Snort mailing list archives
Re: WEB-IIS MISC forbidden
From: <bthaler () webstream net>
Date: Fri, 15 Mar 2002 09:50:51 -0500
These alerts are generated when the web server responds to a request with a standard HTTP 403 error message. The two alerts go hand in hand, and are usually seen together.

To answer your question, number 1 is correct. This rule is triggered by a response from the web server, indicating that someone has tried to access a forbidden page.

In my experience, they are fairly harmless, and will just generate noise. Perhaps some people find value in them, but I tend to consider them "paranoid" rules. They can be triggered by anything from a bad link to a website, to a bad configuration of the web server (no default page in IIS for example).

Without going into too much detail, I'll just say that I'm snorting "a lot" of traffic, and I have yet to see this alert triggered in response to anything hostile, although others' experience may differ.

Sincerely,
Brad T.
Technical Support
WebStream Internet Solutions
brad () webstream net
http://www.webstream.net
(888) 932-2333 Toll-Free
(954) 730-7127 Local
(954) 733-7067 Fax
(954) 730-7405 Help Desk

*******************Internet Email Confidentiality Footer*******************
This communication contains proprietary business information and may contain confidential information. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please immediately destroy, discard, or erase this communication.

----- Original Message -----
From: "Gongya Yu" <yu () gongya net>
To: <snort-users () lists sourceforge net>
Sent: Saturday, April 13, 2002 1:01 AM
Subject: [Snort-users] WEB-IIS MISC forbidden
Can anyone make a point to this for me?

[**] WEB-MISC 403 Forbidden [**]
08/26-15:06:23.980458 x.x.x.x:80-> y.y.y.y:4415
TCP TTL:128 TOS:0x0 ID:8823 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x844F6263 Ack: 0xC9FE43 Win: 0x443D TcpLen: 32
TCP Options (3) => NOP NOP TS: 8879756 12737173

[**] WEB-IIS Unauthorized IP Access Attempt [**]
08/26-15:06:23.980578 x.x.x.x:80-> y.y.y.y:4415
TCP TTL:128 TOS:0x0 ID:8824 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x844F680B Ack: 0xC9FE43 Win: 0x443D TcpLen: 32
TCP Options (3) => NOP NOP TS: 8879756 12737173

x.x.x.x generates these actively or is triggered by y.y.y.y, then generates these alerts? What I mean is:

1. y.y.y.y tries to access x.x.x.x on port 80 from source port 4415, then x.x.x.x responds with this alert?
2. or x.x.x.x just tries to access y.y.y.y without any trigger from y.y.y.y

Thanks in advance!!!

Snort user

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
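The direction check described in the reply (source port 80 means the rule fired on the web server's response), written out as an added example that is not part of the original thread. It assumes alerts in the same layout as the ones quoted above; the sample text and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the two alerts quoted in the thread
# (addresses replaced with documentation ranges; not real traffic).
SAMPLE = """\
[**] WEB-MISC 403 Forbidden [**]
08/26-15:06:23.980458 192.0.2.10:80-> 198.51.100.7:4415
TCP TTL:128 TOS:0x0 ID:8823 IpLen:20 DgmLen:1500 DF

[**] WEB-IIS Unauthorized IP Access Attempt [**]
08/26-15:06:23.980578 192.0.2.10:80-> 198.51.100.7:4415
TCP TTL:128 TOS:0x0 ID:8824 IpLen:20 DgmLen:1500 DF

[**] WEB-MISC 403 Forbidden [**]
08/26-15:09:01.112233 192.0.2.10:80 -> 198.51.100.99:1033
TCP TTL:128 TOS:0x0 ID:9001 IpLen:20 DgmLen:1500 DF
"""

# Alert title line, then "timestamp src:port -> dst:port" on the next line.
ALERT = re.compile(
    r"\[\*\*\]\s*(?P<msg>.+?)\s*\[\*\*\]\s*\n"
    r"(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)")

def parse_alerts(text):
    """Return one dict per alert with msg, ts, src, sport, dst, dport."""
    return [m.groupdict() for m in ALERT.finditer(text)]

def direction(alert, server_ports=frozenset({"80"})):
    """'response' if the matching packet came FROM the web server port."""
    if alert["sport"] in server_ports:
        return "response"
    if alert["dport"] in server_ports:
        return "request"
    return "unknown"

def group_responses(alerts):
    """Map (server, client, client_port) -> rule messages on that connection."""
    flows = defaultdict(list)
    for a in alerts:
        if direction(a) == "response":
            flows[(a["src"], a["dst"], a["dport"])].append(a["msg"])
    return dict(flows)

def forbidden_per_client(alerts):
    """Count connections per client that drew these server-side alerts."""
    counts = defaultdict(int)
    for _server, client, _port in group_responses(alerts):
        counts[client] += 1
    return dict(counts)
```

Grouping by connection shows the two rules firing on the same response stream, and the per-client count gives a quick way to tell a one-off bad link from a client that keeps requesting forbidden pages.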
Current thread:
- WEB-IIS MISC forbidden Gongya Yu (Mar 14)
- Re: WEB-IIS MISC forbidden bthaler (Mar 15)
- Re: WEB-IIS MISC forbidden Gongya Yu (Mar 15)
- Re: WEB-IIS MISC forbidden Matt Kettler (Mar 15)
- Re: WEB-IIS MISC forbidden Gongya Yu (Mar 15)
- Re: WEB-IIS MISC forbidden bthaler (Mar 15)