Snort mailing list archives
RE: Would you suspect?
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Thu, 11 Apr 2002 12:27:03 -0400
Not necessarily. This could be someone trying to list a virtual directory, but in many cases it could be someone using a script or scanning utility crawling your site. This generates a lot of 403's. If it's occurring many times from one source, this might indicate a scanner/crawler being used by that source. If it's occurring from MANY sources and only a few times for each source, it may indicate you have a problem on your site... such as a bad link sending people to a page where they don't have permission to view.

Paul Sheahan
Manager of Information Security
Priceline.com
paul.sheahan () priceline com

-----Original Message-----
From: Ronneil Camara [mailto:ronneilc () remingtonltd com]
Sent: Thursday, April 11, 2002 3:20 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Would you suspect?

Hi guys,

I am receiving a lot of alerts from my snort, WEB-MISC 403 Forbidden. The source is actually our web server going to a public ip address. Would you suspect that the destination ip is trying to hopefully, make a dir listing of our virtual directory? What's your analysis?

Thanks.

-neil

000 : 48 54 54 50 2F 31 2E 31 20 34 30 33 20 41 63 63   HTTP/1.1 403 Acc
010 : 65 73 73 20 46 6F 72 62 69 64 64 65 6E 0D 0A 53   ess Forbidden..S
020 : 65 72 76 65 72 3A 20 4D 69 63 72 6F 73 6F 66 74   erver: Microsoft
030 : 2D 49 49 53 2F 35 2E 30 0D 0A 44 61 74 65 3A 20   -IIS/5.0..Date: 
040 : 54 68 75 2C 20 31 31 20 41 70 72 20 32 30 30 32   Thu, 11 Apr 2002
050 : 20 30 37 3A 31 34 3A 32 36 20 47 4D 54 0D 0A 43    07:14:26 GMT..C
060 : 6F 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65   onnection: close
070 : 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20   ..Content-Type: 
080 : 74 65 78 74 2F 68 74 6D 6C 0D 0A 43 6F 6E 74 65   text/html..Conte
090 : 6E 74 2D 4C 65 6E 67 74 68 3A 20 31 37 32 0D 0A   nt-Length: 172..
0a0 : 0D 0A 3C 68 74 6D 6C 3E 3C 68 65 61 64 3E 3C 74   ..<html><head><t
0b0 : 69 74 6C 65 3E 44 69 72 65 63 74 6F 72 79 20 4C   itle>Directory L
0c0 : 69 73 74 69 6E 67 20 44 65 6E 69 65 64 3C 2F 74   isting Denied</t
0d0 : 69 74 6C 65 3E 3C 2F 68 65 61 64 3E 0A 3C 62 6F   itle></head>.<bo
0e0 : 64 79 3E 3C 68 31 3E 44 69 72 65 63 74 6F 72 79   dy><h1>Directory
0f0 : 20 4C 69 73 74 69 6E 67 20 44 65 6E 69 65 64 3C    Listing Denied<
100 : 2F 68 31 3E 54 68 69 73 20 56 69 72 74 75 61 6C   /h1>This Virtual
110 : 20 44 69 72 65 63 74 6F 72 79 20 64 6F 65 73 20    Directory does 
120 : 6E 6F 74 20 61 6C 6C 6F 77 20 63 6F 6E 74 65 6E   not allow conten
130 : 74 73 20 74 6F 20 62 65 20 6C 69 73 74 65 64 2E   ts to be listed.
140 : 3C 2F 62 6F 64 79 3E 3C 2F 68 74 6D 6C 3E         </body></html>

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
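
Added example, not part of the original thread: a Python sketch of the triage described in the reply above, counting WEB-MISC 403 Forbidden alerts per client to tell one heavy source (scanner/crawler) from many light sources (bad link). The alert line layout, the placeholder sid, the addresses and the thresholds are all assumptions constructed for illustration.

```python
import re
from collections import Counter

# Matches the alert named in the thread; the rest of the line layout is an
# assumption modelled on Snort's one-line "fast" alert output.
ALERT_RE = re.compile(
    r"WEB-MISC 403 Forbidden .*\{TCP\} [\d.]+:\d+ -> (?P<client>[\d.]+):\d+")

def make_alert(client, port):
    """Build one constructed alert line (placeholder sid, documentation IPs)."""
    return ("04/11-07:14:26.000000  [**] [1:0:0] WEB-MISC 403 Forbidden [**] "
            f"[Priority: 2] {{TCP}} 192.0.2.10:80 -> {client}:{port}")

# Constructed samples: one client hit 25 times, and 12 clients hit twice each.
SCANNER_SAMPLE = [make_alert("198.51.100.7", 40000 + i) for i in range(25)]
BAD_LINK_SAMPLE = [make_alert(f"203.0.113.{h}", 50000 + h)
                   for h in range(1, 13) for _ in range(2)]

def count_403_by_client(lines):
    """The 403 is a server response, so the client is the alert's destination."""
    counts = Counter()
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            counts[m.group("client")] += 1
    return counts

def triage(counts, heavy=20, light=3, many_sources=10):
    """Thresholds are illustrative assumptions; tune them to the site."""
    scanners = sorted(ip for ip, n in counts.items() if n >= heavy)
    light_sources = [ip for ip, n in counts.items() if n <= light]
    return {"likely_scanners": scanners,
            "possible_bad_link": len(light_sources) >= many_sources}

if __name__ == "__main__":
    for name, sample in (("scanner", SCANNER_SAMPLE), ("bad link", BAD_LINK_SAMPLE)):
        print(name, triage(count_403_by_client(sample)))
```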