Snort mailing list archives

RE: WEB-ATTACKS id command attempt


From: "Gray . Brendan" <bgray2 () drc com>
Date: Mon, 15 Apr 2002 15:39:01 -0400

I have a similar strange issue with that sig.  My server is showing up as a
source of the alerts, but when I check the payload, it shows my server being
the target of a nimda attack, to which my server responds with a "403
access forbidden" (my servers restrict who can view them by IP address).

It alarms me to see my server as the source of an attack, but it seems it
isn't really the source.  I'm running Snort 1.8.3-5 (Red Hat RPM).  I wonder
why my server is showing up as a source, when all it's doing is replying with
a 403.

Brendan



-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net]
Sent: Monday, April 15, 2002 3:11 PM
To: John-Magne Bredal
Cc: snort
Subject: Re: [Snort-users] WEB-ATTACKS id command attempt


On Mon, 15 Apr 2002, John-Magne Bredal wrote:

I get an awful lot of these alarms on the network I am monitoring.  Does
anyone know what this alert actually tells me (there is no reference in
ACID, which I am using), and perhaps a reason why there are so many alerts?
They come from a relatively small number of boxes, but those boxes are
spamming madly.

Anyone that can inform me :)

Take a look at the actual packet payload and see what's going on.  From the
way the rule looks:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-ATTACKS id command attempt"; flags:A+; content:"\;id"; nocase; sid:1333; rev:1; classtype:web-application-attack;)

It _could_ be a false positive.  But you can't be sure without digging into
the packet and checking it out.

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
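Erek's advice comes down to judging the alert from the packet header and the bytes around the hit, not from the alert name. The script below is an added example, not code from this thread or from Snort: it emulates the header and content test of sid:1333 on three constructed packets (the $HTTP_SERVERS value, addresses and payloads are all assumed) and reports what ';id' is attached to in each one.

```python
"""Emulates the header and content test of Snort sid:1333 from the thread and
pulls out the context an analyst needs to judge a hit.  All packets below are
constructed samples, not captures."""
from dataclasses import dataclass

PATTERN = b";id"               # the rule writes this as \;id (escaped semicolon)
HTTP_SERVERS = {"192.0.2.10"}  # assumed value of $HTTP_SERVERS

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def header_matches(pkt: Packet) -> bool:
    """tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80, taking $EXTERNAL_NET as
    'not an HTTP server' (an assumption about the sensor's snort.conf)."""
    return pkt.src not in HTTP_SERVERS and pkt.dst in HTTP_SERVERS and pkt.dport == 80

def triage(pkt: Packet) -> dict:
    """What the rule would do with this packet, plus the raw bytes around the
    hit, so an appended ';id' can be told apart from a harmless parameter name."""
    i = pkt.payload.lower().find(PATTERN)      # content:";id"; nocase; on raw bytes
    return {
        "content": i >= 0,
        "header": header_matches(pkt),
        "fires": i >= 0 and header_matches(pkt),
        "first_line": pkt.payload.split(b"\r\n", 1)[0].decode("latin-1"),
        "context": pkt.payload[max(0, i - 24):i + 8].decode("latin-1") if i >= 0 else "",
    }

SAMPLES = {
    # ';id' appended to a query value: the case the rule was written for
    "inject": Packet("203.0.113.5", 40001, "192.0.2.10", 80,
                     b"GET /cgi-bin/search.cgi?q=foo;id HTTP/1.0\r\nHost: www\r\n\r\n"),
    # 'session;ID' is just a parameter name, but nocase makes the rule fire anyway
    "fp": Packet("203.0.113.6", 40002, "192.0.2.10", 80,
                 b"GET /track.gif?session;ID=42 HTTP/1.0\r\nHost: www\r\n\r\n"),
    # the server's 403 echoes the URI back: content hits, the header direction does not
    "reply": Packet("192.0.2.10", 80, "203.0.113.5", 40001,
                    b"HTTP/1.0 403 Forbidden\r\n\r\nNo access to /cgi-bin/search.cgi?q=foo;id\r\n"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, triage(pkt))
```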

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
