi guys,

I am receiving a lot of alerts from my snort, WEB-MISC 403 Forbidden.
The source is actually our web server going to a public ip address.
Would you suspect that the destination ip is trying to hopefully, make
a dir listing of our virtual directory? What's your analysis?

Thanks. -neil

000 : 48 54 54 50 2F 31 2E 31 20 34 30 33 20 41 63 63   HTTP/1.1 403 Acc
010 : 65 73 73 20 46 6F 72 62 69 64 64 65 6E 0D 0A 53   ess Forbidden..S
020 : 65 72 76 65 72 3A 20 4D 69 63 72 6F 73 6F 66 74   erver: Microsoft
030 : 2D 49 49 53 2F 35 2E 30 0D 0A 44 61 74 65 3A 20   -IIS/5.0..Date: 
040 : 54 68 75 2C 20 31 31 20 41 70 72 20 32 30 30 32   Thu, 11 Apr 2002
050 : 20 30 37 3A 31 34 3A 32 36 20 47 4D 54 0D 0A 43    07:14:26 GMT..C
060 : 6F 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65   onnection: close
070 : 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20   ..Content-Type: 
080 : 74 65 78 74 2F 68 74 6D 6C 0D 0A 43 6F 6E 74 65   text/html..Conte
090 : 6E 74 2D 4C 65 6E 67 74 68 3A 20 31 37 32 0D 0A   nt-Length: 172..
0a0 : 0D 0A 3C 68 74 6D 6C 3E 3C 68 65 61 64 3E 3C 74   ..<html><head><t
0b0 : 69 74 6C 65 3E 44 69 72 65 63 74 6F 72 79 20 4C   itle>Directory L
0c0 : 69 73 74 69 6E 67 20 44 65 6E 69 65 64 3C 2F 74   isting Denied</t
0d0 : 69 74 6C 65 3E 3C 2F 68 65 61 64 3E 0A 3C 62 6F   itle></head>.<bo
0e0 : 64 79 3E 3C 68 31 3E 44 69 72 65 63 74 6F 72 79   dy><h1>Directory
0f0 : 20 4C 69 73 74 69 6E 67 20 44 65 6E 69 65 64 3C    Listing Denied<
100 : 2F 68 31 3E 54 68 69 73 20 56 69 72 74 75 61 6C   /h1>This Virtual
110 : 20 44 69 72 65 63 74 6F 72 79 20 64 6F 65 73 20    Directory does 
120 : 6E 6F 74 20 61 6C 6C 6F 77 20 63 6F 6E 74 65 6E   not allow conten
130 : 74 73 20 74 6F 20 62 65 20 6C 69 73 74 65 64 2E   ts to be listed.
140 : 3C 2F 62 6F 64 79 3E 3C 2F 68 74 6D 6C 3E         </body></html>

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
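
The triage described in the reply above, as an added example that is not part of the original thread: it counts 403 alerts per client and separates "many hits from one source" from "a few hits each from many sources". The alert lines are constructed and only modelled on Snort's fast alert output; the IP addresses, function names and both thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed sample alerts (not from the thread). 192.0.2.10 stands in for the
# web server; the destination of each alert is the client that received the 403.
SAMPLE_ALERTS = "\n".join(
    [f"04/11-07:14:{s:02d}.000000 [**] WEB-MISC 403 Forbidden [**] "
     f"{{TCP}} 192.0.2.10:80 -> 198.51.100.7:{4000 + s}" for s in range(12)]
    + [f"04/11-07:20:{i:02d}.000000 [**] WEB-MISC 403 Forbidden [**] "
       f"{{TCP}} 192.0.2.10:80 -> 203.0.113.{i}:3100" for i in range(1, 9)]
)

# Message between the [**] markers, then "{TCP} src:port -> dst:port".
# An optional [gid:sid:rev] field before the message is tolerated.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+(?:\[[\d:]+\]\s+)?(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{TCP\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+"
)


def count_403_by_client(text, msg_substring="403 Forbidden"):
    """Count 403 response alerts per client (the alert's destination IP)."""
    counts = Counter()
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m and msg_substring in m.group("msg"):
            counts[m.group("dst")] += 1
    return counts


def triage(counts, per_source_threshold=10, many_sources=5):
    """Apply the reply's two cases; both thresholds are assumed and need tuning."""
    heavy = sorted(ip for ip, n in counts.items() if n >= per_source_threshold)
    light = sorted(ip for ip, n in counts.items() if n < per_source_threshold)
    return {
        # Many 403s to one client: look for a scanner or crawler at that source.
        "possible_scanner_or_crawler": heavy,
        # Few 403s each to many clients: look for a bad link or permission on the site.
        "possible_site_problem": len(light) >= many_sources,
        "low_volume_clients": light,
    }


if __name__ == "__main__":
    print(triage(count_403_by_client(SAMPLE_ALERTS)))
```
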
