Snort mailing list archives
RE: Unusual http traffic
From: Fraser Hugh <hugh_fraser () dofasco ca>
Date: Tue, 23 Oct 2001 14:06:21 -0400
They're from an IIS server.
-----Original Message-----
From: Chris Green [mailto:cmg () uab edu]
Sent: Monday, October 22, 2001 5:01 PM
To: Fraser Hugh
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Unusual http traffic

Fraser Hugh <hugh_fraser () dofasco ca> writes:

> I've turned off the Code Red and Nimda alert rules since we're
> comfortable with our ability to deal with those on the servers
> themselves. It's more the balance of the URL that looked unusual.

Is your webserver where you got those logs from? It really looks like your webserver is interpreting the extra characters that form the /../ part as TLS/SSL control commands. What webserver is that?

If you turned off the rules, you're not going to see that. Cmd.exe rules catch common attacks from several different types and not just code red but they certainly aren't 100% reliable.

--
Chris Green <cmg () uab edu>
I've had a perfectly wonderful evening. But this wasn't it. -- Groucho Marx