Snort mailing list archives

Re: IDS alert


From: "Michael Shirk" <shirkdog_linux () hotmail com>
Date: Mon, 10 May 2004 07:48:36 -0400



<"May 7 19:59:43  snort: [1:1010:5] WEB-IIS encoding access [Classification:
<access to a potentially vulnerable web application] [Priority: 2]: {TCP}
<63.208.194.89:80 -> xxx.xxx.xxx.xxx:2245 "

<Please let me know how I should defend against this alert?  It comes very
<frequently and with different source IPs to different destination IPs.

Not sure folks, this looks like return traffic from the source address. Here is some banner grabbing recon on port 80 of that source address:

Trying 63.208.194.89...
Connected to 63.208.194.89.
Escape character is '^]'.
Get /index.html http/1.1

HTTP/1.0 400 Bad Request
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 161
Expires: Mon, 10 May 2004 11:46:36 GMT
Date: Mon, 10 May 2004 11:46:36 GMT
Connection: close

<HTML><HEAD>
<TITLE>Bad Request</TITLE>
</HEAD><BODY>
<H1>Bad Request</H1>
Your browser sent a request that this server could not understand.<P>
</BODY>
</HTML>
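The point of the reply above is the direction of the flow: the alert names source port 80 on the external host and a high ephemeral port (2245) on the internal side, so the packet is an HTTP response coming back to a local client, not a request aimed at a local IIS server. A small triage helper that reads Snort's syslog/"fast" alert format and flags that pattern is shown below. This is an added example, not code from the original thread or from the Snort project; the first sample line is the alert quoted above with the masked destination replaced by a documentation address, the other two lines and the port table are constructed here for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample alerts in Snort's syslog ("fast") output format.
# Line 1 is the alert from the thread (destination replaced by a
# documentation address); lines 2 and 3 are made up for contrast.
SAMPLE_ALERTS = [
    "May 7 19:59:43  snort: [1:1010:5] WEB-IIS encoding access "
    "[Classification: access to a potentially vulnerable web application] "
    "[Priority: 2]: {TCP} 63.208.194.89:80 -> 192.0.2.10:2245",
    "May 7 20:01:12  snort: [1:1010:5] WEB-IIS encoding access "
    "[Classification: access to a potentially vulnerable web application] "
    "[Priority: 2]: {TCP} 198.51.100.7:4412 -> 192.0.2.20:80",
    "May 7 20:02:55  snort: [1:1002:7] WEB-IIS cmd.exe access "
    "[Classification: Web Application Attack] "
    "[Priority: 1]: {TCP} 198.51.100.9:3391 -> 192.0.2.20:80",
]

# Ports we treat as "web server side" (assumption; adjust to your HTTP_PORTS).
HTTP_PORTS = {80, 8080, 443}

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<pri>\d+)\]:\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one fast-format alert line; return None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return Alert(
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["cls"], priority=int(m["pri"]),
        proto=m["proto"], src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
    )


def classify_direction(a: Alert) -> str:
    """Decide which side of an HTTP exchange the packet belongs to.

    Source port in HTTP_PORTS and an ephemeral destination port means the
    packet is a server's reply to a local client; a destination port in
    HTTP_PORTS means a request aimed at a local web server.
    """
    if a.sport in HTTP_PORTS and a.dport not in HTTP_PORTS:
        return "server_response"
    if a.dport in HTTP_PORTS:
        return "client_request"
    return "unknown"


def triage(lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """Return (sid, src, direction, verdict) for every parseable alert."""
    out = []
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        direction = classify_direction(a)
        if direction == "server_response":
            verdict = "likely return traffic from a web server; check rule direction/flow"
        elif direction == "client_request":
            verdict = "inbound request to a local web server; review"
        else:
            verdict = "direction unclear; inspect packet"
        out.append((a.sid, a.src, direction, verdict))
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
```

The first sample line is classified as `server_response`, which matches the reply's reading: the external host is answering a request that a local client made to port 80. The usual fix on the detection side is to make sure the rule is restricted to client-to-server traffic (in Snort rule syntax, a `$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS` header with `flow:to_server,established`), so responses from CDN hosts do not trip a rule written for requests to IIS.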
