Snort mailing list archives
RE: WEB-ATTACKS id command attempt
From: "Gray . Brendan" <bgray2 () drc com>
Date: Mon, 15 Apr 2002 15:39:01 -0400
I have a similar strange issue with that sig. My server is showing up as a source of the alerts, but when I check the payload, it shows my server being the target of a Nimda attack, to which my server responds with a "403 access forbidden" (my servers restrict who can view them by IP address). It alarms me to see my server as the source of an attack, but it seems it isn't really the source. I'm running Snort 1.8.3-5 (Red Hat RPM). I wonder why my server is showing up as a source, when all it's doing is replying with a 403.

Brendan

-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net]
Sent: Monday, April 15, 2002 3:11 PM
To: John-Magne Bredal
Cc: snort
Subject: Re: [Snort-users] WEB-ATTACKS id command attempt

On Mon, 15 Apr 2002, John-Magne Bredal wrote:
> I get an awful lot of these alarms on the network I am monitoring. Does anyone know what this alert actually tells me (there are no references in ACID, which I am using), and perhaps a reason why there are so many alerts? They come from a relatively small number of boxes, but those boxes are spamming madly. Anyone that can inform me :)
Take a look at the actual packet payload and see what's going on. From the way the rule looks:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-ATTACKS id command attempt"; flags:A+; content:"\;id"; nocase; sid:1333; rev:1; classtype:web-application-attack;)

It _could_ be a false positive. But you can't be sure without digging into the packet and checking it out.

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
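To make Erek's point concrete, here is an added example (not from the thread or the Snort project) that re-implements what sid:1333 actually evaluates, header direction, flags:A+ and the case-insensitive content match on the bytes ";id", and runs it over constructed packets; the $HOME_NET/$HTTP_SERVERS bindings and all addresses and payloads are assumptions.

```python
"""Minimal evaluator for the sid:1333 match logic against constructed packets."""
from dataclasses import dataclass

# Assumed variable bindings: $HOME_NET = $HTTP_SERVERS = one web server,
# $EXTERNAL_NET = everything that is not $HOME_NET.
HOME_NET = {"10.0.0.5"}
HTTP_SERVERS = HOME_NET


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str      # TCP flag letters, e.g. "PA" = PSH+ACK
    payload: bytes


def content_hit(payload: bytes) -> bool:
    # content:"\;id"; nocase -> the ';' is escaped only because ';' delimits
    # rule options; the bytes searched for are ";id", case-insensitively.
    return b";id" in payload.lower()


def rule_matches(pkt: Packet) -> bool:
    # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80
    if pkt.src in HOME_NET or pkt.dst not in HTTP_SERVERS or pkt.dport != 80:
        return False
    # flags:A+ -> ACK must be set, any other flags may be present
    if "A" not in pkt.flags:
        return False
    return content_hit(pkt.payload)


# Constructed samples: a real-looking probe, a benign request whose cookie
# happens to contain ";ID" (false positive), and the server's own 403 reply.
SAMPLES = {
    "probe": Packet("203.0.113.7", "10.0.0.5", 40001, 80, "PA",
                    b"GET /cgi-bin/test.cgi?x=;id HTTP/1.0\r\n\r\n"),
    "benign_cookie": Packet("203.0.113.8", "10.0.0.5", 40002, 80, "PA",
                            b"GET /index.html HTTP/1.0\r\nCookie: S=abc;ID=42\r\n\r\n"),
    "server_403": Packet("10.0.0.5", "203.0.113.7", 80, 40001, "PA",
                         b"HTTP/1.0 403 Forbidden\r\n\r\nRequest for /test.cgi?x=;id denied"),
    "clean": Packet("203.0.113.9", "10.0.0.5", 40003, 80, "PA",
                    b"GET /robots.txt HTTP/1.0\r\n\r\n"),
}


def classify() -> dict:
    """Return {name: fired?} so the header and content checks can be compared."""
    return {name: rule_matches(pkt) for name, pkt in SAMPLES.items()}
```

The 403 reply carries the ";id" bytes in its body but never fires, because the rule's header part requires destination port 80 and an $EXTERNAL_NET source; the cookie request fires with no attack present, which is why inspecting the payload is the only way to tell.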
Current thread:
- WEB-ATTACKS id command attempt John-Magne Bredal (Apr 15)
- Re: WEB-ATTACKS id command attempt Erek Adams (Apr 15)
- <Possible follow-ups>
- RE: WEB-ATTACKS id command attempt Gray . Brendan (Apr 15)
- Re: WEB-ATTACKS id command attempt Phil Wood (Apr 15)
- Re: WEB-ATTACKS id command attempt Piotr Bulczak (Apr 15)