Snort mailing list archives
Re: My Webservers Are Showing Up In My Alerts
From: "Vadim Pushkin" <wiskbroom () hotmail com>
Date: Fri, 14 Jun 2002 17:40:28 +0000
From: Matt Kettler <mkettler () evi-inc com>
To: "Vadim Pushkin" <wiskbroom () hotmail com>, snort-users () lists sourceforge net
Subject: Re: [Snort-users] My Webservers Are Showing Up In My Alerts
Date: Thu, 13 Jun 2002 17:34:34 -0400

Well, that's not surprising.. A lot of the alerts you see are likely to be things like codered, IIS cmd.exe and other such things, directory traversals, etc.

These usually represent actual attack attempts on your webserver. It is usually being done by a virus or an automated tool. It's not uncommon for a webserver to see dozens of these a day. The net is a brutal place, and it's not uncommon to see a network block have exploit attempts hundreds of times per day. Particularly if snort is watching unfiltered traffic in front of your firewall.

My best recommendation is that if the alerts bother you, and you KNOW that your webserver cannot possibly be vulnerable, comment out the rule in the .rules file. (For example, if all your webservers are BSD or Linux Apache webservers it's pretty safe to comment out the cmd.exe rule.)

It is important to note however that they aren't false alerts, they

I disagree, I do believe that they may be attempts to misuse other webservers. My server is a squid proxy server, so it gets A LOT of stuff passing thru it. It is not my job to track each one down and determine if it is a legit use or not.

-vadim

Vadim (Ukranian Stallion) Pushkin
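
The tuning step recommended in the quoted message (commenting out a rule in the .rules file once you know the server cannot be vulnerable) can be scripted so it is repeatable and leaves a record of what was disabled. The following is an added example, not code from the thread or from the Snort project; the sample rules, their sids and the name `disable_rules` are constructed for illustration.

```python
import re

# Constructed sample of a Snort-style .rules file (not taken from the thread);
# the sids are made-up values in the local range.
SAMPLE_RULES = r'''# web-iis.rules (constructed sample)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; \
    content:"cmd.exe"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC directory traversal"; content:"../"; sid:1000002; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS old cmd.exe rule"; content:"cmd.exe"; sid:1000003; rev:1;)
'''

# Hypothetical selector: rules whose content option is the string cmd.exe.
PATTERN = r'content:\s*"cmd\.exe"'

def disable_rules(text, pattern):
    """Comment out every active rule whose text matches `pattern`.

    Returns (new_text, disabled_sids). A rule continued over several lines
    with a trailing backslash is commented out as a unit; rules that are
    already commented out, comments and blank lines are left untouched.
    """
    rx = re.compile(pattern, re.IGNORECASE)
    out, disabled, rule = [], [], []
    for line in text.splitlines():
        rule.append(line)
        if line.rstrip().endswith("\\"):
            continue  # rule continues on the next physical line
        joined = " ".join(rule)
        active = joined.strip() and not joined.lstrip().startswith("#")
        if active and rx.search(joined):
            sid = re.search(r"sid:\s*(\d+)", joined)
            disabled.append(int(sid.group(1)) if sid else None)
            rule = ["#" + ln for ln in rule]
        out.extend(rule)
        rule = []
    out.extend(rule)  # dangling continuation at end of file: keep as-is
    return "\n".join(out) + "\n", disabled

if __name__ == "__main__":
    new_text, sids = disable_rules(SAMPLE_RULES, PATTERN)
    print(new_text)
    print("disabled sids:", sids)
```

Running it a second time over its own output disables nothing further, so the returned sid list doubles as a change log of which detections were turned off.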