Snort mailing list archives
Re: Should I worry??
From: Chris Adams <chris () improbable org>
Date: Tue, 25 Jun 2002 14:38:44 -0700
On Tuesday, June 25, 2002, at 09:41 , Anthony Scott wrote:
Received this alert from Snort:

[**] [1:1227:2] X11 outbound client connection detected [**]
[Classification: Misc activity] [Priority: 3]
06/24-10:37:44.575620 192.168.1.18:6000 -> 192.168.1.225:1984
TCP TTL:128 TOS:0x0 ID:12364 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x36B34774 Ack: 0x498A1D12 Win: 0x4470 TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS126]
It's probably bogus - that rule is extremely false positive prone as it doesn't look for anything specific to X11, just the port number. We get these all the time on our web servers where the random high source port the browser used happens to be in the low 6000s. It'd be a good idea to double-check that someone hasn't installed X on one of those systems before disabling the rule, though.
Chris
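A triage sketch for the reply above, added here as an example and not part of the original message or of Snort. It reads sid 1227 alerts in the format quoted in the thread and separates the case where the 6000-range port is just a client's ephemeral port talking to a service from the case where the host should be checked for an X server. The port range 6000-6005, the "peer port of 1023 or lower means a service" cutoff, the verdict names and the second sample alert are assumptions made for illustration.

```python
import re

# Constructed sample input: the alert quoted in the thread (Xref line omitted)
# plus one invented alert of the web-server kind the reply describes.
SAMPLE = """\
[**] [1:1227:2] X11 outbound client connection detected [**]
[Classification: Misc activity] [Priority: 3]
06/24-10:37:44.575620 192.168.1.18:6000 -> 192.168.1.225:1984
TCP TTL:128 TOS:0x0 ID:12364 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x36B34774 Ack: 0x498A1D12 Win: 0x4470 TcpLen: 20

[**] [1:1227:2] X11 outbound client connection detected [**]
[Classification: Misc activity] [Priority: 3]
06/24-11:02:13.101010 198.51.100.7:6003 -> 192.0.2.80:80
TCP TTL:64 TOS:0x0 ID:4121 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x1A2B3C4D Ack: 0x5E6F7081 Win: 0x4470 TcpLen: 20
"""

X11_PORTS = range(6000, 6006)  # assumption: X displays :0 to :5 (port 6000 + display)
SERVICE_PORT_MAX = 1023        # assumption: a peer port this low is a real service
HEADER = re.compile(r"\[\*\*\] \[1:1227:\d+\] ")
FLOW = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")

def triage(text):
    """Return (host, port, verdict) for every sid 1227 alert in text."""
    results = []
    for block in text.split("\n\n"):
        flow = FLOW.search(block)
        if not HEADER.search(block) or not flow:
            continue
        src, dst = flow.group(1), flow.group(3)
        sport, dport = int(flow.group(2)), int(flow.group(4))
        # The endpoint holding the 6000-range port is the one that might run X.
        if sport in X11_PORTS:
            host, port, peer_port = src, sport, dport
        elif dport in X11_PORTS:
            host, port, peer_port = dst, dport, sport
        else:
            continue
        verdict = "likely-ephemeral" if peer_port <= SERVICE_PORT_MAX else "check-host"
        results.append((host, port, verdict))
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

A "check-host" verdict only says the port pairing does not explain the alert; whether X is installed on that host still has to be confirmed on the system itself.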