Snort mailing list archives

Re: what does this mean?


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 21 Aug 2002 15:58:14 -0400

It means you have HTTP_SERVERS set to 'any' and the snort sensor false-positived when it saw /rksh as part of a link on a microsoft.com website. (it saw the first part of "/rkshared.js")

Change your HTTP_SERVERS in your snort.conf to only watch your own webservers, unless of course you suspect someone inside your network is likely to launch attacks on outside websites.

At 03:22 PM 8/21/2002 -0400, lisa foreman wrote:

[**] WEB-CGI rksh access [**]
08/21-15:16:12.241065 0:6:5B:CD:F1:44 -> 0:0:C:E:39:55 type:0x800 len:0x1E6
165.x.x.x:1205 -> 207.46.230.220:80 TCP TTL:128 TOS:0x0 ID:17900 IpLen:20
DgmLen:472 DF
***AP*** Seq: 0x9F726659  Ack: 0x2634031F  Win: 0x40B0  TcpLen: 20
47 45 54 20 2F 77 69 6E 64 6F 77 73 32 30 30 30  GET /windows2000
2F 74 65 63 68 69 6E 66 6F 2F 72 65 73 6B 69 74  /techinfo/reskit
2F 65 6E 2F 49 6E 74 77 6F 72 6B 2F 72 6B 73 68  /en/Intwork/rksh
61 72 65 64 2E 6A 73 20 48 54 54 50 2F 31 2E 31  ared.js
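As an added illustration (not part of the post or of Snort itself), the following Python models the two checks Matt describes: the HTTP_SERVERS variable scoping which destinations a WEB-CGI rule applies to, and the substring match that lets "/rksh" hit the start of "/rkshared.js". The rule pattern and the 192.168.10.x server addresses are assumptions for the example.

```python
import ipaddress

# Constructed model of Snort's HTTP_SERVERS scoping, not Snort's own code.
ALERT_URI = "/windows2000/techinfo/reskit/en/Intwork/rkshared.js"  # URI from the quoted alert
DEST_IP = "207.46.230.220"   # microsoft.com web server from the quoted alert
PATTERN = "/rksh"            # assumed, simplified uricontent of the WEB-CGI rksh rule


def parse_http_servers(value):
    """Parse a snort.conf 'var HTTP_SERVERS ...' value.
    'any' means every address (returned as None); '[a,b,...]' is a comma list."""
    if value.strip().lower() == "any":
        return None
    nets = value.strip().strip("[]").split(",")
    return [ipaddress.ip_network(n.strip(), strict=False) for n in nets]


def dest_in_scope(http_servers, dst):
    """True when dst falls inside HTTP_SERVERS (always true for 'any')."""
    if http_servers is None:
        return True
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in http_servers)


def rule_fires(http_servers_value, dst, uri, pattern=PATTERN):
    """Simplified rule evaluation: destination must be an HTTP server and the
    URI must contain the pattern (case-insensitive substring, as uricontent does).
    Ports and flow direction are ignored here to keep the model small."""
    scope = parse_http_servers(http_servers_value)
    return dest_in_scope(scope, dst) and pattern.lower() in uri.lower()


if __name__ == "__main__":
    # Weak setting from the post: every destination counts as a web server.
    print(rule_fires("any", DEST_IP, ALERT_URI))  # True -> the false positive
    # Corrected: only the site's own servers (constructed RFC 1918 addresses).
    print(rule_fires("[192.168.10.5/32,192.168.10.6/32]", DEST_IP, ALERT_URI))  # False
    # A request that actually reaches one of your own servers still alerts.
    print(rule_fires("[192.168.10.5/32]", "192.168.10.5", "/cgi-bin/rksh"))  # True
```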


