Snort mailing list archives

Re: WEB-ATTACKS id command attempt

From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 15 Apr 2002 12:10:50 -0700 (PDT)

On Mon, 15 Apr 2002, John-Magne Bredal wrote:

I get an awful lot of these alarms on the network I am monitoring. Does
anyone know what this alert actually tells me (there are no reference in
ACID which I am using), and perhaps a reason why there are so many alerts?
They come from a relatively little amount of boxes, but those boxes are
spamming madly though.

Anyone that can inform me :)


Take a look at the actual packet payload and see what's going on.  From the
way the rule looks:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-ATTACKS id command
attempt"; flags:A+; content:"\;id";nocase; sid:1333; rev:1;
classtype:web-application-attack;)

It _could_ be a false positive.  But--You can't be sure without digging into
the packet and checking it out.

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

WEB-ATTACKS id command attempt John-Magne Bredal (Apr 15)
- Re: WEB-ATTACKS id command attempt Erek Adams (Apr 15)
- <Possible follow-ups>
- RE: WEB-ATTACKS id command attempt Gray . Brendan (Apr 15)
  - Re: WEB-ATTACKS id command attempt Phil Wood (Apr 15)
- Re: WEB-ATTACKS id command attempt Piotr Bulczak (Apr 15)