Snort mailing list archives
Re: IDS alert
From: "Michael Shirk" <shirkdog_linux () hotmail com>
Date: Mon, 10 May 2004 07:48:36 -0400
> "May 7 19:59:43 snort: [1:1010:5] WEB-IIS encoding access [Classification:
> access to a potentially vulnerable web application] [Priority: 2]: {TCP}
> 63.208.194.89:80 -> xxx.xxx.xxx.xxx:2245 "
> Please let me know how should I make defense for this alert? It comes very
> frequently and with different source IP to different destination IP.

Not sure folks, this looks like return traffic from the source address. Here is some banner grabbing recon on port 80 of that source address:
Trying 63.208.194.89...
Connected to 63.208.194.89.
Escape character is '^]'.
Get /index.html http/1.1

HTTP/1.0 400 Bad Request
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 161
Expires: Mon, 10 May 2004 11:46:36 GMT
Date: Mon, 10 May 2004 11:46:36 GMT
Connection: close

<HTML><HEAD>
<TITLE>Bad Request</TITLE>
</HEAD><BODY>
<H1>Bad Request</H1>
Your browser sent a request that this server could not understand.<P>
</BODY>
</HTML>
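A triage sketch for the observation in the reply above, added here as an example and not part of the original post: it parses Snort syslog alerts in the format quoted in the message and counts, per SID, how many fired on server-to-client (response) traffic versus client-to-server (request) traffic. The port sets, function names and sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Syslog alert layout as quoted in the message:
#   snort: [gid:sid:rev] msg [Classification: ..] [Priority: n]: {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"snort: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+)"
)
WEB_PORTS = {80, 8080}   # assumption: ports this site treats as HTTP servers
EPHEMERAL_MIN = 1024     # assumption: client ports sit above the well-known range

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        alert[key] = int(alert[key])
    return alert

def direction(alert):
    """Classify an alert as HTTP 'request', 'response', or 'unknown' by port pair."""
    s, d = alert["sport"], alert["dport"]
    if s in WEB_PORTS and d >= EPHEMERAL_MIN and d not in WEB_PORTS:
        return "response"   # web server answering a client: return traffic
    if d in WEB_PORTS and s >= EPHEMERAL_MIN and s not in WEB_PORTS:
        return "request"    # client talking to a web server
    return "unknown"

def summarize(lines):
    """Count alerts per (sid, direction); non-alert lines are skipped."""
    counts = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert:
            counts[(alert["sid"], direction(alert))] += 1
    return counts

# Constructed sample lines (RFC 5737 documentation addresses), modeled on the quoted alert.
_BODY = ("snort: [1:1010:5] WEB-IIS encoding access [Classification: access to a "
         "potentially vulnerable web application] [Priority: 2]: {TCP} ")
SAMPLE = [
    "May 7 19:59:43 " + _BODY + "192.0.2.10:80 -> 198.51.100.7:2245",
    "May 7 20:01:02 " + _BODY + "192.0.2.11:80 -> 198.51.100.9:3310",
    "May 7 20:05:17 " + _BODY + "203.0.113.5:4021 -> 198.51.100.20:80",
    "May 7 20:06:00 sshd[411]: unrelated line",
]

if __name__ == "__main__":
    for (sid, flow), n in sorted(summarize(SAMPLE).items()):
        print(f"sid {sid}: {n} alert(s) on {flow} traffic")
```

A SID that fires mostly on "response" traffic, as in the quoted alert (port 80 to port 2245), is matching content coming back from web servers that internal clients contacted, so the rule's direction and port variables are the first thing to review.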
Current thread:
- IDS alert Naveen C Joshi (May 08)
- Re: IDS alert Ravi (May 08)
- <Possible follow-ups>
- Re: IDS alert Michael Shirk (May 10)