Snort mailing list archives
Re: please help ID payload info
From: Robby Desmond <rdesmond () els ucsb edu>
Date: Tue, 15 Oct 2002 10:00:18 -0700
At 09:46 AM 10/15/02 -0600, Randy Bey wrote:
> I am getting a WEB-MISC /etc/passwd hit occasionally, and it has me worried. How the heck are they getting what looks like the contents of the /etc directory?
To me, it looks like Snort is sniffing traffic related to system administration tasks. My box doesn't fire when FreeBSD emails me the nightly alerts, but if your scripts run over the web, then they could trigger it.
> I don't understand how it gets there, I have authentication set up on the server, so a plain old HEAD shouldn't work, but the payload looks like the output of an email that is routinely sent out with the 'ASET' job that I run daily. ASET is a Solaris thingie that does some HIDS stuff.
> Again, I haven't had my Tripwire reports trigger alerts, but it might be because of how they are sent.
> I looked in access_log on the web server and all I see is 401's (authentication required) for all HEAD type requests. So why is this data here?
<SNIP!>

Well, my thinking is that your ASET tool is doing reporting over a channel that Snort monitors. And since the content matches the /etc/passwd rule, it triggers an alert.
I would check to see if the time of the alert corresponds to the time when ASET runs.
Does ASET generate web-based reports by any chance?

-Robby

Robert Desmond
Systems Administrator
UCSB Extended Learning Services
805-893-4906
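Two things Robby's reply boils down to can be checked mechanically: a Snort `content` rule fires on the bytes in the packet, not on whether the web server accepted the request, and a daily job that happens to emit the string over a monitored channel will line up in time with the alerts. The script below is an added example written for this archive page, not code from the thread or from Snort. It approximates the WEB-MISC /etc/passwd signature as a plain case-insensitive substring match (an assumption; the real rule's options are not quoted here), runs it over constructed HTTP payloads, and then parses constructed Snort "fast"-format alert lines to see which ones fall within a few minutes after a daily cron run. The alert lines, the 03:00 cron time, the addresses and the rule id in them are all made up for the example.

```python
"""Added example: why a content rule fires on a report, and how to correlate alerts with a cron job."""
import re
from datetime import datetime, timedelta

# Approximation of the content test in the WEB-MISC /etc/passwd rule:
# a case-insensitive substring match on the packet payload (assumption:
# the rule matches the string anywhere in the payload, so a request body
# or a report that merely names the file fires it just like a real probe).
RULE_CONTENT = b"/etc/passwd"


def content_match(payload: bytes, pattern: bytes = RULE_CONTENT, nocase: bool = True) -> bool:
    """Snort-style `content` check: does the pattern occur anywhere in the payload?"""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    # a genuine probe: the string sits in the URI
    "traversal_probe": b"GET /cgi-bin/view.cgi?f=../../../../etc/passwd HTTP/1.0\r\nHost: www\r\n\r\n",
    # the HEAD that access_log shows as a 401: nothing to match, so no alert from it
    "head_401": b"HEAD /reports/ HTTP/1.0\r\nHost: www\r\n\r\n",
    # a report body that only mentions the file: matches all the same
    "report_post": (b"POST /reports/upload HTTP/1.0\r\nHost: www\r\n\r\n"
                    b"ASET nightly summary\n/etc/passwd: mode 0644 owner root, unchanged\n"),
}


def which_samples_fire() -> dict:
    """Map each constructed sample to whether the content rule would alert on it."""
    return {name: content_match(payload) for name, payload in SAMPLES.items()}


# Snort "fast" alert lines in the MM/DD-HH:MM:SS.usec layout (constructed below).
ALERT_RE = re.compile(
    r"^(?P<mon>\d{2})/(?P<day>\d{2})-(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.\d+\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)


def parse_fast_alert(line: str, year: int = 2002):
    """Return (timestamp, sid, msg) for a fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime(year, int(m["mon"]), int(m["day"]), int(m["h"]), int(m["m"]), int(m["s"]))
    return ts, int(m["sid"]), m["msg"]


def near_cron_run(ts: datetime, cron_hour: int, cron_minute: int, slack: timedelta) -> bool:
    """True if ts falls within `slack` after a daily run at cron_hour:cron_minute.

    The same day's run and the previous day's run are both checked, so a job
    scheduled just before midnight still correlates with alerts after it.
    """
    for day_offset in (0, -1):
        run = ts.replace(hour=cron_hour, minute=cron_minute, second=0, microsecond=0)
        run += timedelta(days=day_offset)
        if timedelta(0) <= ts - run <= slack:
            return True
    return False


def correlate(alert_lines, cron_hour: int, cron_minute: int, slack_minutes: int = 15):
    """For each parsable alert, report whether it lands in the window after the cron run."""
    slack = timedelta(minutes=slack_minutes)
    rows = []
    for line in alert_lines:
        parsed = parse_fast_alert(line)
        if parsed is None:
            continue  # not an alert line; skip rather than fail on junk in the file
        ts, sid, msg = parsed
        rows.append((ts.strftime("%m/%d %H:%M:%S"), sid, msg, near_cron_run(ts, cron_hour, cron_minute, slack)))
    return rows


# Constructed alert lines; the addresses, times and rule id are invented for the example.
ALERTS = [
    "10/14-03:02:11.482913  [**] [1:1122:5] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:41234 -> 192.0.2.20:80",
    "10/15-03:01:58.104221  [**] [1:1122:5] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:41301 -> 192.0.2.20:80",
    "10/15-14:37:05.771004  [**] [1:1122:5] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:2048 -> 192.0.2.20:80",
    "this line is not an alert",
]

if __name__ == "__main__":
    print(which_samples_fire())
    for row in correlate(ALERTS, cron_hour=3, cron_minute=0):
        print(row)
```

Run against a real alert file, the rows marked True are the candidates for "that was the nightly job"; the 14:37 alert from an outside address is the one that still needs a look, because the content match alone cannot tell a report apart from a probe.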
Current thread:
- please help ID payload info Randy Bey (Oct 15)
- Re: please help ID payload info Matt Kettler (Oct 15)
- Re: please help ID payload info Robby Desmond (Oct 17)
- Help with content-list usage - Unable to open list file: Sven_da_duder Sean Wheeler (Oct 17)
- AW: Help with content-list usage - Unable to open list file: Sven_da_duder Sean Wheeler (Oct 17)
- AW: Help with content-list usage - Unable to open list file: Sven_da_duder Sean Wheeler (Oct 17)
- Help with content-list usage - Unable to open list file: Sven_da_duder Sean Wheeler (Oct 17)
- <Possible follow-ups>
- RE: please help ID payload info Randy Bey (Oct 15)
- RE: please help ID payload info twig les (Oct 15)
- RE: please help ID payload info matthew . keay (Oct 17)
- RE: please help ID payload info matthew . keay (Oct 17)